1). Create a CA with OpenSSL.
# openssl req -new -x509 -days 3650 -keyout caprivatekey.pem -out cacertificate.pem
NOTE: cacertificate.pem is the CA certificate (the public half; caprivatekey.pem is the CA private key and stays on the signing host) and is the file to import into the FortiGate.
2). Generate a Certificate Request on the FortiGate and download it.
3). Sign the FortiGate certificate.
# openssl x509 -req -in VPNSSL.csr -CA cacertificate.pem -CAkey caprivatekey.pem -CAcreateserial -out VPNSSL.cer -days 3650 -sha256
4). Import the signed certificate (VPNSSL.cer) into the FortiGate as a 'local certificate'. It can now be selected as the server certificate in the IPsec or SSL VPN configuration.
Note: OpenSSL writes the keys and certificates generated above to the current working directory, which is the OpenSSL 'bin' folder when the commands are run from there (for example C:\Program Files\OpenSSL-Win64\bin).
5). Create user certificate.
# openssl req -new -nodes -out usercert.csr -keyout usercert.key
# openssl x509 -req -in usercert.csr -CA cacertificate.pem -CAkey caprivatekey.pem -CAcreateserial -out usercert.cer -days 3650 -sha256
# openssl pkcs12 -export -out usercert.pfx -inkey usercert.key -in usercert.cer
6). Upload cacertificate.pem to the FortiGate as a CA certificate. Note the name the FortiGate assigns to it (CA_Cert_X) and bind that CA to the PKI users.
7). On the user's machine, import usercert.pfx into the Personal store of the Certificates management console.
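The steps above, as an added example that is not part of the original article: a script that runs the CA, server and user certificate steps non-interactively and then verifies the result before anything is imported. It assumes openssl 1.1.1 or later is in PATH with its default openssl.cnf present, and stands in for the CSR downloaded from the FortiGate with a locally generated VPNSSL.csr; the subject names and the PFX password are constructed values.

```shell
#!/bin/sh
# Added example, not from the original article: runs the CA, server and user
# certificate steps non-interactively and then verifies the resulting chain.
# Assumptions: openssl (1.1.1+) is in PATH, the default openssl.cnf is present
# (it makes "req -x509" emit a CA:TRUE basic constraint), and the FortiGate's
# exported CSR is stood in for by a locally generated VPNSSL.csr.
set -eu

build_pki() {
  workdir="${1:-$(mktemp -d)}"
  cd "$workdir"

  # Step 1: self-signed CA (cacertificate.pem = CA certificate, caprivatekey.pem = CA key).
  openssl req -new -x509 -days 3650 -nodes -sha256 -subj "/CN=Example VPN CA" \
    -keyout caprivatekey.pem -out cacertificate.pem >/dev/null 2>&1

  # Step 2 stand-in: a CSR like the one downloaded from the FortiGate.
  openssl req -new -nodes -subj "/CN=vpn.example.com" \
    -keyout VPNSSL.key -out VPNSSL.csr >/dev/null 2>&1

  # Step 3: sign it as a server certificate. SAN and the serverAuth EKU are what
  # VPN clients check, so they are added via an extension file, not a bare signature.
  printf 'subjectAltName=DNS:vpn.example.com\nextendedKeyUsage=serverAuth\n' > server.ext
  openssl x509 -req -in VPNSSL.csr -CA cacertificate.pem -CAkey caprivatekey.pem \
    -CAcreateserial -days 3650 -sha256 -extfile server.ext -out VPNSSL.cer >/dev/null 2>&1

  # Step 5: user certificate limited to clientAuth, bundled with its key as PFX.
  openssl req -new -nodes -subj "/CN=alice" -keyout usercert.key -out usercert.csr >/dev/null 2>&1
  printf 'extendedKeyUsage=clientAuth\n' > user.ext
  openssl x509 -req -in usercert.csr -CA cacertificate.pem -CAkey caprivatekey.pem \
    -CAcreateserial -days 3650 -sha256 -extfile user.ext -out usercert.cer >/dev/null 2>&1
  openssl pkcs12 -export -out usercert.pfx -inkey usercert.key -in usercert.cer \
    -passout pass:changeit >/dev/null 2>&1   # constructed password, demo only

  echo "$workdir"
}

# Check before importing anything: both leaves chain to the CA, the user cert
# is restricted to client authentication and the server cert carries its SAN.
verify_chain() {
  dir="$1"
  openssl verify -CAfile "$dir/cacertificate.pem" "$dir/VPNSSL.cer" >/dev/null 2>&1 &&
  openssl verify -CAfile "$dir/cacertificate.pem" "$dir/usercert.cer" >/dev/null 2>&1 &&
  openssl x509 -in "$dir/usercert.cer" -noout -text | grep -q "TLS Web Client Authentication" &&
  openssl x509 -in "$dir/VPNSSL.cer" -noout -text | grep -q "DNS:vpn.example.com"
}
```

Run `dir=$(build_pki) && verify_chain "$dir"`; a non-zero exit means one of the files would be rejected by the FortiGate or the VPN client and should not be imported.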