Created on 03-24-2024 09:48 PM. Edited on 11-24-2025 10:32 PM. By Jean-Philippe_P
| Description | This article describes how to export SSL certificates from one FortiGate to a different FortiGate. |
| Scope | FortiGate v7.4.0 and above. Not supported in versions lower than FortiOS v7.4.0. |
| Solution |
In this example, the SSL certificate from FortiGate A will be imported to another FortiGate B. This solution is helpful in scenarios where the firewall administrator does not have a backup or copy of the certificate files, or the previous firewall administrator has resigned.
This procedure can be done only through the Command Line Interface (CLI). A certificate exported or downloaded from the GUI contains only the public key, not the private key. It is necessary to use the CLI to extract both the private and public keys.
On FortiGate A:
FortiGate-A # config vpn certificate local
FortiGate-A (local) # edit "certificate"    <----- Name of certificate.
FortiGate-A (certificate) # show full-configuration
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
end
Copy the configuration and then access FortiGate B.
On FortiGate B:
Paste the configuration taken from FortiGate A to FortiGate B:
Note: Make sure the output from FortiGate A is copied and pasted line by line; otherwise, not all the commands will be accepted.
After running the above CLI commands, the certificate should be imported on FortiGate B.
Related documents: Technical Tip: FortiGate HTTPS/SSL Certificate Installation (PFX, PKCS12 and PEM) |
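A pre-paste check for the line-by-line note above, as an added example that is not part of the original article or Fortinet's tooling: it verifies that a captured `show full-configuration` block still has its header, its closing `end`, balanced quotes and complete PEM blocks before it is pasted into FortiGate B. The sample capture is constructed, and the `set password`, `set private-key` and `set certificate` field names are assumptions, since the article shows only a fragment of the output.

```python
import re

# Constructed capture of the FortiGate A output; key and certificate bodies are
# placeholders. The field names (set password, set private-key, set certificate)
# are an assumption about the output, which the page shows only in part.
SAMPLE = '''config vpn certificate local
    edit "certificate"
        set password ENC CONSTRUCTED-PLACEHOLDER
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERKEYBODY
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERCERTBODY
-----END CERTIFICATE-----"
    next
end
'''

PEM_FIELDS = {"private-key": "PRIVATE KEY", "certificate": "CERTIFICATE"}

def check_capture(text):
    """Return the problems that would leave the paste on FortiGate B incomplete."""
    problems = []
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[:1] != ["config vpn certificate local"]:
        problems.append("missing 'config vpn certificate local' header")
    if not any(l.startswith("edit ") for l in lines):
        problems.append("missing 'edit <name>' line")
    if lines[-1:] != ["end"]:
        problems.append("block does not finish with 'end'")
    if text.count('"') % 2:  # an odd count means a quoted value was cut
        problems.append("unbalanced double quotes")
    for field, label in PEM_FIELDS.items():
        m = re.search(r'set %s "(.*?)"' % re.escape(field), text, re.S)
        if not m:
            problems.append(f"no complete 'set {field}' value")
            continue
        pem = r"-----BEGIN ([A-Z ]*%s)-----\n.+\n-----END \1-----" % label
        if not re.fullmatch(pem, m.group(1).strip(), re.S):
            problems.append(f"'set {field}' PEM block is truncated")
    has_password = any(l.startswith("set password ") for l in lines)
    if "ENCRYPTED PRIVATE KEY" in text and not has_password:
        problems.append("encrypted private key without its 'set password' line")
    return problems

if __name__ == "__main__":
    print(check_capture(SAMPLE) or "capture looks complete")
```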