pachavez
Staff
Article Id 306202
Description: This article describes how to export SSL certificates from one FortiGate to a different FortiGate.
Scope: FortiGate v7.4.3.
Solution

In this example, the SSL certificate from FortiGate A will be imported to another FortiGate B. This solution is helpful in scenarios where the firewall administrator does not have a backup or copy of the certificate files or the previous firewall administrator has resigned.

 

This procedure can be done only through the Command Line Interface (CLI). When a certificate is exported or downloaded from the GUI, only the public key is exported, not the private key. The CLI is required to extract both the private and public keys.

 

On FortiGate A:

 

FortiGate-A # conf vpn certificate local

FortiGate-A (local) # edit "certificate"       <----- Name of certificate.

 

FortiGate-A (certificate) # sh full-configuration
config vpn certificate local
edit "certificate"
set password ENC P@ssw0rd
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIQxqZHsMZ3q8CAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECB+Ft4ZVMQzEBIIEyAOCqcJt2RRr
+fVsIKgUwWBz0BBDUPbe9w2HFS8vxjTef/avvpVYr7W8CicoAfbcJwaLjRrVtw/b
-----END ENCRYPTED PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE-----

MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjA4MjIwMDAwMDBa
Fw0yMzA5MTcyMzU5NTlaMG4xCzAJBgNVBAYTAkFFMRAwDgYDVQQHEwdTaGFyamFo
-----END CERTIFICATE-----"

end

 

Copy the configuration, then access FortiGate B.

 

On FortiGate B:

 

Paste the configuration taken from FortiGate A into the CLI of FortiGate B.

 

After running the above CLI commands, the certificate should be imported on FortiGate B.
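
Multi-line quoted values are easy to truncate when copied from a terminal. The following added example (not part of the original article and not Fortinet tooling) checks a copied block for completeness before it is pasted into FortiGate B; the function name `check_export` and the sample data are assumptions constructed for this illustration.

```python
import base64
import re

# Constructed sample in the shape of the CLI output above; the base64 body
# is dummy bytes, not real key material, and the ENC value is a placeholder.
_B64 = base64.b64encode(bytes(range(48))).decode()
SAMPLE = f'''config vpn certificate local
edit "certificate"
set password ENC constructedvalue
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
{_B64}
-----END ENCRYPTED PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE-----
{_B64}
-----END CERTIFICATE-----"
end
'''

# One quoted PEM value: set <field> "-----BEGIN X-----\n<body>\n-----END Y-----"
PEM_RE = re.compile(
    r'set (private-key|certificate) "-----BEGIN ([A-Z ]+)-----\r?\n'
    r'([^"]*?)\r?\n-----END ([A-Z ]+)-----"')


def check_export(text):
    """Return a list of problems in a copied block; an empty list means it looks complete."""
    problems = []
    if not re.search(r'^edit "[^"]+"', text, re.M):
        problems.append('missing edit "<name>" line')
    if not re.search(r"^set password ENC \S+", text, re.M):
        problems.append("missing 'set password ENC' line")
    seen = set()
    for field, begin, body, end in PEM_RE.findall(text):
        seen.add(field)
        if begin != end:
            problems.append(f"{field}: BEGIN/END labels differ")
        try:
            # Join wrapped lines, then require strict base64 (catches cut-off copies).
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{field}: body is not valid base64")
    for field in ("private-key", "certificate"):
        if field not in seen:
            problems.append(f"{field}: no complete quoted PEM block")
    if text.strip().splitlines()[-1:] != ["end"]:
        problems.append("missing closing 'end'")
    return problems
```

The copied block holds the private key and its password line, so run the check on the administrator workstation and do not leave the saved text on disk afterwards.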

 


 

Related documents:

Certificates

Technical Tip: FortiGate HTTPS/SSL Certificate Installation (PFX, PKCS12 and PEM)

 
