lfrancelj
Staff
Article Id 192834

Description

This article describes how to generate a CSR on FortiGate and how to export the issued certificate together with its private key so that they can be used on other Fortinet products.

Scope

FortiGate.

Solution

  1. Go to System -> Certificates and select '+Generate', which opens the 'Generate Certificate Signing Request' form.
  2. Enter all details in the CSR.

  • In 'Subject Alternative Name', make sure to enter the details in the format 'Attribute name':Value, for example DNS:FQDN or DNS:fortigate.domain.local.
  • 'Password for private key' is mandatory in order to export the private key and use it on another machine. If no password is entered here, FortiGate generates a random password and encrypts the private key with it to keep it secure.

Note:
Fortinet cannot assist with private key password recovery.

  • Select 'OK' when finished.

  3. After the CSR is created, it is visible in the 'Local Certificate' category.


  4. Select the newly created CSR and select 'Download'. This downloads the .csr file in the browser; the file is then used to issue the certificate on the root CA server. Open the .csr file in Notepad:

-----BEGIN CERTIFICATE REQUEST-----
MIIC5jCCAc4CAQAweDELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVN0YXRlMQ0wCwYD
VQQHEwRDaXR5MQwwCgYDVQQKEwNPUkcxCzAJBgNVBAsTAk9VMRAwDgYDVQQDEwcx
…
5yN/0aRPjUbSxKczkQxQfw7gvQPjieI1IRIk9TduYj/ic0DO1ch5Yau7+hEusR5a
7cSFo9S94oT6ZHFq22noaBF86l5VKArARqc=
-----END CERTIFICATE REQUEST-----

  5. When the certificate is issued by the root CA, make sure to download it in Base64 format.
  6. Import the issued certificate into FortiGate by selecting Import -> Local Certificate, which gives the option to upload the certificate file.
  7. After the certificate has been imported, it is listed in the 'Local Certificate' category.


  8. The certificate can now be downloaded from the GUI by selecting the 'Download' button.
  9. The private key matching this certificate can be collected from the CLI.
  10. Log in to FortiGate with an SSH client such as PuTTY and run the following:

config vpn certificate local
    edit [certificate_name]
    show full

  11. With these commands, FortiGate displays the encrypted private key and the certificate.
  12. The output looks similar to the example below:

 

config vpn certificate local
    edit "new-certificate"
        set password ENC "xbhxFaf5XBhM8swWpprSCYI6SLBe3/AMOn/Mj7xatDqFENQXjjXPmD2VXYuYN6zks3O36ECCkxX2ksQkEoyBPke9fV0rT08or7vtfB9tlN8fWA5SWJ5J9GsKBLk9WdWpDDwVsio7CaVYx24hX2/98jFNkCgQ90PDz8M6CX9ZboQHLemJgX0h88P5EsVrPhaVqT/PEw="
        set comments ''
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
        MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCgU1YXilYKBW2gag
        …
        g5vtXWbV3vM8mWMAou4qAR6X/k+5usIqYzqB67wFEMXsYkQ8vb0
        -----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
        MIID2jCCAsKgAwIBAgIEVC8u3jANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
        …
        WY1CW4nQSamY6of2lmQbjfUKNtuyS56Y3MhhfokI0IPPtEsrVpLu89VHyiCQMKpzRu
        -----END CERTIFICATE-----"
        set range global
        set source user
        set source-ip 0.0.0.0
        set ike-localid-type asn1dn
        set enroll-protocol none
    next
end
 
  13. From this output, copy the text between and including:

"-----BEGIN ENCRYPTED PRIVATE KEY-----" and "-----END ENCRYPTED PRIVATE KEY-----"

"-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"

  14. Paste each text into a text editor (for example, Notepad or vim) and save it as a separate file, making sure that the surrounding quotation marks are removed and that there is no whitespace before or after the text. For example, the private key can be saved as 'key.pem' and the certificate as 'certificate.pem'.
  15. These files can then be used to import the certificate and private key onto another machine; the private-key password entered when the CSR was generated is required for that import.

 

Related documents:

Generate a CSR

Technical Tip: Generate CSR via FortiGate CLI