FortiGate
lfrancelj
Staff
Article Id 192834
Description
This article describes how to generate a CSR on a FortiGate and export the issued certificate together with its private key so they can be used on other Fortinet products.

Related link:
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/645186/generating-a-csr-on-a-fortigate

Solution
1) Go to System -> Certificates and select '+Generate', which opens the 'Generate Certificate Signing Request' form.
2) Enter all details in the CSR.

- In 'Subject Alternative Name', enter each entry in the correct format, 'Attribute name':Value, for example DNS:FQDN (such as DNS:fortigate.domain.local).

- 'Password for private key' is mandatory if the private key is to be exported and used on another machine.
If no password is entered here, FortiGate generates a random password and uses it to encrypt the private key.

Note:
Fortinet cannot assist with private key password recovery.

- Select 'OK' when finished.

3) After the CSR is created, it is visible in the 'Local Certificate' category.

4) Select the newly created CSR and select 'Download'.
This downloads a .csr file in the browser, which can then be used to issue the certificate on the root CA server.
Open the .csr file in Notepad:
-----BEGIN CERTIFICATE REQUEST-----
MIIC5jCCAc4CAQAweDELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVN0YXRlMQ0wCwYD
VQQHEwRDaXR5MQwwCgYDVQQKEwNPUkcxCzAJBgNVBAsTAk9VMRAwDgYDVQQDEwcx

5yN/0aRPjUbSxKczkQxQfw7gvQPjieI1IRIk9TduYj/ic0DO1ch5Yau7+hEusR5a
7cSFo9S94oT6ZHFq22noaBF86l5VKArARqc=
-----END CERTIFICATE REQUEST-----
5) When the certificate is issued by the root CA, make sure to download it in Base64 format.
6) Import the issued certificate to FortiGate by selecting Import -> Local Certificate, which gives an option to upload the certificate file.
7) After the certificate has been imported, it looks like the example below:

8) The certificate can now be downloaded from the GUI by selecting the 'Download' button.
9) The private key matching the certificate can be collected from the CLI.
10) Log in to the FortiGate with an SSH client such as PuTTY and enter the following:

# config vpn certificate local
    edit [certificate_name]
    show full
11) These commands make FortiGate display the encrypted private key and the public certificate.
12) The output looks similar to the example below:
# config vpn certificate local
    edit "new-certificate"
        set password ENC "xbhxFaf5XBhM8swWpprSCYI6SLBe3/AMOn/Mj7xatDqFENQXjjXPmD2VXYuYN6zks3O36ECCkxX2ksQkEoyBPke9fV0rT08or7vtfB9tlN8fWA5SWJ5J9GsKBLk9WdWpDDwVsio7CaVYx24hX2/98jFNkCgQ90PDz8M6CX9ZboQHLemJgX0h88P5EsVrPhaVqT/PEw="
        set comments ''
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
        MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCgU1YXilYKBW2gag
        …
        g5vtXWbV3vM8mWMAou4qAR6X/k+5usIqYzqB67wFEMXsYkQ8vb0
        -----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
        MIID2jCCAsKgAwIBAgIEVC8u3jANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
        …
        WY1CW4nQSamY6of2lmQbjfUKNtuyS56Y3MhhfokI0IPPtEsrVpLu89VHyiCQMKpzRu
        -----END CERTIFICATE-----"
        set range global
        set source user
        set source-ip 0.0.0.0
        set ike-localid-type asn1dn
        set enroll-protocol none
    next
end
13) From this output, copy the text between and including:
"-----BEGIN ENCRYPTED PRIVATE KEY-----" AND "-----END ENCRYPTED PRIVATE KEY-----"
"-----BEGIN CERTIFICATE-----" AND "-----END CERTIFICATE-----"
14) Paste each text into a text editor (for example Notepad or vim) and save it as a separate file, making sure the quotation marks are removed and that there are no empty spaces before or after the text.
For example, the private key file can be called 'key.pem' and the certificate file 'certificate.pem'.
15) These files can then be used to import the certificate and private key onto another machine.
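Copying the blocks out of the CLI output by hand is where most import failures start (a leftover quotation mark or an indentation space makes the PEM file unreadable). The following Python script is an added example, not part of this article or of any Fortinet tool: it parses a constructed sample of the 'show full' output, strips the CLI quoting and indentation from the private key and certificate blocks, checks that each body is clean base64, and returns the text ready to be saved as key.pem and certificate.pem as described in step 14.

```python
import base64
import re

# Constructed sample shaped like the 'show full' output in the article.  The
# ENC password and the base64 bodies are placeholder data, not real secrets.
SAMPLE_SHOW_FULL = """\
# config vpn certificate local
    edit "new-certificate"
        set password ENC "cGxhY2Vob2xkZXI="
        set comments ''
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
        MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCgU1YXilYKBW2g
        g5vtXWbV3vM8mWMAou4qAR6X
        -----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
        MIID2jCCAsKgAwIBAgIEVC8u3jANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
        WY1CW4nQSamY6of2lmQbjfUK
        -----END CERTIFICATE-----"
        set range global
    next
end
"""

# One PEM block: BEGIN marker, base64 body, matching END marker.  The CLI's
# surrounding double quotes fall outside the match, so they are dropped.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def extract_pem_blocks(show_output: str) -> dict:
    """Map each PEM label (e.g. 'CERTIFICATE') to clean PEM text ready to save.
    CLI indentation is stripped from every body line and the body is checked as
    base64, so a stray quote or space is caught here rather than on import."""
    blocks = {}
    for match in PEM_BLOCK.finditer(show_output):
        label, raw_body = match.group(1), match.group(2)
        lines = [ln.strip() for ln in raw_body.splitlines() if ln.strip()]
        try:
            base64.b64decode("".join(lines), validate=True)
        except ValueError as exc:
            raise ValueError(f"{label}: body is not clean base64 ({exc})") from None
        blocks[label] = f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"
    return blocks


def split_key_and_cert(show_output: str) -> tuple:
    """Return (key_pem, cert_pem, key_is_encrypted) for one 'edit' entry."""
    blocks = extract_pem_blocks(show_output)
    key_label = next(lbl for lbl in blocks if lbl.endswith("PRIVATE KEY"))
    return blocks[key_label], blocks["CERTIFICATE"], key_label.startswith("ENCRYPTED")
```

Write the two returned strings to key.pem and certificate.pem; when the third value is True the key is the encrypted form and the importing machine will ask for the password set in step 2.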