Description
This article describes how to generate a CSR on FortiGate and export the certificate with its private key so that it can be used on other Fortinet products.
Related link.
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/645186/generating-a-csr-on-a-fortigate
Solution
1) Go to System -> Certificates and select '+Generate', which opens 'Generate Certificate Signing Request'.
2) Enter all details in the CSR.




- In 'Subject Alternative Name', make sure to enter the details in the correct format, 'Attribute name': Value, for example DNS:FQDN or DNS:fortigate.domain.local
- 'Password for private key' is mandatory to export the private key and use it on another machine.
If no password is entered here, FortiGate will generate a random password and encrypt the private key to make it secure.
Note.
Fortinet cannot assist with private key password recovery.
- Select 'OK' when finished.
3) After the CSR is created it will be visible in 'Local Certificate' category.

4) Select the newly created CSR and select 'Download'.
This downloads the .csr file in the browser; it can then be used to issue the certificate on the root CA server.
Open the .csr file in Notepad:
-----BEGIN CERTIFICATE REQUEST-----
MIIC5jCCAc4CAQAweDELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVN0YXRlMQ0wCwYD
VQQHEwRDaXR5MQwwCgYDVQQKEwNPUkcxCzAJBgNVBAsTAk9VMRAwDgYDVQQDEwcx
…
5yN/0aRPjUbSxKczkQxQfw7gvQPjieI1IRIk9TduYj/ic0DO1ch5Yau7+hEusR5a
7cSFo9S94oT6ZHFq22noaBF86l5VKArARqc=
-----END CERTIFICATE REQUEST-----
5) When the certificate is issued by the root CA, make sure to download it in Base64 format.
6) Import the issued certificate to FortiGate by selecting Import -> Local Certificate, which will give an option to upload the certificate from the unit.
7) After the certificate has been imported, it looks like the example below:

8) The certificate can now be downloaded from the GUI by selecting the 'Download' button.
9) The private key matching the same certificate can be collected from the CLI.
10) Log in to FortiGate with an SSH client such as PuTTY and type the following:
# config vpn certificate local
edit [certificate_name]
show full
11) After running the commands from the previous step, FortiGate will display the encrypted private key and the public certificate.
12) The output looks similar to the example below:
# config vpn certificate local
edit "new-certificate"
set password ENC "xbhxFaf5XBhM8swWpprSCYI6SLBe3/AMOn/Mj7xatDqFENQXjjXPmD2VXYuYN6zks3O36ECCkxX2ksQkEoyBPke9fV0rT08or7vtfB9tlN8fWA5SWJ5J9Gs > KBLk9WdWpDDwVsio7CaVYx24hX2/98jFNkCgQ90PDz8M6CX9ZboQHLemJgX0h88P5EsVrPhaVqT/PEw="
set comments ''
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCgU1YXilYKBW2gag
…
g5vtXWbV3vM8mWMAou4qAR6X/k+5usIqYzqB67wFEMXsYkQ8vb0
-----END ENCRYPTED PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE-----
MIID2jCCAsKgAwIBAgIEVC8u3jANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
…
WY1CW4nQSamY6of2lmQbjfUKNtuyS56Y3MhhfokI0IPPtEsrVpLu89VHyiCQMKpzRu
-----END CERTIFICATE-----"
set range global
set source user
set source-ip 0.0.0.0
set ike-localid-type asn1dn
set enroll-protocol none
next
end
13) From this output, copy the text between and including:
"-----BEGIN ENCRYPTED PRIVATE KEY-----" AND "-----END ENCRYPTED PRIVATE KEY-----"
"-----BEGIN CERTIFICATE-----" AND "-----END CERTIFICATE-----"
14) Paste these texts into a text editor (for example, Notepad or vim) and save each as a separate file, ensuring that the quotation marks are removed and that there are no empty spaces before or after the text.
For example, the private key text can be called 'key.pem' and the certificate can be called 'certificate.pem'.
15) These files can then be used to import the certificate and private key onto another machine.
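Steps 13 and 14 are easy to get wrong by hand (leftover quotation marks, indentation, a truncated paste). The Python script below is an added example, not Fortinet code: it extracts the two PEM blocks from saved 'show full' output, checks that each body is valid Base64, and writes key.pem with owner-only permissions alongside certificate.pem. The sample output and the function names are constructed for illustration.

```python
import base64
import os
import re

# Constructed sample of `show full` output; base64 bodies are placeholders,
# not real key material.
SAMPLE = '''config vpn certificate local
    edit "new-certificate"
        set password ENC "cGxhY2Vob2xkZXI="
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
-----END CERTIFICATE-----"
    next
end
'''

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def extract_pem_blocks(cli_output):
    """Return {label: normalized PEM text} for every PEM block in the output."""
    blocks = {}
    for label, body in PEM_RE.findall(cli_output):
        b64 = "".join(body.split())  # drop indentation, CR/LF and stray spaces
        base64.b64decode(b64, validate=True)  # raises on a truncated/garbled paste
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        pem = [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]
        blocks[label] = "\n".join(pem) + "\n"
    return blocks


def write_files(blocks, directory="."):
    """Write key.pem (mode 0600, never overwritten) and certificate.pem."""
    if "ENCRYPTED PRIVATE KEY" not in blocks or "CERTIFICATE" not in blocks:
        raise ValueError("expected an encrypted private key and a certificate")
    key_path = os.path.join(directory, "key.pem")
    # O_EXCL: fail rather than reuse an existing file with looser permissions.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(blocks["ENCRYPTED PRIVATE KEY"])
    cert_path = os.path.join(directory, "certificate.pem")
    with open(cert_path, "w") as fh:
        fh.write(blocks["CERTIFICATE"])
    return key_path, cert_path
```

The key stays encrypted on disk; the password set in step 2 is still required when importing it on the other machine.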
Related Articles
Technical Note: FortiGate - Generate CSR via CLI when Subject Alternative Name field is long