FortiGate
ssriswadpong
Staff
Article Id 192999

Description

 

This article describes how to import a renewed local certificate when the certificate was renewed by a third-party CA (such as GoDaddy) and is delivered without a private key. The procedure assumes that the CA signed the same CSR as before, so the renewed certificate carries the same public key as the existing certificate and the private key already stored on the FortiGate still matches it. The idea is to create a new local certificate object, copy the encrypted private key (and the password that protects it) from the existing object into it, and then set the renewed certificate on the new object.

 

Scope

 

FortiGate.

Solution

 

  1. Show the full configuration of the existing certificate with 'show full-configuration vpn certificate local <certificate name>':

show full-configuration vpn certificate local OldCertificate

config vpn certificate local
    edit "OldCertificate"
        set password ENC w1n0MtV3gH/VRsZdJXBg9aad5I4ng7vQlica3DxPxLuBxxgyp+8rb1CHYjqG4CiVVjON7DaSDSnt/eQLDekSOzniswfZJ6uiweYjwsg3peIX0ceKRE/nU4AY/eAFh8vRNGlybaL+848PEtIyMtPtN4Lkmmb2IyGeLS8KkKmdLqjPaLM8cJZup81O+gPGvFTy/k8LTw==
        set comments ''
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIvMDdxmHgiIoCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECJmLmZycbhgeBIIEyA/vYCH2xO2f
……………………………………………………………………………………….
……………………………………………………………………………………….
qC2x6S8DxXf7B7pfn32Tueu7si8bn1daYf37LCFZUJISrSgBLoSJ6rjAAPIrWHB7
3VBiCR3tQUe0C+yYfh9zvQ==
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
MIIFQTCCBCmgAwIBAgITSAAAAAI4aZeP8ZjX1wAAAAAAAjANBgkqhkiG9w0BAQsF
ADBUMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGDAWBgoJkiaJk/IsZAEZFghXaW4t
……………………………………………………………………………………….
……………………………………………………………………………………….
nKQo0fGHU0NAi0sDiTF9HpsEoj2WhBT3vVNp5sKwyWHztvcbOAOBUgIwvRz07H29
9865Gag=
-----END CERTIFICATE-----"
        set range global
        set source user
        set source-ip 0.0.0.0
        set ike-localid-type asn1dn
        set enroll-protocol none
    next
end

 

  2. Copy the 'set password ENC ...' line and the complete 'set private-key "..."' block exactly as shown. Together they are the existing private key: the key is stored encrypted, and the ENC password is what FortiOS uses to decrypt it. Treat both lines as secret material and do not leave them in tickets, chat logs or shared drives.

  3. Create a new certificate object and paste the password and private-key copied in step 2:

config vpn certificate local
    edit <new certificate name>
        set password ENC <paste here>
        set private-key <paste here>
    next
end

 

  4. Open the renewed certificate file from the CA in a text editor such as Notepad, copy the text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- (only the first block if the file also contains the intermediate CA certificates; those belong under the CA certificates, not in the local certificate object) and set it on the new object:

config vpn certificate local
    edit <new certificate name>
        set certificate <----- Insert a quotation mark ("), then press Enter, paste the certificate content, insert another quotation mark (") and press Enter.
    next
end

If the FortiGate is in multi-VDOM mode, the commands must be run in the global VDOM:

config global
config certificate local
    edit [certificate name]
        set certificate <----- Insert a quotation mark ("), then press Enter, paste the certificate content, insert another quotation mark (") and press Enter.
    next
end
end

After that, check System -> Certificates for the new local certificate. If the Certificates menu is not shown, enable 'Certificates' under System -> Feature Visibility first.

Two points are worth checking before and after the import. First, the copied private key only fits the renewed certificate if the CA signed the same public key (the same CSR). If the renewal was issued for a new key pair, the certificate and key do not match and the object cannot be used; in that case import the new private key together with the certificate instead of reusing the old one. Second, FortiOS refers to certificates by object name, so the renewed certificate is not in use until every setting that references the old name (for example the SSL VPN server certificate, the administrative GUI certificate, or an IPsec phase1 local certificate) is changed to the new name.
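Before pasting the old key under the new object, it is worth confirming on a workstation that the renewed certificate really carries the same public key as the one currently on the FortiGate, and, for the paste step, cutting only the leaf certificate out of the file the CA delivered. The following POSIX shell script is an added example and is not part of the Fortinet article or of FortiOS; it assumes openssl is installed, and the file names (old.pem pasted from the 'set certificate' block of the existing object, the bundle file from the CA) are hypothetical.

```shell
#!/bin/sh
# Added example, not Fortinet's code. Pre-flight checks for reusing a
# FortiGate private key with a renewed certificate. Requires openssl.

# Print only the first PEM certificate block in a file. CA deliveries often
# bundle the leaf certificate with the intermediates; only the leaf goes into
# the FortiGate local certificate object.
first_cert_block() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         /-----END CERTIFICATE-----/ {if (p) exit}' "$1"
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate.
# Two certificates with the same fingerprint here share the same key pair.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Exit 0 when the renewed certificate ($2) carries the same public key as the
# certificate currently on the FortiGate ($1), i.e. the CA re-signed the same
# CSR and the stored private key still matches. Exit 1 on mismatch, 2 on a
# file that openssl cannot parse.
same_public_key() {
    old_fp=$(spki_fingerprint "$1") || return 2
    new_fp=$(spki_fingerprint "$2") || return 2
    [ -n "$old_fp" ] && [ -n "$new_fp" ] && [ "$old_fp" = "$new_fp" ]
}

# Usage with hypothetical file names:
#   first_cert_block godaddy-bundle.crt > new-leaf.pem
#   ./check.sh old.pem new-leaf.pem
if [ "$#" -eq 2 ]; then
    if same_public_key "$1" "$2"; then
        echo "same public key: the stored private key can be reused"
    else
        echo "public key differs: import the new private key with the certificate"
        exit 1
    fi
fi
```

Run the script against the existing certificate and the leaf extracted from the CA bundle; only a "same public key" result justifies copying the 'set password ENC' and 'set private-key' lines into the new object.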