Description
This article describes how to import a new local certificate after renewing the existing local certificate by third party (such as GoDaddy) but without the private key. In this example, assume that the new certificate is generated from third party and the third party certificate server used the same private key that have been used for generating the existing certificate.
Scope
FortiGate.
Solution
- Show the existing certificate detail by showing full vpn certificate local <certificate name>.
show full-configuration vpn certificate local OldCertificate
config vpn certificate local
edit "OldCertificate"
set password ENC w1n0MtV3gH/VRsZdJXBg9aad5I4ng7vQlica3DxPxLuBxxgyp+8rb1CHYjqG4CiVVjON7DaSDSnt/eQLDekSOzniswfZJ6uiweYjwsg3peIX0ceKRE/nU4AY/eAFh8vRNGlybaL+848PEtIyMtPtN4Lkmmb2IyGeLS8KkKmdLqjPaLM8cJZup81O+gPGvFTy/k8LTw==
set comments ''
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIvMDdxmHgiIoCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECJmLmZycbhgeBIIEyA/vYCH2xO2f
……………………………………………………………………………………….
……………………………………………………………………………………….
qC2x6S8DxXf7B7pfn32Tueu7si8bn1daYf37LCFZUJISrSgBLoSJ6rjAAPIrWHB7
3VBiCR3tQUe0C+yYfh9zvQ==
-----END ENCRYPTED PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE-----
MIIFQTCCBCmgAwIBAgITSAAAAAI4aZeP8ZjX1wAAAAAAAjANBgkqhkiG9w0BAQsF
ADBUMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGDAWBgoJkiaJk/IsZAEZFghXaW4t
……………………………………………………………………………………….
……………………………………………………………………………………….
nKQo0fGHU0NAi0sDiTF9HpsEoj2WhBT3vVNp5sKwyWHztvcbOAOBUgIwvRz07H29
9865Gag=
-----END CERTIFICATE-----"
set range global
set source user
set source-ip 0.0.0.0
set ike-localid-type asn1dn
set enroll-protocol none
next
end
- Copy 'set password ENC ....... ' and 'set private-key ........ ' as yellow highlight.
- Create a new certificate then paste password and private-key from 2).
config vpn certificate local
edit <new certificate name>
set password ENC <paste here>
set private-key <paste here>
- Then open the new certificate with text editor such as Notepad and copy certificate text start from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- then paste the new certificate.
config vpn certificate local
edit <certificate name>
set certificate <----- Insert a quotation mark ("), then press Enter and paste the certificate content. Insert another quotation mark (") and press Enter.
end
If the user is on Multi-VDOM, the commands must be run on the Global VDOM.
config global
config certificate local
edit [certificate name]
set certificate <----- Insert a quotation mark ("), then press Enter and paste the certificate content. Insert another quotation mark (") and press Enter.
end
After that, check on the local certificate on System -> Certificates to see the new certificate. If the Certificates menu is not available, enable Certificate on Feature Visibility first System -> Feature Visibility and enable 'Certificates'.
