Created on 09-26-2014 08:25 AM
Edited on 01-16-2025 10:49 PM by Anthony_E
Description
Scope
Solution
When a CSR is generated on the FortiGate, two artifacts are created: the CSR itself and a matching private key.
When the signed certificate is uploaded for the first time, it is matched to that private key.
After the certificate expires, the private key and the 'old' certificate are still present in the FortiGate configuration as an object under 'config vpn certificate local', unless that object has already been deleted.
Provided no new CSR was sent to the CA for the renewal, the renewed certificate the CA issues still corresponds to the 'old' private key, because it was signed over the same public key as the original CSR.
The goal is to end up with the old private key and the new certificate in a single object in the FortiGate configuration.
This can be achieved by one of the two methods described below:
- Manually edit the old/existing object and replace the old 'set certificate' value with the new one.
- Upload the private key and the new certificate as a new object. This requires exporting the private key from the configuration, which is only possible if the password of the private key is known (if a password was set manually during CSR generation and is still remembered, this can be done; otherwise it is not possible).
Steps for the first method (editing the existing object):
- Open the renewed certificate (provided by the CA) in a text editor and copy its content.
Note that regardless of the certificate's file extension, the certificate must be PEM encoded, not DER encoded. If it is DER encoded, the lines 'BEGIN CERTIFICATE' and 'END CERTIFICATE' will not be visible, and the file must be converted to PEM before it is pasted into the CLI.
- Connect to the FortiGate unit via SSH and import the new signed certificate into the existing object. The certificate is entered as a quoted multi-line string: the CLI shows a '> ' continuation prompt for every additional line until the closing quote is typed.
On a unit with VDOMs enabled, the certificate object lives in the global context:

config global
    config vpn certificate local
        edit [certificate name]
            set certificate "-----BEGIN CERTIFICATE-----

For example (the body of the certificate is abbreviated here; paste every line of the PEM file):

config global
    config vpn certificate local
        edit [certificate name]
            set certificate "-----BEGIN CERTIFICATE-----
> ...
> mPjDQDYkYHKcTrGa6aH7e1w1uM7kdaBAjyAgM7xcmuTrsCeLYfd+BwIDAQABo4ID
> TDCCA0gwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIorRWhO7dYIKtkziB9KY0
> -----END CERTIFICATE-----"
        next
    end
end

On a unit without VDOMs enabled:

config vpn certificate local
    edit [certificate name]
        set certificate "-----BEGIN CERTIFICATE-----
> ...
> mPjDQDYkYHKcTrGa6aH7e1w1uM7kdaBAjyAgM7xcmuTrsCeLYfd+BwIDAQABo4ID
> TDCCA0gwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIorRWhO7dYIKtkziB9KY0
> -----END CERTIFICATE-----"
    next
end
- To make the renewed certificate take effect, find where the certificate is referenced ('linked'), unset the reference and set it again so that the service reloads the certificate. Do this from the SSH session: while the reference is unset, the service falls back to the default certificate, which can interrupt a GUI session that depends on it.
- For the admin HTTPS server certificate:

config system global
    unset admin-server-cert
end
config system global
    set admin-server-cert [name]    <- Select the certificate used for admin HTTPS access.
end

- For a certificate used for SSL VPN (the servercert setting is under 'config vpn ssl settings'):

config vpn ssl settings
    unset servercert
end
config vpn ssl settings
    set servercert [certificate name]    <- Select the certificate used for SSL VPN access.
end

Afterwards, confirm from a client that the renewed certificate (new validity dates, same public key) is the one presented on the admin HTTPS and SSL VPN ports.
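Before pasting anything into the CLI, it is worth confirming on a workstation that the renewed certificate really belongs to the private key the existing CSR was generated from, and normalising a DER file to PEM as the note above requires. The script below is an added example and is not part of the Fortinet article or FortiOS: it assumes only that openssl is in PATH. The function names (to_pem, pubkey_fp, cert_matches_csr, make_fixture) are hypothetical, and make_fixture builds a constructed stand-in for the real CSR and CA responses (a renewal signed over the same key, a DER copy of it, and a certificate issued for a different key) so the check can be exercised offline.

```sh
#!/bin/sh
# Added example (not from the Fortinet article): check that a renewed
# certificate matches the key behind the original CSR before importing it.
# Assumes: openssl in PATH. Fixture data below is constructed, not real.
set -eu

# Convert to PEM if the CA sent DER; a PEM file is copied through unchanged.
to_pem() {
    # $1 = input certificate (PEM or DER), $2 = output PEM path
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        cp "$1" "$2"
    else
        openssl x509 -inform der -in "$1" -out "$2"
    fi
}

# SHA-256 fingerprint of the SubjectPublicKeyInfo carried by a CSR, a
# certificate or a private key, re-encoded as DER so the three compare equal
# whenever they hold the same public key.
pubkey_fp() {
    # $1 = csr|cert|key, $2 = path
    case "$1" in
        csr)  openssl req  -noout -pubkey -in "$2" ;;
        cert) openssl x509 -noout -pubkey -in "$2" ;;
        key)  openssl pkey -pubout -in "$2" ;;
    esac | openssl pkey -pubin -outform der | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 when the renewed certificate (PEM or DER) carries the CSR's public
# key, i.e. it can be pasted over the old object's 'set certificate' value;
# returns 1 when the CA signed a different key and the old object cannot be reused.
cert_matches_csr() {
    # $1 = CSR path, $2 = renewed certificate path
    tmp=$(mktemp)
    to_pem "$2" "$tmp"
    fp_csr=$(pubkey_fp csr "$1")
    fp_cert=$(pubkey_fp cert "$tmp")
    rm -f "$tmp"
    [ "$fp_csr" = "$fp_cert" ]
}

# Constructed fixture: the "old" key and CSR, a renewal signed over that CSR
# (self-signed here to stand in for the CA), a DER copy, and a certificate
# for an unrelated key. Prints the directory holding the files.
make_fixture() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/old.key" 2>/dev/null
    openssl req -new -key "$dir/old.key" -subj "/CN=vpn.example.test" -out "$dir/old.csr" 2>/dev/null
    openssl x509 -req -in "$dir/old.csr" -signkey "$dir/old.key" -days 365 -out "$dir/renewed.pem" 2>/dev/null
    openssl x509 -in "$dir/renewed.pem" -outform der -out "$dir/renewed.der"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null
    openssl req -new -key "$dir/other.key" -subj "/CN=vpn.example.test" -out "$dir/other.csr" 2>/dev/null
    openssl x509 -req -in "$dir/other.csr" -signkey "$dir/other.key" -days 365 -out "$dir/other.pem" 2>/dev/null
    echo "$dir"
}

# Usage against real files: cert_matches_csr /path/to/old.csr /path/to/renewed.cer
# A zero exit status means the old 'config vpn certificate local' object can
# keep its private key and only needs its certificate value replaced.
```

Comparing the public key rather than, say, the subject name is the point: a CA will happily issue a certificate with the same CN for a freshly generated CSR, and such a certificate looks identical in a text editor but will fail to pair with the old private key once it is set on the FortiGate object.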