FortiGate
GW (Staff)
Article Id 401153
Description: This article describes how to reuse a local certificate whose CSR was generated and signed inside a VDOM in the Global context, by copying the key pair and certificate via the CLI.
Scope: FortiGate.
Solution

Generally, a certificate imported in Global is available to all VDOMs. When the CSR was generated in one specific VDOM, however, the signed certificate can only be imported into that VDOM and is only usable there, because the matching private key exists only in that VDOM.

Importing the same signed certificate into Global afterwards is rejected with the error 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert.'.

If the CSR was generated in a VDOM and the certificate has already been signed, but the certificate is also needed in Global, the following CLI steps copy the existing private key and certificate into Global, so that no second certificate has to be signed (and paid for).

 

  1. Extract the certificate configuration from the VDOM. This is the output of the command show vpn certificate local CERTNAME_UNDER_VDOM, run inside the VDOM. The private key is printed as an encrypted PEM block and its password as an ENC value; both are decrypted by this same unit, which is why they can be copied verbatim in the next step:

config vdom
    edit "VDOM_NAME"
        config vpn certificate local
            edit "CERTNAME_UNDER_VDOM"
                set password ENC --omitted--==
                set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIM9lXIOIbdiICAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECMCypU4LU2egBIIEyKoEhpEEmBIj
eP5jHDKfETjZxyV9zDc54rX4ik01dejvmS4jG9G9+lIF6IxZ0AZVQHmJtaHvw2Ys
9QqI85UUpeagFFsqb5l4nohZk6Wv3/jIt6mQBkDASWTIutll9JZk9ISUS24rvw9f
nnhkwIfL3iPPmuNY94KPvYeW4aToiuvSBROW5ElNshthIDmp/a7YGyZ48liU++lu
--omitted--
ZueOpkqnyF3MJEhobldPjKxgeb/uqQUwEqQ6gq8PB44Xv+NmqQQ6uEzQAiOkpytQ
93aeRDi9hPQmq4FbZ1FUoa+U8/KOk7/awhItEgK/7s+qr1z6SUX3WnnF7BS1OlPH
FsTwQfGgXbAuGKyyC11i57d+5vGIJx7oUClkfgZj46fIhqde1D6Vfugt2UHm3GRm
FkU3KCGPJBChwSRB9N6yeZrhWCIv+mxqdm19mEZbeyjwclit++Fy14Vx/nficpdL
OkF9L+RKY6TPueY6Ww5bZg==
-----END ENCRYPTED PRIVATE KEY-----"
                set certificate "-----BEGIN CERTIFICATE-----
MIIDSTCCAjGgAwIBAgIIKz8UsnGeyDgwDQYJKoZIhvcNAQELBQAwIjELMAkGA1UE
BhMCQVUxEzARBgNVBAMTCkRDMi1TdWItQ0EwHhcNMjMwMTEwMDAwMDAwWhcNMjgw
MTA5MjM1OTU5WjAfMQswCQYDVQQGEwJBVTEQMA4GA1UEAwwHRkdUX0NMMTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMXm+SfOS5TG2T7hTE2YKu+WWlH3
hvcNAQELBQADggEBAIf50l4pv/MIrXikAMFIM/syzY7YTERv8IOFp0tpxv9QZSTW
--omitted--
33B0XNm+Mv7U1t54tCEDa6B35ZCscz1AJYlKyvHMhNMHF2FqHYrd0XgiJCEL1Usv
GWu8yUqaByq+TV+jDvm/DrRxF3ClYdsBkD4BsEwW06SwM5akn8feJ4aHU2CiGTKm
JOgCi79/LmGvHw1h/LlszyfTP7rg9B+1nH8sR7W9xnyUXbW8KCFches4jSdN6e70
iA4UNASYsQHdjFvbLK0TErF8xK0QiCR9Da93ttuZn7gC2ljQNZ1WuDUYONlVNepg
rbWb/RsnHKl229U8CtsYKC6SaMEP6XBqCnhv50A=
-----END CERTIFICATE-----"
            next
        end
    next
end

 

  2. Paste the same content into the Global context, changing only the object name (local certificate names are limited to 35 characters, hence the placeholder name) and leaving the password, private-key and certificate values exactly as extracted:

config global
    config vpn certificate local
        edit "CERTNAME_GLOBAL_character_limit_35"
            set password ENC --omitted--==
            set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIM9lXIOIbdiICAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECMCypU4LU2egBIIEyKoEhpEEmBIj
eP5jHDKfETjZxyV9zDc54rX4ik01dejvmS4jG9G9+lIF6IxZ0AZVQHmJtaHvw2Ys
9QqI85UUpeagFFsqb5l4nohZk6Wv3/jIt6mQBkDASWTIutll9JZk9ISUS24rvw9f
nnhkwIfL3iPPmuNY94KPvYeW4aToiuvSBROW5ElNshthIDmp/a7YGyZ48liU++lu
--omitted--
ZueOpkqnyF3MJEhobldPjKxgeb/uqQUwEqQ6gq8PB44Xv+NmqQQ6uEzQAiOkpytQ
93aeRDi9hPQmq4FbZ1FUoa+U8/KOk7/awhItEgK/7s+qr1z6SUX3WnnF7BS1OlPH
FsTwQfGgXbAuGKyyC11i57d+5vGIJx7oUClkfgZj46fIhqde1D6Vfugt2UHm3GRm
FkU3KCGPJBChwSRB9N6yeZrhWCIv+mxqdm19mEZbeyjwclit++Fy14Vx/nficpdL
OkF9L+RKY6TPueY6Ww5bZg==
-----END ENCRYPTED PRIVATE KEY-----"
            set certificate "-----BEGIN CERTIFICATE-----
MIIDSTCCAjGgAwIBAgIIKz8UsnGeyDgwDQYJKoZIhvcNAQELBQAwIjELMAkGA1UE
BhMCQVUxEzARBgNVBAMTCkRDMi1TdWItQ0EwHhcNMjMwMTEwMDAwMDAwWhcNMjgw
MTA5MjM1OTU5WjAfMQswCQYDVQQGEwJBVTEQMA4GA1UEAwwHRkdUX0NMMTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMXm+SfOS5TG2T7hTE2YKu+WWlH3
hvcNAQELBQADggEBAIf50l4pv/MIrXikAMFIM/syzY7YTERv8IOFp0tpxv9QZSTW
--omitted--
33B0XNm+Mv7U1t54tCEDa6B35ZCscz1AJYlKyvHMhNMHF2FqHYrd0XgiJCEL1Usv
GWu8yUqaByq+TV+jDvm/DrRxF3ClYdsBkD4BsEwW06SwM5akn8feJ4aHU2CiGTKm
JOgCi79/LmGvHw1h/LlszyfTP7rg9B+1nH8sR7W9xnyUXbW8KCFches4jSdN6e70
iA4UNASYsQHdjFvbLK0TErF8xK0QiCR9Da93ttuZn7gC2ljQNZ1WuDUYONlVNepg
rbWb/RsnHKl229U8CtsYKC6SaMEP6XBqCnhv50A=
-----END CERTIFICATE-----"
        next
    end
end

 

Afterwards the certificate is available in Global (and, as for any Global certificate, to all VDOMs) without a second CSR or signing. To confirm the copy, run show vpn certificate local "CERTNAME_GLOBAL_character_limit_35" under config global and compare the certificate block with the one shown in the VDOM.
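The rewrite performed by hand in steps 1 and 2 (rename the object, keep password, private key and certificate untouched, swap the VDOM wrapper for config global) is mechanical enough to script. The following POSIX shell function is an added example, not code from the article or from Fortinet: it reads captured show vpn certificate local output and prints the block to paste into Global. The sample output, the ENC value and the PEM lines are constructed placeholders rather than real key material, the function name vdom_cert_to_global is hypothetical, and the 35-character name limit is taken from the placeholder name the article uses.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): rewrite the output of
# `show vpn certificate local <name>` captured in a VDOM into the block that
# is pasted under `config global`. Sample data below is constructed; the
# ENC value and PEM lines are placeholders, not a real key or certificate.

VDOM_SHOW_OUTPUT='config vpn certificate local
    edit "CERTNAME_UNDER_VDOM"
        set password ENC PLACEHOLDER_ENC_VALUE==
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIexampleonly
exampleonlyexampleonlyexampleonlyexampleonly
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
MIIDSTCCAjGgAwIBAgIIexampleonly
exampleonlyexampleonlyexampleonlyexampleonly
-----END CERTIFICATE-----"
    next
end'

# Maximum length of a local certificate name (assumption taken from the
# placeholder name CERTNAME_GLOBAL_character_limit_35 used in the article).
CERT_NAME_MAX=35

# vdom_cert_to_global SRC_NAME DST_NAME
# Reads the VDOM `show` output on stdin and prints the Global-context
# equivalent: the object is renamed to DST_NAME, the password, private-key
# and certificate lines are copied verbatim (the same unit decrypts the ENC
# password), and the block is wrapped in `config global` ... `end`.
# Returns 1 if DST_NAME is too long or SRC_NAME is not found in the input.
vdom_cert_to_global() {
    src="$1"
    dst="$2"
    if [ "${#dst}" -gt "$CERT_NAME_MAX" ]; then
        echo "error: name '$dst' exceeds $CERT_NAME_MAX characters" >&2
        return 1
    fi
    awk -v src="$src" -v dst="$dst" '
        BEGIN { inblk = 0; found = 0 }
        # Start of the wanted object: emit the Global wrapper and the new name.
        $0 ~ ("^[ \t]*edit \"" src "\"[ \t]*$") {
            inblk = 1; found = 1
            print "config global"
            print "    config vpn certificate local"
            print "        edit \"" dst "\""
            next
        }
        # End of the object: close the nested config blocks.
        inblk && $0 ~ /^[ \t]*next[ \t]*$/ {
            inblk = 0
            print "        next"
            print "    end"
            print "end"
            next
        }
        # Everything in between (ENC password, multi-line PEM blocks) is copied
        # unchanged; PEM continuation lines never match the patterns above, and
        # FortiOS does not care about the indentation of the set lines.
        inblk { print }
        END {
            if (!found) {
                print "error: no object named \"" src "\" in input" > "/dev/stderr"
                exit 1
            }
        }
    '
}

# Stand-alone usage: print the block to paste into the Global context.
printf '%s\n' "$VDOM_SHOW_OUTPUT" | vdom_cert_to_global CERTNAME_UNDER_VDOM FGT_CL1_GLOBAL
```

In practice the input is the text copied from the VDOM console into a file, and the output is pasted back into the Global CLI; the PEM lines are deliberately left at column 0 because leading whitespace inside the quoted PEM string would become part of the base64 data.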
