Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jmacdonaldplante
Staff
Staff

Created on ‎05-14-2015 01:04 PM Edited on ‎11-22-2022 03:09 AM By Community Manager

Article Id 192446

Technical Tip: Moving or copying a Certificate and its Private Key to another FortiGate or FortiWiFi

Description

 
This article describes that there may be scenarios where a Certificate and its Private Key is needed on multiple FortiGate/FortiWifi Appliances and/or virtual machines.

The steps to follow will typically work between different firmware, but it is recommended that both units be on the same firmware release version.

No special tools are required beyond CLI access to the appliance.

 

Scope

 

This article is no longer applicable in modern firmware versions. The process below is not available since version 6.0. (private key passwords are not recoverable).


Solution

 

Moving Certificates from one FortiGate/FortiWiFi to another is a simple task of copying the Certificate configuration from one unit to the other.

On the original unit, perform the following:

edit "Fortinet_CA_SSLProxy"
    set password ENC xbhxFaK5XBgM8swWpprSCYI6SLBe3/AMOn
/Mj7xazDqFENQXjjXPmD4VXYuYN6zks3O36ECCkxX2kmQkEoyBPke9fV0rT08or7vthB9tlN8
> 3WA5SWJ5J9GsKBLg9WdWpDDwVsio7CaVYx24hX2/98jFNkCgQ90PDz8M6CX9ZboQHLemJgX0h88P5EsVrPhtVqT/PEw==

    set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
> MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCgU1YXilYKBW2gag
> [omitted for brevity]
> g5vtXWbV3vM8mWMAou4qAR6X/k+5usIqYzqB67wFEMXsYkQ8vb0
> -----END ENCRYPTED PRIVATE KEY-----"

    set certificate "-----BEGIN CERTIFICATE-----
> MIID2jCCAsKgAwIBAgIEVC8u3jANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
> [omitted for brevity]
> WY1CW4nQSamY6of2lmQbjfUKNtuyS56Y3MhhfokI0IPPtEsrVpLu89VHyiCQMKpzRu
> -----END CERTIFICATE-----"

   unset state
set scep-url ''
set source-ip 0.0.0.0
unset ike-localid-type
next
end

From this output, copy the lines and values for:

set password ENC "[hash text]"
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----" [hash text] "-----END ENCRYPTED PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE-----" [hash text] "-----END CERTIFICATE"

On the other FortiGate/FortiWifi perform the following commands (These need to be entered in the order of:
Password, Private-key, Certificate):

# config vpn certificate local
    edit [new_certificate]
       set password ENC "[hash text]"
       set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----" [hash text] "-----END ENCRYPTED PRIVATE KEY-----"
  set certificate "-----BEGIN CERTIFICATE-----" [hash text] "-----END CERTIFICATE"
    end

If no errors are received after entering all commands, including 'end', the certificate should now appear in the GUI menu and be available for uses that require a private key.
5743
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.