FortiGate
vrajendran
Staff
Description
This procedure describes how to export a local certificate from a FortiGate with its private key and re-import it in another FortiGate.

Solution
1) Save the private key from CLI.

1.1) Go to the CLI menu '# config vpn certificate local'.
1.2) Type '# show full' and, for the given certificate, look for the line starting with 'set private-key "-----BEGIN RSA PRIVATE KEY-----'.
1.3) Copy the text from  -----BEGIN RSA PRIVATE KEY-----  up to -----END RSA PRIVATE KEY-----  and save it to a file.
1.4) Make sure to exclude any special characters such as for example.
1.5) An example is provided at the end of this article.

2) Set a password for the certificate.

2.1) Go to the CLI menu '# config vpn certificate local'.
2.2) Edit the given certificate and set a password (set password <password>).

3) Export the certificate from GUI.

3.1) Go to Global -> Certificates -> Local Certificates.
3.2) Select the certificate to export and select 'Download'.
3.3) This will provide a .cer file, for example 'Cert_chain1.cer'.

4) Re-import it on another FortiGate from GUI.

4.1) Go to Global -> Certificates -> Local Certificates.
4.2) Select Import -> Certificate.
4.3) In the appropriate fields, select the files saved in step 1 and step 2, and provide the password from step 2.
4.4) Verify from the menu Global -> Certificates -> Local Certificates that the certificate is present.

Example of private key file.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,21F46CF768868B66

Zw+r9xa1L6r79qbsLnpk7o8Dj99fsdfsdfdYRFvPUhzC0ORelfcPzwrvDoyRQJKJ
QSfAIQ5lwaWsJoWw9e8O1nl8asdwesu4ui0u4LA2l7G6iJPyGy+QMZ2srA32p4iv

[truncated]

bsLnpk7o8Dj99fjsJywFdYRFvPUhzC0ORelfcPzwrvDoyRQJKJfsf9sfsdfsfsfs
QSfAIQ5lwaWsJoWw9e8O1nl8o+EpYDu4ui0u4LA2l7G6iJPyGy+QMZ2srA32p4iv
-----END RSA PRIVATE KEY-----
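
A check for the file saved in steps 1.3 and 1.4, as an added example that is not part of the original article and not Fortinet code: it confirms the copied block starts and ends exactly on the PEM markers, carries the encryption headers shown in the example above, and has an intact base64 body. The names check_key_file and make_sample and the sample data are constructed for illustration.

```python
import base64
import re

BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
END = "-----END RSA PRIVATE KEY-----"

def check_key_file(text):
    """Return a list of problems in a key block copied from 'show full' output."""
    problems = []
    lines = [ln.rstrip("\r") for ln in text.strip("\n").split("\n")]
    if lines[0] != BEGIN:
        problems.append("first line is not exactly the BEGIN marker")
    if lines[-1] != END:
        problems.append("last line is not exactly the END marker")
    inner = lines[1:-1]
    # PEM encryption headers come first, then a blank line, then base64 text.
    headers = {}
    while inner and ":" in inner[0]:
        name, _, value = inner.pop(0).partition(":")
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        problems.append("Proc-Type: 4,ENCRYPTED header missing")
    if not re.fullmatch(r"[A-Z0-9-]+,[0-9A-F]+", headers.get("DEK-Info", "")):
        problems.append("DEK-Info header missing or malformed")
    body = [ln for ln in inner if ln]
    bad = [n for n, ln in enumerate(body, 1)
           if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", ln)]
    if bad:
        problems.append(f"non-base64 characters on body line(s) {bad}")
    else:
        try:
            raw = base64.b64decode("".join(body), validate=True)
            # CBC ciphertext is a whole number of cipher blocks (8 bytes for 3DES).
            if not raw or len(raw) % 8:
                problems.append("body length is not a whole number of cipher blocks")
        except ValueError:
            problems.append("body is not valid base64 (text missing?)")
    return problems

def make_sample():
    """Constructed sample in the same layout as the article's example (not a real key)."""
    b64 = base64.b64encode(bytes(range(96))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (f"{BEGIN}\nProc-Type: 4,ENCRYPTED\n"
            f"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n{body}\n{END}\n")

if __name__ == "__main__":
    print(check_key_file(make_sample()))  # clean copy
    print(check_key_file('set private-key "' + make_sample().rstrip("\n") + '"'))
```

An empty result means the file has the expected layout; it does not prove the key matches the certificate exported in step 3.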
