FortiManager
asrour
Staff
Article Id 331616
Description

This article describes how to import a PFX certificate to FortiManager/FortiAnalyzer via the CLI.

PEM and PFX (also known as PKCS #12) are both formats for storing X.509 certificates. If the error 'importing local certificate failed. It might already exist' is received when importing through the GUI, the CLI can be used instead to resolve it.

 


Scope

FortiManager/FortiAnalyzer.

Solution

An SSL certificate must be in PEM format to be uploaded to FortiManager/FortiAnalyzer via the CLI.

  1. If the certificate is in PFX format, convert it to PEM using any third-party tool. In this example, SSL Shopper is used. Upload the PFX certificate to the online tool and enter its password, then select convert. The PEM certificate will be downloaded. In this example, the downloaded file is test-certificate.pem.

  2. Right-click the .pem file and open it using a text editor such as Notepad.

  3. The text editor will open the file and display its contents.

  4. Copy the first paragraph, from the start of '-----BEGIN PRIVATE KEY-----' to the end of '-----END ENCRYPTED PRIVATE KEY-----'.

  5. Copy the second paragraph, which is the certificate, from the start of '-----BEGIN CERTIFICATE-----' to the end of '-----END CERTIFICATE-----'.

  6. Ignore the third paragraph (which is the CA Bundle File) and the other text in the file.

  7. Log in to the FortiManager or FortiAnalyzer or connect via SSH.

  8. In the CLI console, enter:

config system certificate local  <- Note that in this case, a local certificate is being uploaded. Use the same method for other certificate types, but change 'local' to the corresponding type.
    edit "test-certificate"   <- Give a name to the cert.
        set private-key <paste the first paragraph>
        set certificate <paste the second paragraph>
end

  9. The certificate is saved in the FortiManager/FortiAnalyzer under System Settings -> Certificates and is ready to be used.
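The conversion and copy steps above can also be done with a local OpenSSL install, which keeps the PFX file and its password on the workstation. This is an added example, not part of the original article or Fortinet's tooling; the function names, the PFX_PASS variable, the key.pem/cert.pem file names and the double quotes around the pasted values are assumptions.

```shell
#!/bin/sh
# Added example: local PFX -> PEM conversion and extraction of the two blocks
# the article pastes into the CLI. Function and file names are assumptions.

# pfx_to_pem PFX OUTDIR: write OUTDIR/key.pem and OUTDIR/cert.pem with the
# local openssl binary. The PFX password is read from $PFX_PASS rather than
# being typed on the command line.
pfx_to_pem() {
    (
        umask 077    # key.pem holds the private key unencrypted (-nodes)
        openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes \
            -out "$2/key.pem" &&
        # -clcerts -nokeys: leaf certificate only, no key, no CA bundle
        openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
            -out "$2/cert.pem"
    )
}

# pem_block FILE LABEL_REGEX: print the first PEM block whose BEGIN label
# matches. "Bag Attributes" text, CRLF line endings and later blocks (such as
# a CA bundle) are dropped.
pem_block() {
    awk -v want="$2" '
        { sub(/\r$/, "") }
        !inblk && $0 ~ ("^-----BEGIN " want "-----") { inblk = 1 }
        inblk { print }
        inblk && /^-----END / { exit }
    ' "$1"
}

# fmg_cli NAME KEYFILE CERTFILE: print the CLI block from the article with
# both values filled in. Assumption: multi-line values go in double quotes.
fmg_cli() {
    key=$(pem_block "$2" '(ENCRYPTED |RSA |EC )?PRIVATE KEY')
    cert=$(pem_block "$3" 'CERTIFICATE')
    [ -n "$key" ] && [ -n "$cert" ] || { echo "missing PEM block" >&2; return 1; }
    printf 'config system certificate local\n'
    printf '    edit "%s"\n' "$1"
    printf '        set private-key "%s"\n' "$key"
    printf '        set certificate "%s"\n' "$cert"
    printf 'end\n'
}

# Usage on an admin workstation, with PFX_PASS exported in the environment:
#   pfx_to_pem test-certificate.pfx . && fmg_cli test-certificate key.pem cert.pem
```

Delete key.pem once the certificate has been imported, since it contains the private key in clear text.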

 


 

Related articles:

Technical Tip: How to upload and set local certificate to be used in FortiManager/FortiAnalyzer

Technical Tip: Using an externally signed local certificate for OFTP connection

Technical Tip: How to import an SSL certificate as a local certificate

Technical Tip: How to configure FortiManager to use custom certificate for HA communication

Technical Tip: How to Convert a PKCS#12 Certificate to Legacy Format for FortiManager/FortiAnalyzer

Technical Tip: Import PFX certificate to FortiManager/FortiAnalyzer via the CLI