Description
This article describes how to import a server certificate, including the full CA chain, in FortiPortal.
Scope
FortiPortal.
Solution
- Login to the FortiPortal GUI as the MSP administrator and navigate to Admin (1) -> System Info (2) -> System Info tab (3).
- Under Certificate Information -> Certificate, import the server (or wildcard) certificate including the CA chain in PEM format (4).
- Under Certificate Information -> Private Key, import the corresponding unencrypted private key (5).
- Select the 'Save' button under the private key field (6).
- Reboot FortiPortal to apply the change to the web server.
- Verify that the server is showing the certificate chain correctly. Run the following command from a Linux host with access to the FortiPortal address:
openssl s_client -showcerts -connect <FortiPortalAddress>:443
Optional:
If the issuing authority has provided the server certificate and private key as a password-protected PKCS#12 file, use openssl to export them as separate files with no password (both commands will prompt for the PKCS#12 file password)
openssl pkcs12 -in <YourPKCS12File>.p12 -out <OutputKeyFilePEM>.key -nodes -nocerts
Enter Import Password:
openssl pkcs12 -in <YourPKCS12File>.p12 -out <OutputCertificateFilePEM>.crt -nokey
Enter Import Password:
The usage of the '-nodes' flag in the key export command is necessary to export the private key without setting a new password.
When done, import the two output files using the respective file selectors in the FortiPortal GUI, as described in the steps above.
If the private key is provided by the issuer as a separate encrypted file, use the following OpenSSL command to decrypt the key before importing it in FortiPortal (enter the key password when prompted):
openssl rsa -in <YourEncrypted>.key -out <YourDecrypted>.key
Enter pass phrase for <YourEncrypted>.key:
