kmak
Staff
Article Id 371695
Description This article describes how to add a Subject Alternative Name (SAN) to the existing Let’s Encrypt Certificate in FortiWeb.
Scope FortiWeb.
Solution

Prerequisite:

  • The domain/FQDN must be publicly accessible over HTTP/HTTPS when the type is HTTP-01 or TLS-ALPN.
  • FortiWeb Let’s Encrypt SSL Certificates support wildcard subdomains only since v7.6.1, and only when the type is DNS-01.

 

  1. In FortiWeb, navigate to Server Objects -> Certificates -> Let’s Encrypt and edit the existing Let’s Encrypt SSL Certificate. There is no option to add/remove the Subject Alternative Name (SAN).

 

  2. To add/remove the Let’s Encrypt SSL Certificate SAN, the certificate must be revoked first. The SSL Certificate revocation will fail if the SSL Certificate is used in a Server Policy or SNI Policy.

 

  3. Schedule a maintenance window to unassign the Let’s Encrypt SSL Certificate from any Server Policy or SNI Policy. In the example, the SNI policy domain SSL certificate is temporarily changed from Let’s Encrypt to Local empty cert.

 

  4. Go back to the Let’s Encrypt Certificate page and revoke the SSL certificate.

 

  5. The Let’s Encrypt SSL status will change to revoked within a minute.

 

  6. Edit the Let’s Encrypt SSL Certificate again. There are now options to create/edit/delete the Subject Alternative Name.

 

  7. Add the domain/FQDN to the Let’s Encrypt SSL Certificate SAN member list.

 

  8. If the Let’s Encrypt SSL Certificate type is HTTP-01, make sure that the domains/FQDNs are pointed and assigned correctly to the right Server Policy and SNI Policy before issuing the SSL certificate. If the Let’s Encrypt SSL Certificate type is DNS-01, proceed to select the Issue icon so that the FortiWeb system obtains the validation TXT records.

  9. Make sure that the new domain/FQDN is added to the SNI Policy and that it is using the Let’s Encrypt SSL Certificate.

 

  10. The Let’s Encrypt SSL Certificate will be issued with the additional SAN count if the HTTP validation or DNS validation is completed successfully.

 

  11. Test by browsing to the domain website with the Let’s Encrypt SSL Certificate installed. The browser should show the SSL Certificate with multiple Subject Alternative Names (SAN).
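
A scripted version of the check in the last step, as an added example that is not part of the original article: it reads the SAN list from the certificate served for a domain and reports which expected names are not covered, including the wildcard case from the prerequisites. The host names are hypothetical placeholders and the sample SAN list is constructed.

```python
import socket
import ssl


def fetch_sans(host, port=443, timeout=5.0):
    """Return the DNS SAN entries of the certificate served for `host` (sent as SNI).

    Chain and hostname validation stay on, so a temporary or revoked-and-replaced
    certificate that does not cover `host` raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_covers(san, name):
    """True if one SAN entry covers `name`; '*' matches exactly one left-most label."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if san.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == san[2:]
    return san == name


def missing_names(sans, expected):
    """Names from `expected` that no SAN entry covers."""
    return [n for n in expected if not any(san_covers(s, n) for s in sans)]


if __name__ == "__main__":
    # Constructed sample: a SAN list as it might look after re-issuing (hypothetical names).
    sample_sans = ["www.example.com", "shop.example.com", "*.apps.example.com"]
    expected = ["www.example.com", "shop.example.com",
                "a.apps.example.com", "apps.example.com"]
    print(missing_names(sample_sans, expected))
    # Live check against the FortiWeb virtual server (needs network access):
    # print(missing_names(fetch_sans("www.example.com"), expected))
```

For a live check, call `fetch_sans` once per domain, because the SNI Policy selects the certificate according to the requested name.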

 


 

Related articles:

Technical Tip: How to obtain a Let's Encrypt SSL for a domain in FortiWeb with the True Transparent ...

Technical Tip: How to install Let's Encrypt SSL for version 7.0 and later (Reverse Proxy Mode)