Fortinet Forum
jm75
New Contributor

Problem with SSL certificate package from a CA

Hello,

I'm using FortiOS 5.6.3 on a FortiGate 200D.

I've bought a domain SSL certificate. I've followed the (old) procedure https://docs.fortinet.com/d/fortigate-how-to-purchase-and-import-a-signed-ssl-certificate ("Purchase and Import a signed SSL Certificate").

From the Web UI, I generated the CSR (RSA 4096 bits, with a password for the private key) and submitted it to the certificate seller. They gave me the information to get two .crt files, one for my domain and the second for the Intermediate Certificate. I imported the two .crt files in the Web UI (System/Certificates) and found them under "Certificates" and "External CA Certificates". The domain certificate's status was OK.

But my new domain certificate was not in the "Server Certificate" list in "VPN/SSL-VPN Settings".

What is wrong with my procedure?

Should I import the Root CA Certificate too on the FortiGate?

Thanks for your help.

JM

emnoc
Esteemed Contributor III

Did you do this from the Web GUI? You might need to copy/paste the cert via the CLI:

config vpn certificate local (iirc)

Once the crt file is matched to the certificate, you can select it for the VPN services.

Ken

PCNSE 

NSE 

StrongSwan  

jm75
New Contributor

Hello,

Thanks.

I used the CLI to import the domain certificate (and the Web UI for the Intermediate CA Certificate).

The certificate status has changed from Pending to OK.

I've tried to use these commands:

config vpn ssl settings
unset servercert
set servercert + Tab key

Only the current certificate is shown (Fortinet_Factory, and not the other ones).

And if I use "set servercert Fortinet_SSL_Portail" ("Fortinet_SSL_Portail" is our domain certificate), the command fails (return code -3).

Is there something special with FortiOS 5.6.3?

JM

sw2090
Honored Contributor

I'd assume you have the wrong certificate type.

For SSL VPN you will need a certificate capable of signing.

For SSL inspection you will even need a sub-CA certificate.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

jm75
New Contributor

Thanks sw2090.

In the details of the new certificate I see:

X509v3 Key Usage: Digital Signature, Key Encipherment
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication

I suppose it's good for SSL VPN?

Jm

sw2090
Honored Contributor

"

While the default self-signed certificates can be used for HTTPS connections, it is preferable to use the X.509 server certificate to avoid the redirection as it can be misinterpreted as possible session hijacking. However, the server certificate method is more complex than self-signed security certificates. Also the warning message is typically displayed for the initial connection, and future connections will not generate these messages.

X.509 certificates can be used to authenticate IPsec VPN peers or clients, or SSL VPN clients. When configured to authenticate a VPN peer or client, the FortiGate unit prompts the VPN peer or client to authenticate itself using the X.509 certificate. The certificate supplied by the VPN peer or client must be verifiable using the root CA certificate installed on the FortiGate unit in order for a VPN tunnel to be established."

 

That is what the online help of one of my FGTs says about this.

After your CSR was signed, as what did you import it? Local cert? CA? ...

Maybe you imported it as the wrong kind (struck me once too ;) ).


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

jm75
New Contributor

Hi,

I've imported the intermediate as a CA certificate (shown under "External CA Certificates" in the Web UI) and the domain certificate as a "Local Certificate" (shown under the "Certificates" section in the Web UI).

I've followed, I think (??), the steps given in the "Purchase and Import a Signed SSL Certificate" Fortinet document.

I have a case open, and Fortinet asked me to use a 2048-bit key size and not 4096 bits. With a new certificate reissued by my CA, the problem is the same.

For the moment, I don't know if there is something wrong in my operations (this is the first time I'm using these features) or in the type of certificate I've bought.

Jm
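Before importing a CA-issued package like the one described in this thread, it is worth reproducing on a workstation what the FortiGate does when it pairs the signed .crt with the key it kept from the CSR (emnoc's point above), and checking the other points the thread raises: whether the domain certificate chains through the intermediate (with or without the root CA, which answers the opening question about importing the root), whether it carries the TLS Web Server Authentication extended key usage shown in the certificate details, and what its RSA key size is (the 2048 vs 4096 bit question from the support case). The POSIX shell script below is an added example; it is not from the forum thread, from Fortinet or from the FortiOS documentation. It assumes the openssl command-line tool is installed, and the file names (domain.crt, domain.key, intermediate.crt, root.crt) and the key password are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Fortinet: local pre-import
# checks on a CA-issued server certificate package using the openssl CLI.
# File names and the password used in the usage line are assumptions.

# check_chain DOMAIN_CRT INTERMEDIATE_CRT [ROOT_CRT]
# Verifies that the domain certificate builds a chain through the intermediate.
# With a root given, the root is the trust anchor and the intermediate is an
# untrusted link. Without a root, the intermediate itself is treated as the
# anchor (-partial_chain), which mirrors a FortiGate that only has the
# intermediate loaded as an external CA certificate.
check_chain() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# check_key_match DOMAIN_CRT KEY_PEM [KEY_PASSWORD]
# The FortiGate matches the signed certificate to the private key generated
# with the CSR; this reproduces that match by comparing the public key inside
# the certificate with the public key derived from the (optionally encrypted)
# private key.
check_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    if [ -n "$3" ]; then
        key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null)
    else
        key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    fi
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_server_eku DOMAIN_CRT
# Succeeds only if the Extended Key Usage lists TLS Web Server Authentication
# (serverAuth), which a certificate presented by the SSL-VPN portal or the
# HTTPS admin interface needs. A client-only certificate fails here.
check_server_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# key_bits DOMAIN_CRT
# Prints the RSA modulus size in bits taken from the certificate's public key
# (the sed pattern accepts both the "RSA Public-Key:" and "Public-Key:" labels
# printed by different OpenSSL versions).
key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# precheck DOMAIN_CRT KEY_PEM KEY_PASSWORD INTERMEDIATE_CRT [ROOT_CRT]
# Runs every check, prints one line per result and returns 1 if any failed.
# Pass an empty string as KEY_PASSWORD for an unencrypted key.
precheck() {
    rc=0
    if check_chain "$1" "$4" "$5"; then echo "chain: ok"; else echo "chain: FAIL"; rc=1; fi
    if check_key_match "$1" "$2" "$3"; then echo "key match: ok"; else echo "key match: FAIL"; rc=1; fi
    if check_server_eku "$1"; then echo "serverAuth EKU: ok"; else echo "serverAuth EKU: FAIL"; rc=1; fi
    echo "key size: $(key_bits "$1") bit"
    return $rc
}

# Usage (placeholder file names and password, run from the directory holding
# the package downloaded from the CA):
#   precheck domain.crt domain.key 'key-password' intermediate.crt root.crt
```

All four lines should read "ok" before the pair is imported under `config vpn certificate local` and selected with `set servercert`, the commands already used in the thread; a failing chain check with the root omitted means the intermediate in the package is not the one that signed the domain certificate, and a failing key match means the .crt was not issued for the key generated with the CSR.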

jm75
New Contributor

Hello,

A clue: I've seen that the currently selected certificate, "Fortinet_Factory", is the only one with no password shown in the CLI command "show vpn certificate local". The other ones, with a password, are not proposed in the interface (Web UI or CLI).

???

Jm

jm75
New Contributor

It seems the FortiGate doesn't accept certificate names that are too long. Mine was 21 characters long. Or maybe a naming problem. Some of the names of the embedded certificates are long too, and cannot be selected.

My certificate with a shorter name can now be selected, for the web management console and the VPN settings.

Thanks to those who have spent time talking to me about this problem.

Jm