From the Web UI, I generated the CSR (RSA 4096 bits, with a password for the private key) and submitted it to the certificate seller. They gave me the information to get two .crt files, one for my domain and the second for the Intermediate Certificate. I imported the two .crt files in the Web UI (System/Certificates) and found them under "Certificates" and "External CA Certificates". The domain certificate was shown with the status OK.
But my new domain certificate was not in the "Server Certificate" list in "VPN/SSL-VPN Settings".
What is wrong in my procedure?
Should I import the Root CA Certificate on the FortiGate too?
"While the default self-signed certificates can be used for HTTPS connections, it is preferable to use the X.509 server certificate to avoid the redirection as it can be misinterpreted as possible session hijacking. However, the server certificate method is more complex than self-signed security certificates. Also the warning message is typically displayed for the initial connection, and future connections will not generate these messages.
X.509 certificates can be used to authenticate IPsec VPN peers or clients, or SSL VPN clients. When configured to authenticate a VPN peer or client, the FortiGate unit prompts the VPN peer or client to authenticate itself using the X.509 certificate. The certificate supplied by the VPN peer or client must be verifiable using the root CA certificate installed on the FortiGate unit in order for a VPN tunnel to be established."
That is what the online help of one of my FGTs says about this.
After signing your CSR, as what did you import it? Local Cert? CA? ...
Maybe you imported it as the wrong kind (struck me once too ;) ).
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I've imported the intermediate as a CA certificate (shown under "External CA Certificates" in the Web UI) and the domain certificate as a "Local Certificate" (shown under the "Certificates" section in the Web UI).
I've followed, I think (??), the steps given in the "Purchase and Import a Signed SSL Certificate" Fortinet document.
I have a case open and Fortinet asked me to use a 2048-bit key size and not 4096 bits. With a new certificate reissued by my CA, the problem is the same.
For the moment, I don't know if there is something wrong (this is the first time I'm using these features) in my operations or in the type of certificate I've bought.
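Before suspecting the appliance, the bundle itself can be checked offline. The script below is an added example (not from this thread or from Fortinet): it confirms that the domain certificate chains through the intermediate to the root CA, that the password-protected private key belongs to it, and reports the RSA key size that support asked about. File names and the passphrase argument are placeholders.

```sh
#!/bin/sh
# Added example (not from this thread or from Fortinet): offline sanity
# checks on a purchased certificate bundle before importing it into a
# FortiGate as a Local Certificate. Needs the openssl CLI; file names and
# the passphrase argument are placeholders.
#
# usage: check_bundle LEAF.crt INTERMEDIATE.crt ROOT.crt PRIVATE.key [PASSPHRASE]
# Returns 0 when every check passes, 1 otherwise.
check_bundle() {
  leaf=$1 inter=$2 root=$3 key=$4 rc=0
  KEY_PASS=${5-}; export KEY_PASS   # consumed by -passin env:KEY_PASS below

  # 1. The leaf must verify through the intermediate up to the root CA:
  #    the same chain the FortiGate has to build from the imported files.
  if openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1; then
    echo "chain:    OK (leaf -> intermediate -> root)"
  else
    echo "chain:    FAIL (wrong or missing intermediate/root)"; rc=1
  fi

  # 2. The certificate's public key must match the private key the CSR was
  #    generated from (compared as PEM SubjectPublicKeyInfo).
  cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null) || cert_pub=
  key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null) || key_pub=
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo "key pair: OK (certificate matches private key)"
  else
    echo "key pair: FAIL (key does not match, or wrong passphrase)"; rc=1
  fi

  # 3. Report the RSA modulus size so it can be compared with what the
  #    vendor supports (support asked for 2048 bits in the thread above).
  bits=$(openssl x509 -in "$leaf" -noout -text 2>/dev/null \
         | grep -o 'Public-Key: ([0-9]* bit)' | tr -dc '0-9')
  echo "key size: ${bits:-unknown} bit RSA"
  return $rc
}

# Run directly with the four (or five) arguments; does nothing when sourced.
if [ $# -ge 4 ]; then check_bundle "$@"; fi
```

A bundle that passes all three checks and is still not selectable points at the appliance side (import type, object name) rather than at the certificate.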
A clue: I've seen that the currently selected certificate, "Fortinet_Factory", is the only one with no password shown in the CLI command "show vpn certificate local". The other ones, with a password, are not proposed in the interface (Web UI or CLI).
It seems the FortiGate doesn't accept certificate names that are too long. Mine was 21 characters long. Or maybe it's a naming problem. Some of the names of the embedded certificates are long too, and cannot be selected.
My certificate with a shorter name can now be selected, for the web management console and the VPN settings.
Thanks to those who have spent time talking to me about this problem.