Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lbusby
New Contributor

Replacing Default Certificate

Hi All. I apologize if this has been asked. I tried the KB but did not see this exact thread.

So I would like to replace the default certificate on the Fortigate since it is considered best practice.

Right now, we do not use the SSL VPN; the FortiGate is only used for administration and only on the LAN. So I cannot get a cert from a public CA because the Fortinet is not resolving externally. How have others gone about replacing the cert? Use an AD cert? Thanks.

1 Solution
lobstercreed
Valued Contributor

We use a public wildcard certificate.  *.<mydomain>.com As long as the management interface is given an internally resolvable DNS name that matches that prefix, any cert warnings go away.  We do this for many of our internal systems.

Certainly an AD-based CA would work as well, but our sysadmin doesn't know how to make it work for non-AD cert requests so this is easier even if slightly more expensive.


4 REPLIES
lbusby

I was able to get this to work using an AD Certificate. I used the premise of this article here, but of course, it is a little different for the Fortigate.

Steps in General:

1.)    On Fortigate, go to System, Certificates. Check that there is a valid CA Cert for the CA Authority listed under Remote CA Certificates. If not, you need to export the CA from the AD CA, and then import it. To export, right click on the CA, and select Properties, then View certificate. Select View Certificate, Details, and then save to file. Go to the Fortigate and select Import, CA Certificate. You should then see it under Remote CA Certificates.

2.)    Generate a CSR for the Fortigate – hit Generate, and complete the fields using IP as the subject identifier. Under Subject Alternative Name enter IP:x.x.x.x – complete the rest of the fields. You should now see an entry for that IP under Local Certificates. Click the option to download. For a private key, make sure you enter a long passphrase and save it somewhere secure.

3.)    On the server hosting the Certificate Authority, make sure that web enrollment is installed and running. Go to a server other than the one hosting the CA Authority and go to - enter credentials if prompted. (If you have issues here, you may want to check the settings under IIS for CertSrv Authentication. I had to temporarily enable NTLM and disable Advanced Settings, Extended Protection.)

5.)    Click Request a Certificate, and then Submit an Advanced Certificate Request. Select “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.” Open the CSR file you downloaded from the Fortigate with Notepad and copy and paste into the request field. For a template, select Web Server. Hit submit, then download in Base64.

6.)    On Fortigate, go to System, Certificates. Select Import, Local Certificate, Upload. You should now see the certificate completed under Local Certificate.

7.)    Navigate to Settings, and under Administration Settings, change HTTPS Server Certificate to the certificate you just uploaded. Close the browser and open it back up. If all works, you should no longer get a certificate warning.

NOTE: During this process I found my CA was still issuing SHA1 certificates. In order to get any browser to see my AD certificate as valid, I had to upgrade my CA to use SHA256. So if you go through these steps and it still says invalid cert, you may want to just check your hash algorithm.
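The procedure above can be rehearsed end to end with openssl before touching the FortiGate or the production CA. The script below is an added example and is not part of lbusby's post or of any Fortinet or Microsoft tooling: it stands up a throwaway lab CA in a temp directory (standing in for the AD CS issuing CA), produces a CSR whose subject and SAN are the management IP (step 2), signs it with serverAuth the way the Web Server template would (step 5), and then runs the three checks worth doing on the issued cert before importing it (step 6): that it chains to the CA certificate you will import, that the SAN actually carries the IP you will browse to, and that the CA signed with SHA-256 rather than SHA-1 (the failure in the NOTE). The management IP 192.0.2.10, the CA name and all file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the forum post): rehearse the CSR -> CA -> import
# workflow against a lab CA and check the issued certificate before importing it.
# The lab CA, the management IP 192.0.2.10 and all file names are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MGMT_IP=192.0.2.10

# Stand-in for the AD CS issuing CA. In production you export this certificate
# from the CA (Properties > View Certificate > Details > Copy to File) and import
# it on the FortiGate under Remote CA Certificates.
make_lab_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab Issuing CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2 of the post: a PKCS#10 CSR with the management IP as subject and as
# an IP Subject Alternative Name (browsers ignore the CN, so the SAN matters).
make_csr() {
  cat > "$WORK/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $MGMT_IP
[v3_req]
subjectAltName = IP:$MGMT_IP
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/csr.cnf" \
    -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" 2>/dev/null
}

# Step 5 of the post: the CA signs the CSR. The extfile mirrors what the
# Web Server template adds (serverAuth EKU) and re-states the SAN because
# "x509 -req" does not copy CSR extensions by default.
# $1 is the signature hash: sha256 for the good case, sha1 reproduces the NOTE.
sign_csr() {
  cat > "$WORK/sign.cnf" <<EOF
subjectAltName = IP:$MGMT_IP
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
  openssl x509 -req "-$1" -days 365 -in "$WORK/fgt.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/sign.cnf" -out "$WORK/fgt-$1.crt" 2>/dev/null
}

# Pre-import checks on an issued certificate ($1). Each returns 0 on pass.
check_chain() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }
check_san()   { openssl x509 -in "$1" -noout -text | grep -q "IP Address:$MGMT_IP"; }
check_hash()  { openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | grep -qi sha256; }

# Run all three checks on $1 and print a line per check; returns 0 only if all pass.
report() {
  rc=0
  check_chain "$1" && echo "chains to imported CA:  ok" || { echo "chains to imported CA:  FAIL"; rc=1; }
  check_san "$1"   && echo "SAN contains $MGMT_IP: ok" || { echo "SAN contains $MGMT_IP: FAIL"; rc=1; }
  check_hash "$1"  && echo "SHA-256 signature:      ok" || { echo "SHA-256 signature:      FAIL (SHA-1 CA, see the NOTE)"; rc=1; }
  return $rc
}

make_lab_ca
make_csr
sign_csr sha256
echo "== certificate signed with SHA-256"
report "$WORK/fgt-sha256.crt"
# Reproduce the NOTE: a SHA-1 issuing CA fails the last check. Platforms that
# forbid SHA-1 signing outright (strict crypto policies) simply skip this part.
if sign_csr sha1; then
  echo "== certificate signed with SHA-1"
  report "$WORK/fgt-sha1.crt" || true
fi
```

To use the same checks against a real issued certificate, replace `$WORK/ca.crt` with the CA certificate exported from AD CS and pass the Base64 file downloaded from certsrv to `report`; a certificate that fails `check_hash` is the SHA-1 case from the NOTE and will be rejected by browsers no matter how cleanly it imports on the FortiGate.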

bhuo
New Contributor II

Hey lbusby,

A self-signed cert should be fine as long as you install the private CA into the FortiGate remote CA store first.

However you will need to ensure all your end users have this CA installed on their PC, so the chain of trust can be performed accordingly.

Thanks,

BH