It's quite easy, but very confusing from the Fortinet documents. I personally found that using the CLI and using openssl to create both the private key and a self-signed cert is much easier.
1st, using openssl, create a private key:
openssl genrsa -des3 -out priv.key 1024
2nd, now generate a self-signed certificate signing request (aka CSR) using the above key:
openssl req -new -key priv.key -out server.csr
3rd, sign that CSR using your private key:
openssl x509 -req -days 365 -in server.csr -signkey priv.key -out myserver.cert
Once you have done this, you now have the private key and cert. These will be copied up to the FGT,
i.e.
config vpn cert local
edit "mylocal-vpn-cert"
set private-key "
insert the private-key text and then the cert text information
make sure to end with a "
end
Next, create a user peer for distinguishing the remote peer,
i.e. (from CLI)
config user peer
edit "pfsense-peer"
set cn "eumenes.myremote-peer-fw-vpn.net"
next
end
4th, you will need to copy the remote peer's cert into your configuration using
config vpn cert remote, but this time only copy the "certs" information.
Now create the VPN phase1 instance and specify RSA authentication, authenticated by this peer only, and specify the name within the config user-peer entry for that peer.
On the remote VPN you will provide ONLY your cert, and likewise they will provide you their cert, and the private keys stay
private.
Here's how my configuration looks for a site-to-site VPN to a pfSense firewall.
config vpn certificate remote
edit "pfsense-chicago"
set remote "-----BEGIN CERTIFICATE-----
MIIClzCCAgACCQCnfxkTTrECzzANBgkqhkiG9w0BAQUFADCBjzELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAklMMREwDwYDVQQHEwhldmFuc3RvbjEOMAwGA1UEChMFY29z
bW8xDzANBgNVBAsTBmhvYmJlczEeMBwGA1UEAxMVZXVtZW5lcy5oeXBlcmZlZWQu
bmV0MR8wHQYJKoZIhvcNAQkBFhBrZmVsaXhAaW5hbWUuY29tMB4XDTEwMDkxMTIy
MDYyM1oXDTEzMTIyNDIyMDYyM1owgY8xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJ
TRxfkAWg2ndPSlRgVmd0JHBFJAdqUPMtcCAwEAATANBgkqhkiG
9w0BAQUFAAOBgQBmkc9AqWKBVL0Qkf8X7sBXCgEtuuaRnq0t3uKGC5PJ7RWN1R0i
Atpf2ZU3fLqstH2IOlTYF7NhcIzqCGBZ/dYm5uMhvznKuwKGK44pXk5d8XEN96Dk
uhMGZ+fl7ejnW8xttmZ4aVTOrv0GBcE9ZY8npqU1rpQ+8mW1aPJLL1Lx/w==
-----END CERTIFICATE-----"
next
and now my local cert
config vpn cert local
show full
edit "built-openssl"
set password ENC 0sk0IFc8Y5y83vLej/5IimL0FBx50e3pGGe9lNMd3nXl2wuqOZ3KU1lFveYpy3QoUONp/f3aZJhqvTUzISvtAOYgwRMX6kY7q89JxRh8KI0oXfIG
set comments "Built w/Openssl for site2site vpn fgt & pfsense 08092010"
set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,30B497D7C8179179
...
-----END RSA PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE-----
MIICizCCAfQCCQDs8xr+u3XOfzANBgkqhkiG9w0BAQUFADCBiTELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZNYXJpb24xEjAQBgNVBAoTCUh5cGVy
ZmVlZDELMAkGA1UECxMCSVQxGjAYBgNVBAMTEXJ1c3R5LmJsb2dkbnMubmV0MR8w
N52lBalgs+JTY6ovPNE/nIvmVBxXSNBsGwdffp5Fcv5yDth----------------------------
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
htV6tLdObLlYOF37TTZcvHmZ6H4PxjC1t9U4eq1odx+ZdM6t88xjnbmwUwVKcv70
wASmamfzv1M1cZuscB0XKeHK8TUP7rmVbwoMAXKH1A==
-----END CERTIFICATE-----"
set scep-url ''
next
and the phase1 config
edit "pfsense"
set type ddns
set interface "wan2"
set dhgrp 2
set proposal 3des-sha1
set keylife 600
set authmethod rsa-signature
set peertype peer
set remotegw-ddns "eumenes.hy------.net"
set rsa-certificate "built-openssl"
set peer "pfsense-peer"
set keepalive 300
next
Good luck!
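As an added example (not part of the post above and not Fortinet's or pfSense's own tooling), here are the three openssl steps wrapped in a script that runs without the interactive prompts, followed by two checks worth doing before pasting anything into the FortiGate: that the certificate's CN is exactly the value you will put in `set cn` under `config user peer`, and that the private key and certificate actually belong together (mismatched pairs are the usual reason an imported local cert is rejected or the tunnel never gets past phase1). The directory, file names, CN and passphrase are constructed for the example; only `openssl` in PATH is assumed.

```shell
#!/bin/sh
# Added example: non-interactive version of the key / CSR / self-sign steps,
# plus the two sanity checks a FortiGate peer setup depends on.
# Assumptions (constructed for this example): openssl in PATH, temp dir,
# the CN below matches the "set cn" line of the user-peer entry.
set -e

WORK="${WORK:-$(mktemp -d)}"
PEER_CN="eumenes.myremote-peer-fw-vpn.net"   # must equal "set cn" in config user peer
PASS="example-passphrase"                    # constructed; -des3 key needs one

make_cert() {
    # $1 = output directory, $2 = CN for the cert, $3 = passphrase for the key
    dir="$1"; cn="$2"; pass="$3"
    # 1st: encrypted RSA private key (2048 bits here; the post used 1024)
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/priv.key" 2048 2>/dev/null
    # 2nd: CSR from that key; -subj replaces the interactive questions
    openssl req -new -key "$dir/priv.key" -passin "pass:$pass" \
        -subj "/C=US/ST=IL/O=cosmo/CN=$cn" -out "$dir/server.csr" 2>/dev/null
    # 3rd: self-sign the CSR with the same key
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/priv.key" \
        -passin "pass:$pass" -out "$dir/myserver.cert" 2>/dev/null
}

cert_cn() {
    # Print the CN of a PEM certificate (RFC2253 form keeps one attr per comma)
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

peer_cn_ok() {
    # $1 = remote peer's cert, $2 = expected CN from "config user peer"
    # FortiGate matches the peer on this string, so it has to be exact.
    [ "$(cert_cn "$1")" = "$2" ]
}

key_matches_cert() {
    # $1 = cert, $2 = encrypted key, $3 = passphrase
    # Same RSA modulus in both means the cert was issued for this key.
    cmod=$(openssl x509 -in "$1" -noout -modulus)
    kmod=$(openssl rsa -in "$2" -passin "pass:$3" -noout -modulus 2>/dev/null)
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# Stand-alone run: build the pair and report the two checks.
make_cert "$WORK" "$PEER_CN" "$PASS"
if peer_cn_ok "$WORK/myserver.cert" "$PEER_CN"; then
    echo "CN matches the user-peer entry: $PEER_CN"
fi
if key_matches_cert "$WORK/myserver.cert" "$WORK/priv.key" "$PASS"; then
    echo "priv.key and myserver.cert belong together; safe to paste into config vpn cert local"
fi
```

Run it as-is to get a throwaway pair under a temp directory, or point `WORK` at a real directory. `peer_cn_ok` is the check to run against the cert the remote side sends you before you type its CN into `config user peer`; `key_matches_cert` is the one to run on your own pair before pasting both into `set private-key` and `set certificate`.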