Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Created on ‎01-13-2011 03:22 PM

Configure the certificates x.509 on FortiGate

which steps i must do to change from a server " vpn ipsec preshared key" to " certificate x.509" ? I read the document in fortinet site, but i don' t understood. Thanks
3080
0 Kudos
2 REPLIES 2
emnoc
Esteemed Contributor III

Created on ‎01-14-2011 06:35 PM

It' s quite easy, but very confusing from the fortinet documents. I personally found, using the cli and using openssl to create both the private-key and a self-signed cert is much easier 1st using openssl create a private-key openssl genrsa -des3 -out priv.key 1024 2nd now generate a self-signed certificate signing request ( aka CSR ) using the above key openssl req -new -key priv.key -out server.csr 3rd signed that csr using your private-key openssl x509 -req -days 365 -in server.csr -signkey priv.key -out myserver.cert Once you have done this, you now have the private-key and cert. These will be copied upto the FGT i.e config vpn cert local edit " mylocal-vpn-cert" set private-key " insert the private-key text and then the cert text information make sure to end with a " end next create a user-peer for distinguishing the remote peer. i.e ( from CLI ) config user peer edit " pfsense-peer" set cn " eumenes.myremote-peer-fw-vpn.net" next end 4th, you will need to copy the remote-peer cert into your configuration using config vpn cert remote, but this time only copy the " certs" information Now create the vpn-phase1 instance and sepicify RSA authenication and authenicated by this peer-only and specify the name within the config user-peer entry for that peer. On the remote VPN, you will provide ONLY your cert and likewise they will provide you there cert and the private-keys stays private Here' s how my configuration looks for a site2site vpn to a pfSense firewall config vpn certificate remote edit " pfsense-chicago" set remote " -----BEGIN CERTIFICATE----- MIIClzCCAgACCQCnfxkTTrECzzANBgkqhkiG9w0BAQUFADCBjzELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAklMMREwDwYDVQQHEwhldmFuc3RvbjEOMAwGA1UEChMFY29z bW8xDzANBgNVBAsTBmhvYmJlczEeMBwGA1UEAxMVZXVtZW5lcy5oeXBlcmZlZWQu bmV0MR8wHQYJKoZIhvcNAQkBFhBrZmVsaXhAaW5hbWUuY29tMB4XDTEwMDkxMTIy MDYyM1oXDTEzMTIyNDIyMDYyM1owgY8xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJ TRxfkAWg2ndPSlRgVmd0JHBFJAdqUPMtcCAwEAATANBgkqhkiG 9w0BAQUFAAOBgQBmkc9AqWKBVL0Qkf8X7sBXCgEtuuaRnq0t3uKGC5PJ7RWN1R0i Atpf2ZU3fLqstH2IOlTYF7NhcIzqCGBZ/dYm5uMhvznKuwKGK44pXk5d8XEN96Dk uhMGZ+fl7ejnW8xttmZ4aVTOrv0GBcE9ZY8npqU1rpQ+8mW1aPJLL1Lx/w== -----END CERTIFICATE-----" next and now my local cert config vpn cert local show full edit " built-openssl" set password ENC 0sk0IFc8Y5y83vLej/5IimL0FBx50e3pGGe9lNMd3nXl2wuqOZ3KU1lFveYpy3QoUONp/f3aZJhqvTUzISvtAOYgwRMX6kY7q89JxRh8KI0oXfIG set comments " Built w/Openssl for site2site vpn fgt & pfsense 08092010" set private-key " -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,30B497D7C8179179 HWpkD7ibtLie5xzKhgy9bXPQ1pcMMWUxKAxq3K9heejZPBuyH4QPQs6OY3kLUXcp aTib6mGQaEEH3WBLZTKz3Ftb1xZGnTfo7H/HvYWI2a2SB5yp+4McHZR/ZC6qAv6E 6/Py1Ypz1wCTZfHEWQX7x6MT+wigI2TPukXS0z90cfhQzNcM5G/SOG2+aprAav8S IKUJxJSctpbJvbvsVbvu73JFZjKuro5bGm46CqJddXBWJ+WFe2zOpUxj5Gj8zi2D cCpTvNwUU0n2J2hPkdQRyAjnAl9a/bkucBE2zoTn4U7XOSjx+TO1bakUm5CIThZL l35WHhIKoWK8x3i49lQKf7kTr5JRjR8Ulb8DLaADuNlDXbRnlD1pmUF4GZIi3Qkl SlV0fybkTFRd886f/Qb4zQHRJcUp55p9khe0vtYSrQIPh2BzMYaE2NmtxKnw39gq Th9o4AzJKcWGN3M1TCB+GTybpwRZLdpmlZHPXIT5khubSOi9OR1q7pgZRbEA3Nf6 67Jq1AwS+UaZtWgpSIxgfrH5cdGdAjE62jnE3jq3b29hRcrvx2X9wsDlqa5lSFbU 8usp0KftCJNTVieszq3FEPc+jKKFHzNfkQIle33RBqQ17fC3CRV7I0sBLrsiolPs ChnQOMhw3oNRuyyoFTCWEyqvBAT9/1LX0De80mUnowraObeEJqnOr21rOuOamghb xZ9NQG9WAEfV0FcVZDVF3mHO2Myj6oSrNNrf5tmOz6O4NYBNXWKoQ8eersxg7cyo SdEfGURHGPAeo1pV6Hf0ql4CM4TB0YhzpLrTCqyZROTfowZPCQhlgQ== -----END RSA PRIVATE KEY-----" set certificate " -----BEGIN CERTIFICATE----- MIICizCCAfQCCQDs8xr+u3XOfzANBgkqhkiG9w0BAQUFADCBiTELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZNYXJpb24xEjAQBgNVBAoTCUh5cGVy ZmVlZDELMAkGA1UECxMCSVQxGjAYBgNVBAMTEXJ1c3R5LmJsb2dkbnMubmV0MR8w N52lBalgs+JTY6ovPNE/nIvmVBxXSNBsGwdffp5Fcv5yDth---------------------------- ------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------ htV6tLdObLlYOF37TTZcvHmZ6H4PxjC1t9U4eq1odx+ZdM6t88xjnbmwUwVKcv70 wASmamfzv1M1cZuscB0XKeHK8TUP7rmVbwoMAXKH1A== -----END CERTIFICATE-----" set scep-url ' ' next and the phase1 cfg edit " pfsense" set type ddns set interface " wan2" set dhgrp 2 set proposal 3des-sha1 set keylife 600 set authmethod rsa-signature set peertype peer set remotegw-ddns " eumenes.hy------.net" set rsa-certificate " built-openssl" set peer " pfsense-peer" set keepalive 300 next Good luck !

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Preview file
21 KB
2643
0 Kudos
Not applicable
In response to emnoc

Created on ‎01-15-2011 07:40 AM

Thank you very much emnoc!!!!
2643
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.