Support Forum
Not applicable

Configure the certificates x.509 on FortiGate

Which steps must I take to change a VPN IPsec server from "preshared key" to "x.509 certificate"? I read the document on the Fortinet site, but I didn't understand it. Thanks
2 REPLIES
emnoc
Esteemed Contributor III

It's quite easy, but very confusing from the Fortinet documents. I personally found that using the CLI and using openssl to create both the private key and a self-signed cert is much easier.

1st, using openssl, create a private key:

    openssl genrsa -des3 -out priv.key 1024

2nd, now generate a self-signed certificate signing request (aka CSR) using the above key:

    openssl req -new -key priv.key -out server.csr

3rd, sign that CSR using your private key:

    openssl x509 -req -days 365 -in server.csr -signkey priv.key -out myserver.cert

Once you have done this, you now have the private key and cert. These will be copied up to the FGT, i.e.:

    config vpn cert local
        edit "mylocal-vpn-cert"
            set private-key "<insert the private-key text, and then the cert text information; make sure to end with a closing quote>"
        next
    end

Next, create a user peer for distinguishing the remote peer, i.e. (from CLI):

    config user peer
        edit "pfsense-peer"
            set cn "eumenes.myremote-peer-fw-vpn.net"
        next
    end

4th, you will need to copy the remote peer's cert into your configuration using config vpn cert remote, but this time only copy the "certs" information. Now create the VPN phase1 instance and specify RSA authentication, authenticated by this peer only, and specify the name within the config user peer entry for that peer.
On the remote VPN, you will provide ONLY your cert, and likewise they will provide you their cert; the private keys stay private. Here's how my configuration looks for a site2site VPN to a pfSense firewall:

    config vpn certificate remote
        edit "pfsense-chicago"
            set remote "-----BEGIN CERTIFICATE----- [certificate text omitted] -----END CERTIFICATE-----"
        next
    end

and now my local cert:

    config vpn cert local
    show full
        edit "built-openssl"
            set password ENC [omitted]
            set comments "Built w/Openssl for site2site vpn fgt & pfsense 08092010"
            set private-key "-----BEGIN RSA PRIVATE KEY----- [PEM headers and encrypted key text omitted] -----END RSA PRIVATE KEY-----"
            set certificate "-----BEGIN CERTIFICATE----- [certificate text omitted] -----END CERTIFICATE-----"
            set scep-url ' '
        next
    end

and the phase1 cfg:

        edit "pfsense"
            set type ddns
            set interface "wan2"
            set dhgrp 2
            set proposal 3des-sha1
            set keylife 600
            set authmethod rsa-signature
            set peertype peer
            set remotegw-ddns "eumenes.hy------.net"
            set rsa-certificate "built-openssl"
            set peer "pfsense-peer"
            set keepalive 300
        next

Good luck!

PCNSE NSE StrongSwan
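As an added example (not emnoc's commands and not Fortinet's code): the same openssl flow run non-interactively, followed by the two checks worth doing before pasting the key and cert into config vpn certificate local and config user peer. It assumes placeholder host names, and generates the key without -des3 (unencrypted), so the FortiGate entry needs no "set password"; the reply's -des3 key would need one.

```shell
#!/bin/sh
# Added example, not emnoc's commands: the same openssl flow, non-interactive,
# plus the checks to run before pasting key and cert into FortiGate.
# Assumptions: host names are placeholders; the key is generated without -des3
# (unencrypted), so the FortiGate entry needs no "set password".
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Key -> CSR -> self-signed cert, as in the reply, with the subject given on the
# command line instead of at the prompts. Prints the path of the cert.
make_cert() {
  cn="$1"; key="$WORKDIR/$2.key"; csr="$WORKDIR/$2.csr"; crt="$WORKDIR/$2.crt"
  openssl genrsa -out "$key" 2048 2>/dev/null
  openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$csr" -signkey "$key" -out "$crt" 2>/dev/null
  echo "$crt"
}

# Subject CN of a cert: the value to put in "set cn" under config user peer.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Does the private key belong to the cert? Compare the public keys: a
# mismatched pair can never produce a phase1 RSA signature the peer accepts.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

# Mirror of the "peertype peer" check: a remote cert is accepted only if its
# CN equals the one configured on the user peer entry.
peer_accepts() {
  [ "$(cert_cn "$2")" = "$1" ]
}
```

Run cert_cn on the cert the remote side sends you to get the exact string for "set cn"; a typo there is the usual reason a certificate-authenticated phase1 never comes up.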
Not applicable

Thank you very much emnoc!!!!