Michel_Schuurman
New Contributor

Convert .cer certificate

Can someone help me out on this?

 

Got a mail from our certificate supplier about SHA1 certificates being phased out. 

 

They supplied us with a new certificate which replaces the old one. 

However this certificate is only available in .cer-format and is being sent together with just the CA certificate and the intermediate certificate.

 

When I try to import the certificate into the Fortimail unit, the response says: "Certificate upload: importing the CSR response failed". I get that because no CSR was created.

 

Question: How can I replace an existing certificate in the FortiMail with the new one which is in .cer-format only?

6 Replies
Bromont_FTNT
Staff

 

Did they send you a replacement cert based on the original CSR from the Fortimail? If a CSR was generated on the Fortimail and a corresponding certificate was already imported then the Fortimail won't be expecting a new one.

 

What you can do is grab the private key from the CLI and save it as a file...

# config system certificate local
# edit <your cert name>
# unset password
# show

 

Now copy everything between and including -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- and save it as a .key file.

Now import your new certificate and the private key into the Fortimail as type "certificate".

 

Set a new private key password.
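
The checks below are an added example, not part of the original post or Fortinet's own tooling: run on a workstation with OpenSSL before the import described above, they convert the supplier's .cer to PEM, confirm it belongs to the exported private key, and confirm it is SHA-2 signed. The function names and file names are assumptions, and the key file is assumed to be the unencrypted PEM block copied from the CLI.

```shell
#!/bin/sh
# Added example: checks to run on a workstation before importing the re-issued
# certificate. File paths are arguments supplied by the caller.

# Write a PEM copy of a .cer file, whether it arrived DER- or PEM-encoded.
cer_to_pem() {
    src=$1 dst=$2
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$src"; then
        openssl x509 -in "$src" -out "$dst"
    else
        openssl x509 -inform DER -in "$src" -out "$dst"
    fi
}

# Return 0 only if the certificate carries the public key of the private key.
# Return 2 if either file cannot be parsed, so a parse error never looks like a match.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 if the signature uses a SHA-2 digest (RSA PKCS#1 v1.5 or ECDSA names only).
is_sha2_signed() {
    case $(sig_alg "$1") in
        sha256With*|sha384With*|sha512With*) return 0 ;;
        ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (placeholder file names):
#   umask 077                      # keep the exported .key private
#   cer_to_pem new.cer new.pem
#   cert_matches_key new.pem fortimail.key && is_sha2_signed new.pem
```

If `cert_matches_key` fails, the certificate was issued against a different CSR than the one whose key was exported, and the pair should not be imported.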

 

Michel_Schuurman

Thanks for your response.

 

Yes they did, they re-issued the certificate based on the 'old' CSR.

 

Will 'unsetting' the password in any way compromise the functioning of the current certificate?

 

I.e.: Can I do this without issues during these actions?

Bromont_FTNT

Unsetting the password won't affect the current certificate operation.  Forgot to mention that the new certificate will need to be activated by going to System ---> Certificate, select the new certificate and then "Set Status", this would restart the web server daemon for the new cert to take effect.

Michel_Schuurman

Thanks, a whole lot, for your help, worked like a charm!!!

emnoc
Esteemed Contributor III

OP,

Curious:

"Did they say why SHA1 was being phased out, and how long did they enable your cert for?"

and

"Was the original key a 1K bit size, and what size are you using now? (2K bits, I would hope.)"

But what the other gentleman said is 100% correct; that's why you should always securely store the priv-key.

 

 

PCNSE NSE StrongSwan
Michel_Schuurman

Since the cert use is valid up to 2018 we were advised to replace it for a SHA2 version. 

Keysize is 2K indeed.
