FG 400F - FortiOS 7.2.8
I'm trying to export the root certificate with its password and private key. I tried exporting using TFTP; however, I can't export the built-in certificate off the FortiGate: "built-in certificate 'fortinet_ca_ssl' is not allowed to export".
KBs that I've run through:
- Export a certificate | FortiGate / FortiOS 7.2.8 | Fortinet Document Library
- Procedure for exporting and re-importing ... - Fortinet Community
- Exporting or importing a local server cer... - Fortinet Community
- How can I export the cert in p12/pem format so I can extract the private key and password?
- How can I decrypt the private key and password?
Appreciate your feedback. TIA :)
Good day!
Could you explain why exactly you are exporting 'fortinet_ca_ssl' from the firewall? I don't think we can export the built-in CA certificate with its keys.
Hi @mriswan. The reason is that I would like to integrate it with our RADIUS ClearPass Policy Manager server for authentication purposes. It requires the private key and password to import. We don't have the password stored, and the FortiGate shows the private key and password, but they're encrypted.
Hello martyyy
You can't obtain the private key from a certificate not signed by an external CA. That's the idea indeed; it's private.
What is the requirement you're trying to fulfil?
regards
/ Abel
Hi @abelio. The reason is that I would like to integrate it with our RADIUS ClearPass Policy Manager server for authentication purposes. It requires the private key and password to import. We don't have the password stored, and the FortiGate shows the private key and password, but they're encrypted.
Created on 08-28-2024 03:29 PM Edited on 08-28-2024 03:30 PM
If it's for client auth for SSL-VPN or Wi-Fi access authenticated by your RADIUS server with device certificates over something like 802.1X EAP-TLS, you can't use any of the FGT's certificates. Generally it has to be generated on the RADIUS/server side, or more likely generated by a PKI management system integrated with the RADIUS, with trust set at the RADIUS as well as the device certificates being delivered/pushed/installed to each individual client device. The FGT would just relay the cert the clients provide to the RADIUS server.
Toshi