Hello,
I just wondering how I can export certificate as PEM or PFX/P12.
I need it because without the private key i can not use certificate based authentication on my iPhone.
Importing only the certificate with root certificates does not allow me to use the certificate for the vpn on my iPhone.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Export it from what format?
The unix/windows openssl is what i would use, it has numerous examples for exporting windows pfx format to CERT and KEY format
e.g
openssl pkcs12 -in webserver.pfx -out webservercertkey.pem
openssl pkcs12 -in webserver.pfx -out webservercer.pem -nokeys
openssl rsa -in webserverkey.pem -aes128 -out justmykey.key
openssl rsa -in webserverkey.pem -out justmykeynopass.key
Than if you want to bundle the two cat webservercer.pem justmykeynopass.key >>bundle.pem
PCNSE
NSE
StrongSwan
OK I found my certificate and private key under::
config vpn certificate local
Now when I try to combine them with openssl I'm getting question about phrase
OpenSSL> pkcs12 -inkey vpn.key -in vpn.cer -export -out vpn_pfx.pfx Loading 'screen' into random state - done Enter pass phrase for vpn.key:
I did not givup any phrase when I was importing certificate into the fortigate
Also no phraase was created while creating csr
When I try to unset password I get en error
#### (vpn) # unset password Certificate 'vpn' is not allowed to unset. Command fail. Return code -14
Any idea?
Q: if this certificate is fortigate why do you need to export to pkc12 format?
But back to your question, all pkcs12 format needs a "passphrase", It can be 1 2 3 or more characters
e.g
SOCKET01>openssl pkcs12 -inkey fgt.key -in fgt.crt -export -out fgt.p12
Enter Export Password:
Verifying - Enter Export Password:
SOCKET01>openssl pkcs12 -inkey fgt.key -in fgt.crt -export -out fgt.p12
Enter Export Password:
Verifying - Enter Export Password:
SOCKET01>ls -ltr
total 24
-rw-r--r-- 1 kfelix staff 1679 Dec 21 20:14 fgt.key
-rw-r--r--@ 1 kfelix staff 1920 Dec 21 20:15 fgt.crt
-rw-r--r-- 1 kfelix staff 2981 Dec 21 20:16 fgt.p12
SOCKET01>openssl pkcs12 -in fgt.p12
Enter Import Password:
MAC verified OK
You will be challenge for the passphrase if you ever want to read it back or import it let's say into a window host. pfx and pkcs12 are the same outside of the extension but both requires a passphrase. pox is the default for windows and pkcs12 is the proper name started back from ns-enterprise-server
In your case the vpn.key proper has a passphrase. Cat or More th vp.key file. Does it have lines that saves the encryption type and enc?
if yes, than it's encrypted and has a passphrase. YOU WILL NEED TO KNOW IT
e.g
SOCKET01>cat fgtenc.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,23EDBEB6B5FFB73896EFB83CD180EA29
SaU+ALSrwSvrW5zvFPO9HF42QZioWrNkdmruCgknCfQsiaS+Kma78M9smhm/DYBc
v3s21cRfhaZNko+OkAPFfiYrAKJ+3nQeYNaRHY1HDVGK6rYQgaxKoR+Fw2Uj9BeS
UkX1OU6djcujVsQmLvoAG1p37gloStQPDvjPYQCcjQB02HoR2xfaEDuwCjtDH4Wf
l2UadY+sw0WDZfrYU/DZUbnEWWUXEg6O0sXmKwcipsc1wLImBjX3x00rG5ehGznj
IzEfcAMSgKAM/6CMDRHjeOBxs1cnHHwY89VVpIiD6DDPWYSFzjS+1MgVh4HmIMni
PoYqWeacCaCHqw0w9t03zCQy49mvBN14YNcZkQZ9H25RFmtlfkNusvgLnzL+ssky
kLuv71yORgnt3Oe7Sv7jwsCIIJ88uv2SbtQoAv/DiLeY2Eiq84ak8Gwkt394ISOw
Xl8HRuKNGAtUxYn/ZeNhsT5KrbnXzLRxP/ou61V5HR3O2ZnOXcFUxz8tE/rPardE
truQmw06GjY5hiD6JqsZfRQS7YVoLI5B+Hbpogrk+7HHkhSySr3D84QEZ6xYLQmm
+j+BBJKe2SbayiNP1OU3Il8+CeTTBv6bYLxsHLoh8AI6R1txeOg0DtdfgcSohhey
46epgOfuI4z91EjHbK34vfwyvOEzNp8Ie8UsNdLTjOxUKRgR1/ufoTKZFgGyx+wm
iHwF6YrZPpBD3J3p/FIasAw3JO9UmbvA7iYtFZJTsdMvYFiXliSusD5gKCGo3h+j
ngQkGMjcS3PvlXlXWTmhkX1RBO3xng/9lzcRtKRrPAXcZ3RTZBcvOCTnBYpjBp7R
t6KzWxnGibPggSkdJ7N9QrWqRYdn9ulb35tCueZFgIwJoMSNRdWtStVnMSqKwCxm
+GBW78sCbZlMJ6XhJTe96fyaSQPHCgUALLPk2frMdWmjYwyYYm+Zi8yooJse/ZS3
JOobdLVER2KxochGg2q5HR5T8bLYVZHE1mGcPwk+vwXQ2dvSCnu3IpqxdIHNgtSr
/ccSo85GOJD0mNc9cq/AHm+EwzyVxB7jkKQCs9x89buy4kYyLjQ+SaQlYkBLbQ1s
xotdI+xR4+0TfDMk3CKkq9ZbCzbqBEju9EezSIY2Gk/F8RCjyR6bUp9JEDQSAtWC
vN1sk8j4m3X/OLs5Y5tdRByt7weVzVPvgzODttIeOBqENA9r8r9AROWaKu8oclXM
rYlWM9QaWHDh67c9/OqzjI9acoM+E5yiWuVarAXdZMY37B/KtQawZS4eLm5IZxF+
bsJVf3HCrl28nw3so1FS5f12Vtjlg23pBb68og8NNjMWqsozZo5iFVDZwTffrfA9
2BBdWt3GnI7KfV4L7tjWovgkEmV/yXnoA+0U0hQ2oteHdAkY3lVuKqWm6r99fmBW
PAfnqOApWTgQHIbrUIB+WXpnGG7osvNcy73zd/0vWemi2H8Ff62iBcA48CPST5Iw
6pA65RDh/xoyK8p0o8WCUTRC/xRbMgsGkhHPxuWuPqBu4qV8SKRTogJ7n1FnkDC/
DmLB890LU+HNMGjyv4ipwi/7hr3khNHoO3LJxopLdm2vlkLlxBB2lFpHZYbmnKw3
-----END RSA PRIVATE KEY-----
SOCKET01>
The above tells me the privy-key is 1> encrypted 2> using AES128 cipherblockchain
Ken
PCNSE
NSE
StrongSwan
I boght the certificate is to create certificate based ipsec. To do so I created CSR on my Fortigate send it to the CA and they sing it. Then I imported the certificate to my Fortigate. So far so good.
In Windows I can import the certificate in to my personal chain and use it for my vpn. My iPhone is different story.. To be able to use the certificate on my iPhone and create IPsec I need PFX file to install the certificate on my iPhone. When only import the certificate in my iPhone I'm not able too choose is while creating VPN.
At this moment the key file is encrypted an has an passphrase that I don't know. The passpharse is made by the Fortigate because I didn't set it..
Ok the problems seems to be on 5.4 OS. On this release it's not possible to unset password via cli
Whenyou do that you will get above mentioned error..
I did the same on OS 5.2.10 and there I can unset and set a new passwor for teh priveate key..
FortiOS 5.4 does not allow you to export the Key by clearing the encryption passphrase ("unset password" bails).
It is still possible to export certificate and Key in a form to be imported into another FortiGate box, simply by copy&paste the output of "show full-configuration" that includes key, cert and the encrypted passphrase.
I have not found a way to export the Key in a standard format (PKCS#8 or PKCS#12), but i have not invested any time to figure out the secret Fortigate uses to encrypt the password that encrypts the key...
It must be a standard static shared key since you can simply copy&paste the entire block into another fortigate.
agreed and openssl makes all of this so easy. It's also support on every linux/unix and windows.
It's the swiss army knife for certificates imho
PCNSE
NSE
StrongSwan
Created on 11-18-2021 06:34 AM Edited on 11-18-2021 06:42 AM
This is a old discussion, but I tried to move a certificate from one Fortinet device to another and it won't work.
@JPMfgmentioned:
"It is still possible to export certificate and Key in a form to be imported into another FortiGate box, simply by copy&paste the output of "show full-configuration" that includes key, cert and the encrypted passphrase."
I tried it and got error "Failed to decode passwd.", which is actually expected. Think about it, if you can copy a encrypted passphase from one device to another, that means the two device will use same master key to encrypt/decrypt the passphase, that will be really bad.
So I believe there is no way to export a local certificate's private key to another device now (unless you have the passphase). From security point, this is not a bad thing, Fortinet just need to make sure users are aware of this.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.