Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Deftone
New Contributor

Export certificate PFX/P12

Hello,

I am just wondering how I can export a certificate as PEM or PFX/P12.

I need it because without the private key I cannot use certificate-based authentication on my iPhone.

Importing only the certificate together with the root certificates does not allow me to use the certificate for the VPN on my iPhone.

emnoc
Esteemed Contributor III

Export it from what format?

The Unix/Windows openssl is what I would use; it has numerous examples for exporting the Windows PFX format to CERT and KEY format.

e.g.

# certificate(s) and key together, both as PEM (prompts for the PFX import password)
openssl pkcs12 -in webserver.pfx -out webservercertkey.pem
# certificate(s) only
openssl pkcs12 -in webserver.pfx -out webservercer.pem -nokeys
# private key only (written PEM-encrypted under a passphrase you choose)
openssl pkcs12 -in webserver.pfx -out webserverkey.pem -nocerts

# re-encrypt the key with AES-128, or strip the passphrase entirely
openssl rsa -in webserverkey.pem -aes128 -out justmykey.key
openssl rsa -in webserverkey.pem -out justmykeynopass.key

Then if you want to bundle the two: cat webservercer.pem justmykeynopass.key > bundle.pem

 

 

PCNSE NSE StrongSwan
Deftone
New Contributor

From the installed certificate on my FortiGate. I created a CSR on the FortiGate to buy a certificate. Now that the certificate is installed I want to export it to PEM or PFX/P12.
Deftone

OK, I found my certificate and private key under:

config vpn certificate local

Now when I try to combine them with openssl I'm getting a question about a passphrase:

OpenSSL> pkcs12 -inkey vpn.key -in vpn.cer -export -out vpn_pfx.pfx
Loading 'screen' into random state - done
Enter pass phrase for vpn.key:

I did not give any passphrase when I was importing the certificate into the FortiGate.

Also no passphrase was created while creating the CSR.

When I try to unset the password I get an error:

#### (vpn) # unset password
Certificate 'vpn' is not allowed to unset.
Command fail. Return code -14

Any idea?

 

emnoc
Esteemed Contributor III

Q: if this certificate is on the FortiGate, why do you need to export it to PKCS#12 format?

But back to your question: all PKCS#12 files need a "passphrase". It can be 1, 2, 3 or more characters.

 

e.g.

SOCKET01>openssl pkcs12 -inkey fgt.key -in fgt.crt -export -out fgt.p12
Enter Export Password:
Verifying - Enter Export Password:
SOCKET01>openssl pkcs12 -inkey fgt.key -in fgt.crt -export -out fgt.p12
Enter Export Password:
Verifying - Enter Export Password:
SOCKET01>ls -ltr
total 24
-rw-r--r--  1 kfelix  staff  1679 Dec 21 20:14 fgt.key
-rw-r--r--@ 1 kfelix  staff  1920 Dec 21 20:15 fgt.crt
-rw-r--r--  1 kfelix  staff  2981 Dec 21 20:16 fgt.p12
SOCKET01>openssl pkcs12 -in fgt.p12
Enter Import Password:
MAC verified OK

 

 

You will be challenged for the passphrase if you ever want to read it back or import it, let's say into a Windows host. PFX and PKCS#12 are the same apart from the extension, but both require a passphrase. PFX is the default for Windows and PKCS#12 is the proper name, going back to ns-enterprise-server.

In your case the vpn.key probably has a passphrase. Cat or more the vpn.key file. Does it have lines that state the encryption type and ENCRYPTED?

If yes, then it's encrypted and has a passphrase. YOU WILL NEED TO KNOW IT.

 

 

e.g.

SOCKET01>cat fgtenc.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,23EDBEB6B5FFB73896EFB83CD180EA29

SaU+ALSrwSvrW5zvFPO9HF42QZioWrNkdmruCgknCfQsiaS+Kma78M9smhm/DYBc
v3s21cRfhaZNko+OkAPFfiYrAKJ+3nQeYNaRHY1HDVGK6rYQgaxKoR+Fw2Uj9BeS
UkX1OU6djcujVsQmLvoAG1p37gloStQPDvjPYQCcjQB02HoR2xfaEDuwCjtDH4Wf
l2UadY+sw0WDZfrYU/DZUbnEWWUXEg6O0sXmKwcipsc1wLImBjX3x00rG5ehGznj
IzEfcAMSgKAM/6CMDRHjeOBxs1cnHHwY89VVpIiD6DDPWYSFzjS+1MgVh4HmIMni
PoYqWeacCaCHqw0w9t03zCQy49mvBN14YNcZkQZ9H25RFmtlfkNusvgLnzL+ssky
kLuv71yORgnt3Oe7Sv7jwsCIIJ88uv2SbtQoAv/DiLeY2Eiq84ak8Gwkt394ISOw
Xl8HRuKNGAtUxYn/ZeNhsT5KrbnXzLRxP/ou61V5HR3O2ZnOXcFUxz8tE/rPardE
truQmw06GjY5hiD6JqsZfRQS7YVoLI5B+Hbpogrk+7HHkhSySr3D84QEZ6xYLQmm
+j+BBJKe2SbayiNP1OU3Il8+CeTTBv6bYLxsHLoh8AI6R1txeOg0DtdfgcSohhey
46epgOfuI4z91EjHbK34vfwyvOEzNp8Ie8UsNdLTjOxUKRgR1/ufoTKZFgGyx+wm
iHwF6YrZPpBD3J3p/FIasAw3JO9UmbvA7iYtFZJTsdMvYFiXliSusD5gKCGo3h+j
ngQkGMjcS3PvlXlXWTmhkX1RBO3xng/9lzcRtKRrPAXcZ3RTZBcvOCTnBYpjBp7R
t6KzWxnGibPggSkdJ7N9QrWqRYdn9ulb35tCueZFgIwJoMSNRdWtStVnMSqKwCxm
+GBW78sCbZlMJ6XhJTe96fyaSQPHCgUALLPk2frMdWmjYwyYYm+Zi8yooJse/ZS3
JOobdLVER2KxochGg2q5HR5T8bLYVZHE1mGcPwk+vwXQ2dvSCnu3IpqxdIHNgtSr
/ccSo85GOJD0mNc9cq/AHm+EwzyVxB7jkKQCs9x89buy4kYyLjQ+SaQlYkBLbQ1s
xotdI+xR4+0TfDMk3CKkq9ZbCzbqBEju9EezSIY2Gk/F8RCjyR6bUp9JEDQSAtWC
vN1sk8j4m3X/OLs5Y5tdRByt7weVzVPvgzODttIeOBqENA9r8r9AROWaKu8oclXM
rYlWM9QaWHDh67c9/OqzjI9acoM+E5yiWuVarAXdZMY37B/KtQawZS4eLm5IZxF+
bsJVf3HCrl28nw3so1FS5f12Vtjlg23pBb68og8NNjMWqsozZo5iFVDZwTffrfA9
2BBdWt3GnI7KfV4L7tjWovgkEmV/yXnoA+0U0hQ2oteHdAkY3lVuKqWm6r99fmBW
PAfnqOApWTgQHIbrUIB+WXpnGG7osvNcy73zd/0vWemi2H8Ff62iBcA48CPST5Iw
6pA65RDh/xoyK8p0o8WCUTRC/xRbMgsGkhHPxuWuPqBu4qV8SKRTogJ7n1FnkDC/
DmLB890LU+HNMGjyv4ipwi/7hr3khNHoO3LJxopLdm2vlkLlxBB2lFpHZYbmnKw3
-----END RSA PRIVATE KEY-----
SOCKET01>

The above tells me the private key is 1> encrypted 2> using AES-128 in CBC (cipher block chaining) mode.

 

Ken

 

 

 

 

PCNSE NSE StrongSwan
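The check emnoc describes above (look at the key file for Proc-Type / DEK-Info headers before you try to build a PKCS#12) as a small script. This is an added example, not code from the thread or from Fortinet. It uses only the Python standard library so it works on a box without openssl, and it also recognises the PKCS#8 "ENCRYPTED PRIVATE KEY" form and sanity-checks the IV and ciphertext length against the named cipher. The sample PEM blocks it builds are constructed placeholders (a repeating byte pattern and a made-up IV), not real keys. A key reported as encrypted is one that `openssl pkcs12 -export` will stop and ask "Enter pass phrase" for, which is what Deftone ran into.

```python
"""Report whether a PEM private key is passphrase-protected (stdlib only).

Added example; the sample blocks below are constructed placeholders,
not real keys, and the IV is made up."""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Block sizes (bytes) for the ciphers OpenSSL writes into a DEK-Info header.
BLOCK_SIZE = {"AES-128-CBC": 16, "AES-192-CBC": 16, "AES-256-CBC": 16,
              "DES-EDE3-CBC": 8, "DES-CBC": 8}

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


@dataclass
class PemInfo:
    label: str                      # e.g. "RSA PRIVATE KEY"
    encrypted: bool = False         # True -> openssl will prompt "Enter pass phrase"
    cipher: Optional[str] = None    # legacy PEM only; PKCS#8 keeps it inside the DER
    iv_hex: Optional[str] = None
    body_len: int = 0               # decoded DER/ciphertext length in bytes
    problems: List[str] = field(default_factory=list)


def inspect_pem(text: str) -> PemInfo:
    """Parse one PEM block: label, RFC 1421 headers, base64 body."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    m_begin, m_end = _BEGIN.match(lines[0]), _END.match(lines[-1])
    if not m_begin or not m_end or m_begin.group(1) != m_end.group(1):
        raise ValueError("not a well-formed PEM block")
    info = PemInfo(label=m_begin.group(1))

    # Headers ("Proc-Type: 4,ENCRYPTED", "DEK-Info: ...") precede a blank line;
    # base64 never contains ':' so the loop stops at the body.
    headers: Dict[str, str] = {}
    i = 1
    while i < len(lines) - 1 and ":" in lines[i]:
        key, _, value = lines[i].partition(":")
        headers[key.strip()] = value.strip()
        i += 1
    if headers:
        if lines[i] == "":
            i += 1
        else:
            info.problems.append("missing blank line after PEM headers")

    try:
        body = base64.b64decode("".join(lines[i:-1]), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        info.problems.append("body is not valid base64")
        body = b""
    info.body_len = len(body)

    if info.label == "ENCRYPTED PRIVATE KEY":        # PKCS#8 / PBES2
        info.encrypted = True
    elif headers.get("Proc-Type") == "4,ENCRYPTED":  # legacy OpenSSL PEM
        info.encrypted = True
        cipher, _, iv = headers.get("DEK-Info", "").partition(",")
        info.cipher, info.iv_hex = cipher or None, iv or None
        bs = BLOCK_SIZE.get(cipher)
        if bs is None:
            info.problems.append(f"unknown DEK-Info cipher {cipher!r}")
        else:
            if len(iv) != 2 * bs:
                info.problems.append(f"IV must be {2 * bs} hex chars for {cipher}")
            if body and len(body) % bs:
                info.problems.append("ciphertext length is not a multiple of the block size")
    return info


def describe(info: PemInfo) -> str:
    state = f"encrypted ({info.cipher or 'PKCS#8'})" if info.encrypted else "NOT encrypted"
    tail = f"; problems: {'; '.join(info.problems)}" if info.problems else ""
    return f"{info.label}: {state}, {info.body_len} bytes{tail}"


# --- constructed samples (placeholder bytes, not a real key) -----------------
_CT = bytes(range(256)) * 4 + bytes(176)              # 1200 bytes, 16-byte aligned
_B64 = "\n".join(re.findall(".{1,64}", base64.b64encode(_CT).decode()))
SAMPLE_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    f"{_B64}\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAIN = f"-----BEGIN RSA PRIVATE KEY-----\n{_B64}\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PKCS8_ENC = (f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{_B64}\n"
                    "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for sample in (SAMPLE_ENCRYPTED, SAMPLE_PLAIN, SAMPLE_PKCS8_ENC):
        print(describe(inspect_pem(sample)))
```

Point it at a real file with `inspect_pem(open("vpn.key").read())`. If it reports "encrypted", the FortiGate-set passphrase is needed before any `openssl rsa` or `openssl pkcs12 -export` step will succeed; if it reports "NOT encrypted", the export will only ask for the new PKCS#12 export password.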
Deftone
New Contributor

I bought the certificate to create certificate-based IPsec. To do so I created a CSR on my FortiGate, sent it to the CA and they signed it. Then I imported the certificate into my FortiGate. So far so good.

In Windows I can import the certificate into my personal chain and use it for my VPN. My iPhone is a different story. To be able to use the certificate on my iPhone and create IPsec I need a PFX file to install the certificate on my iPhone. When I only import the certificate on my iPhone I'm not able to choose it while creating the VPN.

At this moment the key file is encrypted and has a passphrase that I don't know. The passphrase was made by the FortiGate because I didn't set it.

 

 

Deftone

OK, the problem seems to be on 5.4 OS. On this release it's not possible to unset the password via the CLI.

When you do that you will get the above-mentioned error.

I did the same on OS 5.2.10 and there I can unset and set a new password for the private key.

JPMfg
New Contributor

FortiOS 5.4 does not allow you to export the key by clearing the encryption passphrase ("unset password" bails).

It is still possible to export certificate and key in a form to be imported into another FortiGate box, simply by copying and pasting the output of "show full-configuration" that includes key, cert and the encrypted passphrase.

I have not found a way to export the key in a standard format (PKCS#8 or PKCS#12), but I have not invested any time to figure out the secret the FortiGate uses to encrypt the password that encrypts the key...

It must be a standard static shared key since you can simply copy and paste the entire block into another FortiGate.

JPM
emnoc
Esteemed Contributor III

Agreed, and openssl makes all of this so easy. It's also supported on every Linux/Unix and Windows.

It's the Swiss Army knife for certificates imho.

PCNSE NSE StrongSwan
Jackchenwork
New Contributor III

This is an old discussion, but I tried to move a certificate from one Fortinet device to another and it won't work.

@JPMfg mentioned:

"It is still possible to export certificate and key in a form to be imported into another FortiGate box, simply by copying and pasting the output of "show full-configuration" that includes key, cert and the encrypted passphrase."

I tried it and got the error "Failed to decode passwd.", which is actually expected. Think about it: if you could copy an encrypted passphrase from one device to another, that would mean the two devices use the same master key to encrypt/decrypt the passphrase, and that would be really bad.

So I believe there is no way to export a local certificate's private key to another device now (unless you have the passphrase). From a security point of view this is not a bad thing; Fortinet just needs to make sure users are aware of this.

 

 

 

 

 
