Hello Everyone,
This is probably a common issue, but it's kind of urgent.
I configured a CSR from FortiGate to purchase an SSL certificate.
All good so far, I managed to install the certificate. But I want to use it on other servers, so I need the private key.
Through the CLI, I found the private key, but it's encrypted. The command "unset password" apparently doesn't work in FortiOS 5.4.
What are my options? Can I export the certificate/key to another FortiGate (4.0?) and try to unset the password? Any other solution?
Thanks
You need to use the show full command:
show full config vpn cert local
It should show the certificate in PEM format and the key. Just copy out the cert+key and use openssl to check the modulus if you want to be sure it's correct, e.g.
openssl x509 -in <certfile> -noout -modulus | openssl md5
openssl rsa -in <privkeyfile> -noout -modulus | openssl md5
You could also use sha1
openssl x509 -in <certfile> -noout -modulus | openssl sha1
openssl rsa -in <privkeyfile> -noout -modulus | openssl sha1
If the values match, then cert+key are a matching pair. If you want to build a pfx:
openssl pkcs12 -export -in <certfile> -inkey <keyfile> -out mynew.pfx
;)
Ken
PCNSE
NSE
StrongSwan
Thanks for your reply.
When I show the full-conf vpn cert local, I get this (not the full syntax, just a preview):
edit "portail alamana"
set password ENC K1GqerTVAukDMIEgsSEYsjD59ziQU766Jue4Em9J7tVWFRh5+CbfA.....
set comments ''
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIlsbBHVI02KACAggA
MBQGCCqGSIb3DQMHBAjvMDKXJmmMEQSCBMhQ0P7hOK2McnBExDGrIJiHdBgfCa6h
dHNKDJUeMIT9nVirYq5+56Nr64SXigPOJIaxEsOaFD05TuJouFWhtmWGqmAI8y8Y
u1dQy9r+8+wrzJs5yrtqupuwMj9/MWtZQSdHTyoDD/DJIT7537vUXAUryZUDnpms
VhLwrQJWixD/piKWoeDWpT6u79lHHRh8kmN3qiaEK8+cYQ15jOCi9/AmOWPAzieJ
0MyurtJMGGjNuD+/9zkAcwKMI
The private key is apparently encrypted. Will it work with OpenSSL, even without the decryption password?
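Added example (not code from this thread, and not Ken's or Fortinet's): it ties together Ken's modulus check and the question above about the ENCRYPTED PRIVATE KEY. It builds a constructed, throw-away self-signed RSA pair as a stand-in for the cert and key copied out of the config dump, checks that they are a pair (sha256 over the modulus instead of md5/sha1, same idea), re-wraps the key as passphrase-protected PKCS#8 so it carries the same "-----BEGIN ENCRYPTED PRIVATE KEY-----" header as in the dump, and shows that openssl will only load that key with the right passphrase. Assumes openssl on PATH and a writable temp directory; the file names and CN are made up.

```shell
#!/bin/sh
# Added example (not from this thread): confirm that a certificate and key
# copied out of `show full-configuration vpn certificate local` are a pair,
# and see how openssl treats an "ENCRYPTED PRIVATE KEY" with and without
# its passphrase. Assumes openssl on PATH and a writable temp directory.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Constructed stand-in for the FortiGate-generated pair: a throw-away
# self-signed RSA-2048 cert. Point the checks at your real files instead.
make_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=portal.example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Hex digest of stdin; strips the "(stdin)= " / "SHA2-256(stdin)= " prefix
# so OpenSSL 1.1 and OpenSSL 3 produce the same string.
digest() {
  openssl sha256 | sed 's/^.*= *//'
}

# Digest of the certificate's "Modulus=..." line.
cert_modulus_hash() {
  openssl x509 -in "$1" -noout -modulus | digest
}

# Digest of the key's "Modulus=..." line. $2 is the passphrase for an
# encrypted key (ignored for a plaintext one). Returns non-zero when openssl
# cannot load the key, e.g. wrong or missing passphrase.
key_modulus_hash() {
  mod=$(openssl rsa -in "$1" -noout -modulus -passin "pass:${2:-}" 2>/dev/null) || return 1
  printf '%s\n' "$mod" | digest
}

# key_matches_cert CERT KEY [PASSPHRASE]: exit 0 only when they share a modulus.
key_matches_cert() {
  c=$(cert_modulus_hash "$1")
  k=$(key_modulus_hash "$2" "${3:-}") || return 1
  [ "$c" = "$k" ]
}

# Re-wrap a key as passphrase-protected PKCS#8 (PBES2 / AES-256-CBC); this
# yields the "-----BEGIN ENCRYPTED PRIVATE KEY-----" header seen in the dump.
encrypt_key() {
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -out "$2" -passout "pass:$3"
}

# Demo on the constructed files.
make_pair
encrypt_key "$WORK/key.pem" "$WORK/key.enc.pem" 'correct-horse'
key_matches_cert "$WORK/cert.pem" "$WORK/key.pem" \
  && echo "plaintext key matches cert"
key_matches_cert "$WORK/cert.pem" "$WORK/key.enc.pem" 'correct-horse' \
  && echo "encrypted key matches cert once decrypted with its passphrase"
key_matches_cert "$WORK/cert.pem" "$WORK/key.enc.pem" 'wrong-passphrase' \
  || echo "encrypted key is unusable without its passphrase (openssl cannot load it)"
```

The last line is the answer to the question above in practice: an encrypted PEM key is perfectly usable with openssl, but only if you know the passphrase it was encrypted with; without it, openssl cannot load the key and no modulus check, pfx build or server install is possible.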
Hello,
I'm curious whether you ever found a solution to this? I am running into the same issue when trying to unset the password on FortiOS 6.0.5.
Hi jdecker91,
Did you ever find a solution to this?
Bill
Did you try the CLI command "export vpn certificate local"? You will need to set the p12 format and have a TFTP server.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD44134
Ken Felix
PCNSE
NSE
StrongSwan
Hi emnoc,
Not yet, but I was researching just that. Yes, I have a TFTP server, although my initial cert was not p12. Is that format required when exporting/importing into another FortiGate? Or is that just best practice, as the PKCS#12 format is password protected?
We are running 6.0.x if that matters.
Thanks for replying,
W_k
Also, I found this http://stuff.purdon.ca/?page_id=233 but am unsure whether it applies, as the "unset password" command, after research, has not been 100% effective.
emnoc,
The procedure you posted describes importing the cert to a Windows server. My requirement is to export/import to another FortiGate 100E. Is the process still the same?
Thank you,
W_k
Read the link, but again:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD44134
# cert.p12 is the file name on my tftp-server
FWF60D (global) # execute vpn certificate local export tftp letscrptp12 cert.p12 192.168.1.112
Done.
PCNSE
NSE
StrongSwan
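Added example (not from this thread, and not Ken's or Fortinet's): once the FortiGate has written a passphrase-protected PKCS#12 to the TFTP server, the question becomes how to get a PEM cert and key out of it for another server, and how to be sure the pair survived intact. This script builds a PKCS#12 the way Ken's `openssl pkcs12 -export` line does (from a constructed, throw-away self-signed pair standing in for the FortiGate's), unpacks it back into PEM, and checks that the unpacked key still matches the cert. Assumes openssl on PATH and a writable temp directory; file names, passphrases and the CN are made up.

```shell
#!/bin/sh
# Added example (not from this thread): PKCS#12 round trip. Build a
# passphrase-protected .p12 from a cert+key, unpack a .p12 (such as the
# cert.p12 the FortiGate exported over TFTP) into PEM cert and key, and
# verify the unpacked key belongs to the cert.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Constructed throw-away pair standing in for the FortiGate's cert and key.
make_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=portal.example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# build_p12 CERT KEY OUT PASSPHRASE: same as Ken's export line, with the
# export passphrase supplied on the command line instead of a prompt.
build_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# p12_passphrase_ok P12 PASSPHRASE: exit 0 only if the PKCS#12 MAC verifies
# under that passphrase (-noout parses and checks without writing anything).
p12_passphrase_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# unpack_p12 P12 PASSPHRASE OUTDIR: writes OUTDIR/cert.pem (certs only) and
# OUTDIR/key.pem (unencrypted PKCS#8 key, ready for another server).
# Fails when the passphrase is wrong.
unpack_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3/cert.pem" 2>/dev/null || return 1
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/key.pem" 2>/dev/null || return 1
}

# SHA-256 fingerprint of a certificate, colon-separated hex only.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# key_matches_cert CERT KEY: exit 0 when the plaintext key's modulus equals
# the certificate's modulus (both printed as "Modulus=<hex>").
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -modulus)
  k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Demo: round trip through PKCS#12 on the constructed files.
make_pair
build_p12 "$WORK/cert.pem" "$WORK/key.pem" "$WORK/cert.p12" 'export-pass'
mkdir -p "$WORK/out"
unpack_p12 "$WORK/cert.p12" 'export-pass' "$WORK/out" \
  && echo "unpacked cert.pem and key.pem with the right passphrase"
p12_passphrase_ok "$WORK/cert.p12" 'wrong' \
  || echo "wrong passphrase: PKCS#12 MAC check fails, nothing is extracted"
[ "$(cert_fingerprint "$WORK/out/cert.pem")" = "$(cert_fingerprint "$WORK/cert.pem")" ] \
  && echo "unpacked certificate is byte-for-byte the original"
key_matches_cert "$WORK/out/cert.pem" "$WORK/out/key.pem" \
  && echo "unpacked key matches the certificate"
```

Two practical notes. The key written by `-nocerts -nodes` is unencrypted on disk, so treat that output directory like the key itself and remove it once the key is installed on the target server. And if a device-exported .p12 is refused by OpenSSL 3 with an unsupported-algorithm error, the file was likely built with legacy ciphers (RC2/3DES); adding `-legacy` to the `openssl pkcs12` read commands loads the legacy provider and usually resolves it.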
Copyright 2025 Fortinet, Inc. All Rights Reserved.