Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
harith7
New Contributor

FortiGate : SSL Certification Private Key Export

Hello Everyone,

 

This is probably a common issue, but it's kind of urgent.

 

I configured a CSR from Fortigate to purchase an SSL Certificate.

 

All good so far, i managed to install the certificate. But i want to use it in other servers, so i need the private key.

 

Throught CLI, i found the private key but it's encrypted. the commande "unset password" doesnt work apparently in the 5.4 FortiOS.

 

What are my options ? can i export the certificate/key in another Fortigate (4.0 ?) and try to unset the password ? any other solution ? 

 

Thank's  

10 REPLIES 10
emnoc
Esteemed Contributor III

You need to use the show full command

 

cli

show full config vpn cert local

It should show the certificate  PEM format and KEY. Just copy out the cert+key and use openssl to check modulus if you want to be sure it's correct

 

 

e.g

 

openssl  x509 -in <certfile> -noout -modulus | openssl md5

openssl  rsa -in <privkeyfile> -noout -modulus | openssl md5

 

You could also use sha1

 

 

openssl  x509 -in <certfile> -noout -modulus | openssl sha1

openssl  rsa -in <privkeyfile> -noout -modulus | openssl sha1

 

 

If the values matches, than  cert+key are a matching pair. if you want to build a pfx

 

 

openssl  pkcs12 -export -in <certfile> -inkey <keyfile> -out  mynew.pfx

 

 

;)

 

Ken

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
harith7
New Contributor

Thank's for your reply.

 

When i show the full-conf vpn cert local, i got this (it's not the full syntax, just the preview):

 

edit "portail alamana"
        set password ENC K1GqerTVAukDMIEgsSEYsjD59ziQU766Jue4Em9J7tVWFRh5+CbfA.....
        set comments ''
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIlsbBHVI02KACAggA
MBQGCCqGSIb3DQMHBAjvMDKXJmmMEQSCBMhQ0P7hOK2McnBExDGrIJiHdBgfCa6h
dHNKDJUeMIT9nVirYq5+56Nr64SXigPOJIaxEsOaFD05TuJouFWhtmWGqmAI8y8Y
u1dQy9r+8+wrzJs5yrtqupuwMj9/MWtZQSdHTyoDD/DJIT7537vUXAUryZUDnpms
VhLwrQJWixD/piKWoeDWpT6u79lHHRh8kmN3qiaEK8+cYQ15jOCi9/AmOWPAzieJ
--More--          0MyurtJMGGjNuD+/9zkAcwKMI

 

The private key is apparently Encrypted. Will it work with Openssl ? even without the decrypted password ?

 

jdecker91

Hello,

    I'm curious if you had ever found a solution to this? I am running into the same issue when trying to unset the password running FortiOS 6.0.5

wkana

Hi jdecker91,

 

Did you ever find a solution to this?

 

Bill

emnoc
Esteemed Contributor III

Did you try the cli cmd "export vpn certificate local" ? You will need to set p12 format and have a tftp-server 

 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44134

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
wkana
New Contributor

Hi emnoc,

 

Not yet, but was researching just that. Yes, have a tftp-server, although my initial cert was not p12. Is that format required when exporting/importing into another Fortigate? Or is that just best practice as the PKCS#12 format is password protected?

 

We are running 6.0.x if that matters.

 

Thanks for replying,

 

W_k

wkana
New Contributor

Also, found this http://stuff.purdon.ca/?page_id=233 but am unsure if it applies as the "unset password" cmd, after research, has not been 100% effective. 

 

wkana
New Contributor

emnoc,

 

The procedure you posted describes importing the cert to a windows server. My requirement is to export/import to another Fortigate 100e. Is the process still the same?

 

Thank you,

 

W_k

 

emnoc
Esteemed Contributor III

read the link  but again 

 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44134

 

 

# cert.p12  is the file name on my tftp-server

 

FWF60D (global) # execute vpn  certificate local export tftp letscrptp12 cert.p12 192.168.1.112

#

Done.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors