Hello everyone
I am currently trying to make my new Wildcard certificate work on my Fortigate 200D cluster. The import of the root bundle and the cert and private key is working as far as I can tell, but I still run into a problem with my certificate chain.
My firmware is: FortiOS 5.2.9
What I have done so far:
1) Created a CSR from a Windows IIS server, had a CA sign it and complete the certificate request on the IIS server.
2) Exported the cert with private key into a .pfx file.
3) Split the .pfx file into two files, cert.crt and privatekey.key
4) Imported the cert.crt and privatekey.key files into the Fortigate using GUI (Global > Certificates > Import > Local Certificate. Choose type "Certificate" and pointed at my cert.crt and privatekey.key files.
5) Imported the root bundle into the Fortigate using GUI (Global > Certificates > Import > CA Certificate. Choose "Local PC" and pointed at my root bundle .crt file.
6) The Fortigate accepts both the cert.crt/privatekey.key and the root bundle.
7) Selected the newly imported certificate for the SSL portal (Virtual Domains > root > VPN > SSL > Settings. Selected the certificate in "Server certificate"
When I browser to my ssl vpn site ([link]https://vpn.mydomain.com)[/link] I do see the new certificate.
But when I test using different ssl checker sites they all report about chain issues.
I followed this guide for importing the CA bundle: http://docs.fortinet.com/uploaded/files/2337/How-To-Buy-&-Import-SSL-Certificate%20-%209.pdf
I followed this guide for spliting and importing the certificate: https://stuff.purdon.ca/?page_id=83
Does anyone have any idea on how to solve the chain issues when using a public signed certificate on the Fortigates?
Thanks in advance!
Regards Anders
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
Import all authority (root, subordonate, etc) certificate (so the chain) into the FGT.
I did it for OWA (Offloading + LB) on FGT100D and it works fine (now warning with qualys SSL check).
Regards,
HA
Hi HA
I imported the root cert, the intermediate cert and the certificate into the Fortigate. The root cert and intermediate cert I got from the CA which signed my certificate.
The Fortigate also accepts all the files and I am able to browse my SSLVPN site without getting a warning but when I check the chain using an SSL chain checker I shows the chain as broken.
In what order did you upload the certificates? Does this mean anything for the Fortigate?
My error:
hi, i have the same problem, How did you solve the problem?
okay, i have solved my problem. I added in to body of my certificate COMODORSADomainValidationSecureServerCA.crt and AddTrustExternalCARoot.crt
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1645 | |
1070 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.