Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CAD
Contributor

Import certificate

Hello ,

I have created CSR in Fortigate , and then got certificate(quick SSL Basic ) from third party(geo cert).

 

I am having trouble importing certifcate on FortiGate, when you try to import the certificate, I get the following message "Import local certificate is valid."

 

please help me to solve this issue.

 

Thanks

27 REPLIES 27
emnoc
Esteemed Contributor III

Use a online free tool to validate the  CSR+KEY and if you have a signed cert CERT+key ( openssl is more advance and the online car/cert tools are simpler to use )

 

 

https://www.sslshopper.com/csr-decoder.html

 

 

Optionally you can extract the  public-key from the  "CSR or CERT" and and check against the   private key 

 

all modulus   should a match btw

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
CAD

Thank you emnoc for reply.

 

I have only cert, I do not have the private key. I've created a CSR on FortiGate devices, through the creation of CSR, I did not find any option for key.

I have received a certificate from the vendor, the zip file, when extracting file (zip), and got 4 files (text), I've converted the two files of these files to extension(.crt) As stated in the document.

 

Is the private key necessary to import the certificate?

What have you done wrong, please advise me.

 

Thanks

emnoc
Esteemed Contributor III

Yes the privy-key is where the magic is at ;)

 

So you have a CSR, who/what created CSR? Fortunate ? if yes than the key should be on the unit you can try the cli cmd  and see what's shown

 

e.g "

show full vpn  certificate local test123"

 

See  screenshot of the  cli output and the webgui CSR creation. The key is always present regardless if  the CSR was signed.

 

 

 

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

and the privy-key

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
CAD

Thanks emnoc for support,

yes i had created CSR on fortinate, i have ran command it shown the key part on CSR:

 

(set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- BABgkqhkiG9w0BBQ0wMzAb

--------------------------------

-----END ENCRYPTED PRIVATE KEY-----")

 

Now , what the next action?

 

Thanks

CAD
Contributor

Should i copy CSR+key and re-issue certificate again

or what should i do? advise please

 

thanks

 

emnoc
Esteemed Contributor III

1: did you  find a CSR in the fortigate?

 

2: was said CSR delivered to the  intermediate-CA for signing?

 

3: if yes for #2, did you upload the   "signed CERT" back into the fortigate?

 

 

Those are the steps. if you didn't do #1 & #2, than delete the current CSR,execute a new CSRequest and send it to be signed.

 

The cli makes things much easier sometimes and the webgui has had problem with importation. Since I'm a big an advocate of openssl, I do all key generation and   csr creation off-appliance and import the cer+key back in.

 

or use the   cli . I just publish a howto for EC drafted CSR+keys. You craft RSA or elliptic curve request ( you can't do DSA btw )

 

e.g

 

http://socpuppet.blogspot.com/2016/11/howto-generate-elliptic-curve-csrs.html

 

 

Then after you have the CSR, just paste the complete section of  begin  request end request and ship that to the intermediary  !!!! DO NOT SEND THE PRIVATE_KEY !!!!!

 

If the CSR req  is good  and meets any requirements set by the CA ( keysize, subjt, alt,name,extensions, attributes,etc.....) then they should sign the request and send you a certificate. Just paste that certificate in and be done.

 

I hope that helps

 

Ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
CAD

Thank you emnoc,

 

1:did you  find a CSR in the fortigate? yes

2: was said CSR delivered to the  intermediate-CA for signing? yes

3: if yes for #2, did you upload the   "signed CERT" back into the fortigate? I am trying to do this

----I have uploded screenshot for the CSR on fortigate----

I have received two files from intermediate-CA(PKCS#7 (.p7b) Format,ZIP PEM-encoded Bundle)

I have tried to import with two files but did not succeded.

 

Thanks

 

CAD
Contributor

certificate on fortigate unit pending...

 

emnoc
Esteemed Contributor III

Okay 

 

So you have a PEM format  certificate back ? Did you try to paste it in via cmd cli or via the webGUI import?

 

Does the certificate modulus matches the  privy-key? You can search online for tools for certificate+private-key match testing or use openssl

 

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors