Hello,
I have created a CSR in FortiGate and then got a certificate (QuickSSL Basic) from a third party (GeoCert).
I am having trouble importing the certificate on the FortiGate: when I try to import the certificate, I get the following message: "Import local certificate is valid."
Please help me to solve this issue.
Thanks
Use a free online tool to validate the CSR+KEY and, if you have a signed cert, the CERT+KEY (openssl is more advanced; the online CA/cert tools are simpler to use):
https://www.sslshopper.com/csr-decoder.html
Optionally you can extract the public key from the CSR or CERT and check it against the private key.
All the moduli should match, btw.
Ken
PCNSE
NSE
StrongSwan
Thank you emnoc for the reply.
I have only the cert; I do not have the private key. I created the CSR on the FortiGate device, and during the creation of the CSR I did not find any option for a key.
I have received a certificate from the vendor as a zip file. When extracting the file (zip), I got 4 files (text), and I converted two of these files to the extension (.crt) as stated in the document.
Is the private key necessary to import the certificate?
What have I done wrong? Please advise me.
Thanks
Yes, the private key is where the magic is at ;)
So you have a CSR; who/what created the CSR? FortiGate? If yes, then the key should be on the unit. You can try the CLI command and see what's shown, e.g.:
show full vpn certificate local test123
See the screenshot of the CLI output and the web GUI CSR creation. The key is always present, regardless of whether the CSR was signed.
Ken
PCNSE
NSE
StrongSwan
Thanks emnoc for the support.
Yes, I had created the CSR on the FortiGate. I ran the command and it showed the key part of the CSR:
(set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
BABgkqhkiG9w0BBQ0wMzAb
--------------------------------
-----END ENCRYPTED PRIVATE KEY-----")
Now, what is the next action?
Thanks
Should I copy the CSR+key and re-issue the certificate again,
or what should I do? Please advise.
Thanks
1: Did you find a CSR in the FortiGate?
2: Was said CSR delivered to the intermediate CA for signing?
3: If yes for #2, did you upload the "signed CERT" back into the FortiGate?
Those are the steps. If you didn't do #1 and #2, then delete the current CSR, execute a new CSR request and send it to be signed.
The CLI makes things much easier sometimes, and the web GUI has had problems with importation. Since I'm a big advocate of openssl, I do all key generation and CSR creation off-appliance and import the cert+key back in,
or use the CLI. I just published a howto for EC-drafted CSRs+keys. You can craft an RSA or elliptic curve request (you can't do DSA, btw), e.g.:
http://socpuppet.blogspot.com/2016/11/howto-generate-elliptic-curve-csrs.html
Then, after you have the CSR, just paste the complete section from BEGIN REQUEST to END REQUEST and ship that to the intermediary. !!!! DO NOT SEND THE PRIVATE KEY !!!!!
If the CSR is good and meets any requirements set by the CA (key size, subject, alt name, extensions, attributes, etc.), then they should sign the request and send you a certificate. Just paste that certificate in and be done.
I hope that helps.
Ken
PCNSE
NSE
StrongSwan
Thank you emnoc,
1: Did you find a CSR in the FortiGate? Yes.
2: Was said CSR delivered to the intermediate CA for signing? Yes.
3: If yes for #2, did you upload the "signed CERT" back into the FortiGate? I am trying to do this.
----I have uploaded a screenshot of the CSR on the FortiGate----
I have received two files from the intermediate CA (PKCS#7 (.p7b) format, and a ZIP PEM-encoded bundle).
I have tried to import both files but did not succeed.
Thanks
Okay.
So you have a PEM format certificate back? Did you try to paste it in via the CLI or via the web GUI import?
Does the certificate modulus match the private key? You can search online for certificate+private-key match testing tools or use openssl.
Ken
PCNSE
NSE
StrongSwan
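The off-appliance workflow emnoc describes (key and CSR generated with openssl, only the CSR sent to the CA, the returned .p7b unpacked to PEM, and the certificate modulus checked against the private key before importing) as one added, runnable example. This is not code from the thread or from Fortinet; it assumes openssl is on PATH, the subject and the stand-in "CA" are constructed for the demo, and the work directory and function names are the example's own.

```shell
#!/bin/sh
# Added example: generate key + CSR off-appliance, stand in for the CA,
# unpack the returned PKCS#7 bundle, and prove cert and key belong together.
# Assumes openssl on PATH. Paths, subject and CA are made up for the demo.

WORK="${WORK:-$(mktemp -d)}"

# Step 1: private key and CSR. Only server.csr ever leaves this machine;
# server.key stays here (or is pasted into the appliance over a secure channel).
gen_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=vpn.example.test/O=Example" 2>/dev/null
}

# Step 2: a throwaway CA standing in for the real intermediate (constructed).
# It signs the CSR and returns a PKCS#7 (.p7b) bundle, as many CAs do.
sign_csr() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -days 1 -subj "/CN=Example Test CA" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/server.crt" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$WORK/server.crt" \
        -certfile "$WORK/ca.crt" -out "$WORK/bundle.p7b" 2>/dev/null
}

# Step 3: turn the .p7b into plain PEM certificates (leaf first, then CA).
# Prints how many certificates were extracted.
p7b_to_pem() {
    openssl pkcs7 -in "$1" -print_certs -out "$2" 2>/dev/null
    grep -c 'BEGIN CERTIFICATE' "$2"
}

# Step 4: modulus fingerprints. Key, CSR and cert share one modulus when
# they belong together; a cert issued for a different CSR will not match.
key_mod()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null | openssl md5; }
csr_mod()  { openssl req  -noout -modulus -in "$1" 2>/dev/null | openssl md5; }
cert_mod() { openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl md5; }

# Returns 0 when the certificate matches the private key, 1 otherwise.
cert_matches_key() {
    [ "$(cert_mod "$1")" = "$(key_mod "$2")" ]
}

# Stand-alone run: full round trip, then the check you do before importing.
if [ "${1:-}" = "run" ]; then
    gen_csr
    sign_csr
    echo "certs in bundle: $(p7b_to_pem "$WORK/bundle.p7b" "$WORK/bundle.pem")"
    if cert_matches_key "$WORK/bundle.pem" "$WORK/server.key"; then
        echo "cert/key modulus match: safe to import into the CSR entry"
    else
        echo "MISMATCH: this cert was not issued for this key; do not import"
    fi
fi
```

Run it with `sh example.sh run`. If the FortiGate itself generated the key (the "BEGIN ENCRYPTED PRIVATE KEY" block shown earlier in the thread), the same `openssl rsa -modulus` check works on that block with `-passin` for its passphrase; the certificate only imports cleanly when its modulus equals that key's, which is why a cert issued from a different or re-generated CSR is rejected.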
Copyright 2024 Fortinet, Inc. All Rights Reserved.