Hello ,
I have created CSR in Fortigate , and then got certificate(quick SSL Basic ) from third party(geo cert).
I am having trouble importing certifcate on FortiGate, when you try to import the certificate, I get the following message "Import local certificate is valid."
please help me to solve this issue.
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Use a online free tool to validate the CSR+KEY and if you have a signed cert CERT+key ( openssl is more advance and the online car/cert tools are simpler to use )
https://www.sslshopper.com/csr-decoder.html
Optionally you can extract the public-key from the "CSR or CERT" and and check against the private key
all modulus should a match btw
Ken
PCNSE
NSE
StrongSwan
Thank you emnoc for reply.
I have only cert, I do not have the private key. I've created a CSR on FortiGate devices, through the creation of CSR, I did not find any option for key.
I have received a certificate from the vendor, the zip file, when extracting file (zip), and got 4 files (text), I've converted the two files of these files to extension(.crt) As stated in the document.
Is the private key necessary to import the certificate?
What have you done wrong, please advise me.
Thanks
Yes the privy-key is where the magic is at ;)
So you have a CSR, who/what created CSR? Fortunate ? if yes than the key should be on the unit you can try the cli cmd and see what's shown
e.g "
show full vpn certificate local test123"
See screenshot of the cli output and the webgui CSR creation. The key is always present regardless if the CSR was signed.
Ken
PCNSE
NSE
StrongSwan
Thanks emnoc for support,
yes i had created CSR on fortinate, i have ran command it shown the key part on CSR:
(set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- BABgkqhkiG9w0BBQ0wMzAb
--------------------------------
-----END ENCRYPTED PRIVATE KEY-----")
Now , what the next action?
Thanks
Should i copy CSR+key and re-issue certificate again
or what should i do? advise please
thanks
1: did you find a CSR in the fortigate?
2: was said CSR delivered to the intermediate-CA for signing?
3: if yes for #2, did you upload the "signed CERT" back into the fortigate?
Those are the steps. if you didn't do #1 & #2, than delete the current CSR,execute a new CSRequest and send it to be signed.
The cli makes things much easier sometimes and the webgui has had problem with importation. Since I'm a big an advocate of openssl, I do all key generation and csr creation off-appliance and import the cer+key back in.
or use the cli . I just publish a howto for EC drafted CSR+keys. You craft RSA or elliptic curve request ( you can't do DSA btw )
e.g
http://socpuppet.blogspot.com/2016/11/howto-generate-elliptic-curve-csrs.html
Then after you have the CSR, just paste the complete section of begin request end request and ship that to the intermediary !!!! DO NOT SEND THE PRIVATE_KEY !!!!!
If the CSR req is good and meets any requirements set by the CA ( keysize, subjt, alt,name,extensions, attributes,etc.....) then they should sign the request and send you a certificate. Just paste that certificate in and be done.
I hope that helps
Ken
PCNSE
NSE
StrongSwan
Thank you emnoc,
1:did you find a CSR in the fortigate? yes
2: was said CSR delivered to the intermediate-CA for signing? yes
3: if yes for #2, did you upload the "signed CERT" back into the fortigate? I am trying to do this
----I have uploded screenshot for the CSR on fortigate----
I have received two files from intermediate-CA(PKCS#7 (.p7b) Format,ZIP PEM-encoded Bundle)
I have tried to import with two files but did not succeded.
Thanks
Okay
So you have a PEM format certificate back ? Did you try to paste it in via cmd cli or via the webGUI import?
Does the certificate modulus matches the privy-key? You can search online for tools for certificate+private-key match testing or use openssl
Ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.