Let's Encrypt and FortiGate

Alby23 · ‎12-13-2016

Do u know if it's possible to use a Let's Encrypt-generated certificate into the FortiGate for the VPN Portal?

mhe · ‎12-13-2016

No, I don't think that you can use LE certificates. You need their app on the device to use it. But you can use startssl

View solution in original post

emnoc · ‎12-13-2016

Mhe has it right.

Natively the answer is NO, but you have ways around this. Use a linux bistro build a csr/priv-key sign the csr and then export , re-import it in fortigate.

Yes any x509 compatible certificate will work in a fortigate but the native means of "let's encrypt" make it not a 1 2 3 easy-do method.

PCNSE

NSE

StrongSwan

View solution in original post

NeilG · ‎12-13-2016

The problem with the manual import is that you will be running the manual process probably 5 times a year as letsencrypt issuance is 90days.

"Our certificates are valid for 90 days. You can read about why here."

https://letsencrypt.org/docs/faq/

-N

View solution in original post

jtfinley · ‎12-13-2016

So here's what I did using a raspberry pi, but can be easily used on other platforms...

[ol]

Install letsencrypt (https://letsencrypt.org/getting-started) on a box with tcp/80, tcp/443 open. (Raspberry Pi - used CertBot)

Temporarily point a DNS A or CNAME record of your (Raspberry Pi Box) SSL VPN at the box you're going to run letsencrypt on.

Once it pulls dependencies - Run letsencrypt using example below.

[ol]

./certbot-auto certonly --standalone -d vpn.yoursite.com -d [[/ol]

Change DNS records if required by pointing your DNS A record back at your SSL VPN IP

Grab your pems from /etc/letsencrypt/live/vpn.yoursite.com (cert.pem & privkey.pem) [/ol]

FortiGate:

[ol]

System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem

VPN -> SSL -> Settings. Change Server Certificate.

Repeat process every 90 days

Setup CronJob to renew it.[/ol]

View solution in original post

TecnetRuss · ‎04-05-2021

Just updating this thread to mention that ACME/LetsEncrypt functionality is now built into FortiOS 7.0. New Features | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library Russ NSE7

View solution in original post

Iescudero · ‎12-13-2016

Hello!

The answer is yes! of course you can use any certificate that want, just be carefull how you create the certificate and the CA chain must be present. If the CA is present in the browser's client, then you'll be fine.

Bye!

Alby23 · ‎12-13-2016

I'm talking specifically about Let's Encrypt. It's something different in the way you create the Certificate (and of course the CA us trusted).

Nils · ‎12-13-2016

From my understanding, you just need to have a web-server available when you create the certificate to verify ownership of the domain-name/IP. Just create a CSR on the Fortigate first.

Then you'll get a regular certificate to import at your fortigate..?

mhe · ‎12-13-2016

No, I don't think that you can use LE certificates. You need their app on the device to use it. But you can use startssl

emnoc · ‎12-13-2016

Mhe has it right.

Natively the answer is NO, but you have ways around this. Use a linux bistro build a csr/priv-key sign the csr and then export , re-import it in fortigate.

Yes any x509 compatible certificate will work in a fortigate but the native means of "let's encrypt" make it not a 1 2 3 easy-do method.

PCNSE

NSE

StrongSwan

NeilG · ‎12-13-2016

The problem with the manual import is that you will be running the manual process probably 5 times a year as letsencrypt issuance is 90days.

"Our certificates are valid for 90 days. You can read about why here."

https://letsencrypt.org/docs/faq/

-N

jtfinley · ‎12-13-2016

So here's what I did using a raspberry pi, but can be easily used on other platforms...

[ol]

Install letsencrypt (https://letsencrypt.org/getting-started) on a box with tcp/80, tcp/443 open. (Raspberry Pi - used CertBot)

Temporarily point a DNS A or CNAME record of your (Raspberry Pi Box) SSL VPN at the box you're going to run letsencrypt on.

Once it pulls dependencies - Run letsencrypt using example below.

[ol]

./certbot-auto certonly --standalone -d vpn.yoursite.com -d [[/ol]

Change DNS records if required by pointing your DNS A record back at your SSL VPN IP

Grab your pems from /etc/letsencrypt/live/vpn.yoursite.com (cert.pem & privkey.pem) [/ol]

FortiGate:

[ol]

System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem

VPN -> SSL -> Settings. Change Server Certificate.

Repeat process every 90 days

Setup CronJob to renew it.[/ol]

emnoc · ‎12-13-2016

The problem with the manual import is that you will be running the manual process probably 5 times a year as letsencrypt issuance is 90days.

Any thing free has limits, restrictions,etc...

i use caCert btw. Interface is small and password recovery is difficult at best some times. You get 6months and be advise most browsers still don't have the cacert chain in trust & you can craft client certificates no add-on programs or other dependencies just issues and paste a CSR.

Ken

PCNSE

NSE

StrongSwan

BrainWaveCC · ‎10-24-2017

Yes, you can use Let's Encrypt. For now, you have to do it manually, but I am investigating a way to do it semi-automated and I'll share it if it works.

Let's Encrypt and FortiGate

Nominate a Forum Post for Knowledge Article Creation