Let's Encrypt and FortiGate
Do you know if it's possible to use a Let's Encrypt-generated certificate on the FortiGate for the VPN Portal?
No, I don't think that you can use LE certificates. You need their app on the device to use it. But you can use StartSSL.
Mhe has it right.
Natively the answer is NO, but you have ways around this. Use a Linux distro: build a CSR/private key, sign the CSR, and then export and re-import it in the FortiGate.
Yes, any X.509-compatible certificate will work in a FortiGate, but the native means of "Let's Encrypt" make it not a 1-2-3 easy-do method.
PCNSE
NSE
StrongSwan
The problem with the manual import is that you will be running the manual process probably 5 times a year, as Let's Encrypt issuance is 90 days.
"Our certificates are valid for 90 days. You can read about why here."
https://letsencrypt.org/docs/faq/
-N
So here's what I did using a Raspberry Pi, but it can easily be used on other platforms...
FortiGate:
1. System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem.
2. VPN -> SSL -> Settings. Change Server Certificate.
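The steps above only cover the FortiGate side of the procedure, and the thread elsewhere stresses two things that go wrong with a manual import: the CA chain must be present, and the 90-day lifetime means the import comes around again soon. The script below is an added example, not code from the thread or from Fortinet. It builds a key and CSR the way the "build a csr/priv-key, sign the csr" reply describes, signs it with a throw-away local CA that stands in for the Let's Encrypt issuer so the script runs offline, and then runs the four pre-import checks a practitioner would want before uploading cert.pem and privkey.pem: key matches certificate, leaf chains to the issuing CA, SAN covers the portal hostname, and enough validity left. The hostname vpn.example.com, the files under $WORK and the function names are all constructed assumptions; the stand-in CA is not Let's Encrypt.

```shell
#!/bin/sh
# Added example, not code from the thread. A local OpenSSL stand-in CA plays
# the role of the Let's Encrypt issuer so the script runs offline; the
# hostname, the file names under $WORK and the function names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
VPN_HOST=vpn.example.com            # hypothetical SSL-VPN portal name

# Constructed fixture: stand-in issuing CA, portal key + CSR, 90-day leaf cert.
# With real Let's Encrypt the CSR step is the same; certbot then writes
# cert.pem, privkey.pem and fullchain.pem instead of the local signing step.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Stand-in Issuing CA" >/dev/null 2>&1
  # the thread's "build a csr/priv-key" step
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/privkey.pem" -out "$WORK/vpn.csr" \
    -subj "/CN=$VPN_HOST" >/dev/null 2>&1
  # sign for 90 days (the Let's Encrypt lifetime the thread complains about),
  # adding a SAN because modern clients ignore the CN
  printf 'subjectAltName=DNS:%s\n' "$VPN_HOST" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/san.ext" \
    -out "$WORK/cert.pem" >/dev/null 2>&1
  # what certbot calls fullchain.pem: leaf followed by the issuing CA
  cat "$WORK/cert.pem" "$WORK/ca.pem" > "$WORK/fullchain.pem"
}

# Check 1: the key uploaded with the certificate must actually belong to it.
# The import form accepts the files either way; a mismatch only shows up as
# failed TLS handshakes on the portal.
key_matches_cert() {  # $1 cert.pem  $2 privkey.pem
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Check 2: the leaf chains to the issuing CA you also intend to present
# (the thread's "CA chain must be present" point).
chain_verifies() {  # $1 issuing-CA pem  $2 cert.pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: the SAN covers the name clients type into the VPN portal URL.
cert_covers_host() {  # $1 cert.pem  $2 hostname
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Check 4: renewal window. Exits 0 while the cert stays valid for at least
# $2 more days; run it from cron so you learn when the manual re-import is due.
valid_for_days() {  # $1 cert.pem  $2 days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run all four against a directory laid out like certbot's live/<host>/.
precheck() {  # $1 directory holding cert.pem, privkey.pem and ca.pem
  fails=0
  key_matches_cert "$1/cert.pem" "$1/privkey.pem" && echo "ok   key matches cert" || { echo "FAIL key/cert mismatch"; fails=$((fails+1)); }
  chain_verifies "$1/ca.pem" "$1/cert.pem" && echo "ok   chain verifies" || { echo "FAIL chain does not verify"; fails=$((fails+1)); }
  cert_covers_host "$1/cert.pem" "$VPN_HOST" && echo "ok   SAN covers $VPN_HOST" || { echo "FAIL SAN lacks $VPN_HOST"; fails=$((fails+1)); }
  valid_for_days "$1/cert.pem" 30 && echo "ok   more than 30 days left" || { echo "WARN renew now: under 30 days left"; fails=$((fails+1)); }
  return $fails
}

make_fixture
if precheck "$WORK"; then
  echo "ready to import cert.pem + privkey.pem"
else
  echo "fix the failures before importing"
fi
```

To use it against a real certbot output directory, point `precheck` at `live/<host>/` and pass the issuer's intermediate certificate as `ca.pem`; the fourth check is the one worth scheduling, since with a 90-day certificate it is what turns the "5 times a year" manual process into a predictable reminder rather than a surprise outage.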
Just updating this thread to mention that ACME/Let's Encrypt functionality is now built into FortiOS 7.0.
New Features | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library
Russ NSE7
Hello!
The answer is yes! Of course you can use any certificate that you want, just be careful how you create the certificate, and the CA chain must be present. If the CA is present in the client's browser, then you'll be fine.
Bye!
I'm talking specifically about Let's Encrypt. It's something different in the way you create the certificate (and of course the CA is trusted).
From my understanding, you just need to have a web server available when you create the certificate to verify ownership of the domain name/IP. Just create a CSR on the FortiGate first.
Then you'll get a regular certificate to import on your FortiGate..?
The problem with the manual import is that you will be running the manual process probably 5 times a year, as Let's Encrypt issuance is 90 days.
Anything free has limits, restrictions, etc...
I use CAcert btw. The interface is small and password recovery is difficult at best sometimes. You get 6 months, and be advised most browsers still don't have the CAcert chain in trust, & you can craft client certificates with no add-on programs or other dependencies; just issue and paste a CSR.
Ken
PCNSE
NSE
StrongSwan
Yes, you can use Let's Encrypt. For now, you have to do it manually, but I am investigating a way to do it semi-automated and I'll share it if it works.