Do you know if it's possible to use a Let's Encrypt-generated certificate on the FortiGate for the VPN Portal?
No, I don't think that you can use LE certificates. You need their app on the device to use it. But you can use StartSSL.
Mhe has it right.
Natively the answer is NO, but you have ways around this. Use a Linux distro, build a CSR/private key, sign the CSR, and then export and re-import it in the FortiGate.
Yes, any X.509-compatible certificate will work in a FortiGate, but the native means of "Let's Encrypt" make it not a 1-2-3 easy-do method.
PCNSE
NSE
StrongSwan
The problem with the manual import is that you will be running the manual process probably 5 times a year, as Let's Encrypt issuance is 90 days.
"Our certificates are valid for 90 days. You can read about why here."
https://letsencrypt.org/docs/faq/
-N
So here's what I did using a Raspberry Pi, but it can be easily used on other platforms...
FortiGate:
1. System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem
2. VPN -> SSL -> Settings. Change Server Certificate.
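Because the 90-day lifetime means the manual import above gets repeated, it helps to check the two files before each upload. The following is an added example, not part of the original post: it confirms that cert.pem and privkey.pem belong to the same key pair and that the certificate has enough validity left. The function names, return codes and the 30-day default threshold are assumptions.

```shell
#!/bin/sh
# Added example: pre-import check for the cert.pem / privkey.pem pair.
# MIN_DAYS, the function names and the return codes are assumptions chosen
# for this example; they are not FortiGate or Let's Encrypt settings.

MIN_DAYS="${MIN_DAYS:-30}"

# SHA-256 of the public key embedded in a certificate (PEM file in $1).
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key (PEM file in $1).
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# check_pair CERT KEY [DAYS]
# Returns 0 = safe to import, 1 = a file is missing or unparseable,
#         2 = certificate and key do not match,
#         3 = certificate expires within DAYS days.
check_pair() {
    cp_cert="$1"; cp_key="$2"; cp_days="${3:-$MIN_DAYS}"

    # Parse both files first so a failed read cannot look like a match.
    openssl x509 -in "$cp_cert" -noout 2>/dev/null || return 1
    openssl pkey -in "$cp_key" -noout 2>/dev/null || return 1

    [ "$(cert_pubkey_hash "$cp_cert")" = "$(key_pubkey_hash "$cp_key")" ] || return 2

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cp_cert" -noout -checkend $((cp_days * 86400)) \
        >/dev/null 2>&1 || return 3

    return 0
}

# Usage: check_pair cert.pem privkey.pem && echo "OK to import"
```

A return code of 3 is the cue to renew before going through the import steps again.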
Just updating this thread to mention that ACME/LetsEncrypt functionality is now built into FortiOS 7.0.
New Features | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library
Russ
NSE7
Hello!
The answer is yes! Of course you can use any certificate that you want; just be careful how you create the certificate, and the CA chain must be present. If the CA is present in the browser's client, then you'll be fine.
Bye!
I'm talking specifically about Let's Encrypt. It's something different in the way you create the certificate (and of course the CA is trusted).
From my understanding, you just need to have a web server available when you create the certificate to verify ownership of the domain name/IP. Just create a CSR on the FortiGate first.
Then you'll get a regular certificate to import at your FortiGate..?
The problem with the manual import is that you will be running the manual process probably 5 times a year, as Let's Encrypt issuance is 90 days.
Anything free has limits, restrictions, etc...
I use CAcert btw. Interface is small and password recovery is difficult at best sometimes. You get 6 months, and be advised most browsers still don't have the CAcert chain in trust, & you can craft client certificates; no add-on programs or other dependencies, just issue and paste a CSR.
Ken
PCNSE
NSE
StrongSwan
Yes, you can use Let's Encrypt. For now, you have to do it manually, but I am investigating a way to do it semi-automated and I'll share it if it works.