Migrate Fortinet_CA_SSL from old Fortigate to a new one

Pikok · ‎12-14-2022

Hello

What steps to take to transfer Fortinet_CA_SSL (used in deep inspection) from one Fortiagte to another.

Fortiagte was replaced with a new one and was configured from scratch.

The Fortinet_CA_SSL certificate is installed on end computers
(so that there are no problems with the certificate in deep inspection)

I do not want to install the certificate from the new Fortigate on computers,
only to transfer the deep inspection from the old fortigate.

pminarik · ‎12-15-2022

Hi,

If the old FortiGate is still up, you can grab the old CA certificate snippet from CLI: show full vpn certificate local Fortinet_CA_SSL

If not, grab the same object from its configuration backup (config vpn certificate local -> edit "Fortinet_CA_SSL" ...).

Then paste the entire config snippet into the CLI of your new FortiGate (including the encrypted private-key, password, and certificate fields). Note: I am not sure if the default CA is modifiable. Ff it is not, you may need to paste the old CA in with a different name (e.g. "Fortinet_CA_SSL_old") to avoid the name conflict. Afterwards you will need to edit your SSL inspection profiles and set them to use the old CA certificate.

[ corrections always welcome ]

Pikok · ‎12-19-2022

Replacing the certificate doesn't work but adding it with a different name did the trick

Thank you for your help

Migrate Fortinet_CA_SSL from old Fortigate to a new one

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website