Hello,
I'm using Forti OS 5.6.3 on a Fortigate 200D.
I've bought domain SSL certificate. I've followed the (old) procedure https://docs.fortinet.com/d/fortigate-how-to-purchase-and-import-a-signed-ssl-certificate ("Purchase and Import a signed SSL Certificate").
From the Web UI, I've generated the CSR (RSA 4096 bits with a password for private key), and submit it to the certificate seller. This one give me the informations to get two .crt files, one for my domain, the second for the Intermediate Certificate. I've imported the two .crt in the Web UI (System/Certificates), and I've found them in "Certificates" and "External CA Certificates". The domain certificate's status was witch the status OK.
But my new domain certificate, was not in the list "Server Certificate" in "VPN/SSL-VPN Settings".
What is bad in my procedure?
Should I import the Root CA Certificate too on the Fortigate?
Thanks for your help.
JM
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Did you do this from the Web GUI? You might need to copy/paste the cert via cli
config vpn certificate local { irrc }
Once the crt file is matched to the certificate, you can select it for the vpn-services.
Ken
PCNSE
NSE
StrongSwan
Hello,
Thanks.
I've used the CLI for import the domain certificate (and Web UI for the Intermediate CA Certificate).
The status certificate have changed from Pending to OK.
I've tried to use these commands:
config vpn ssl settings
unset servercert
set servcert + Key Tab
Only the current certificate is shown (Fortinet_Factory, and not the other ones)
And if use the "sert servcert Fortinet_SSL_Portail", ("Fortinet_SSL_Portail" is our domain certificate) the command fails (return code -3)
Is there something special with FortiOs 5.6.3?
JM
I'd assume you have the wrong certificate type.
For SSL VPN you will need a certificate capable of signing.
For SSL Inspection you will need a sub ca certificate even.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thanks sw2090.
In the details of the new certificate I see:
X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
I suppose it's good for SSL VPN ?
Jm
"
While the default self-signed certificates can be used for HTTPS connections, it is preferable to use the X.509 server certificate to avoid the redirection as it can be misinterpreted as possible session hijacking. However, the server certificate method is more complex than self-signed security certificates. Also the warning message is typically displayed for the initial connection, and future connections will not generate these messages.
X.509 certificates can be used to authenticate IPsec VPN peers or clients, or SSL VPN clients. When configured to authenticate a VPN peer or client, the FortiGate unit prompts the VPN peer or client to authenticate itself using the X.509 certificate. The certificate supplied by the VPN peer or client must be verifiable using the root CA certificate installed on the FortiGate unit in order for a VPN tunnel to be established."
Is what the online help of one my FGT says about this.
After signing your CSR as what did you import it? Local Cert? CA? ...
Maybe you imported it as the wrong kind (struck me once too ;) ).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi,
I've imported the intermediate as CA certificate (shown under "External CA Certificates" on the Web UI interface) and the domain certicate as "Local Certificate" (shown under "Certificates" section on the Web UI).
I've followed, I think (??) the steps given in the "Purchase and Import a Signed SSL Certificate" Fortinet document.
I have a case opened and Fortinet ask me to use a 2048 bits key size and not a 4096 bits. With a new certificate reissued by my CA, the problem is the same.
For the moment, I don't know if there is something wrong (that's the first time I'm using these features), in my operations, or in the certificate's type I've bought.
Jm
Hello,
A clue: I've seen that the current certificate selected "Fortinet_Factory" is the only with no password shown in the command (CLI) "show vpn certificate local ". The other ones with password are not proposed in the interface (Web UI or CLI).
???
Jm
It seems Fortigate doesn't accept too long certificate names. Mine was 21 characters long. Or may be a naming problem. Some of the names of the embedded certificates are long too, and cannot be selected.
My certificate with a shorter name, can be selected no, for web management console, and VPN setting.
Thanks to those who have spent time talking to me about this problem
Jm
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.