Support Forum
Maerre
New Contributor III

export and import a certificate with no private key

Hello guys,

I need to export a certificate from one FortiGate to the lab FortiGate, but all the guidelines talk about the private key:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD33362

https://kb.fortinet.com/kb/documentLink.do?externalID=FD35001

 

My problem is that the certificate doesn't have a private key, and if I download it via the GUI, once exported to the lab FortiGate it gives me an error (failed to import).

The certificate is configured as below with NO private key:

 

FORTIGATE (SAML_AZURE_CERT) # sh full-configuration
config vpn certificate local
    edit "SAML_AZURE_CERT"
        set comments ''
        unset private-key
        unset certificate
        set range global
        set source user
        set source-ip 0.0.0.0
        set ike-localid-type asn1dn
        set enroll-protocol none
    next
end

 

How can I export and import this certificate without generating a new CSR?

 

Thanks for your reply
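A quick check to run on the downloaded file before attempting the import, added here as an example and not taken from the thread or from Fortinet. The config above shows both `unset private-key` and `unset certificate`, so the first thing to establish is whether the file the GUI produced contains any certificate block at all, whether it is a certificate-only export (the public half, no key), a full certificate-plus-key bundle, or a truncated download. The script uses only the Python standard library; the sample PEM payloads at the bottom are constructed minimal DER structures, not real certificates, and exist only so the structural check has something to pass.

```python
"""Inventory the PEM blocks in a certificate file before importing it.

Added example for this thread, not code from the forum post or from
Fortinet. Standard library only, so it runs on the admin workstation
against the file the GUI download produced. The sample payloads at the
bottom are constructed: minimal DER SEQUENCEs standing in for real
certificate/key bodies, so the structural check has something to pass.
"""
import base64
import re
import sys
from typing import Dict

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
}


def der_outer_length_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length matches the bytes present. Certificates, CSRs and PKCS#8 keys all
    start that way, so this catches truncated or pasted-wrong files without
    an ASN.1 library. It does not validate the certificate itself."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                     # short form: one length byte
        length, header = first, 2
    else:                                # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:   # 0x80 (indefinite) is not DER
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def inventory(pem_text: str) -> Dict[str, int]:
    """Count certificate blocks, private-key blocks, other blocks, and
    blocks whose base64 does not decode to a complete DER SEQUENCE."""
    counts = {"certificates": 0, "private_keys": 0, "other": 0, "malformed": 0}
    for m in PEM_BLOCK.finditer(pem_text):
        try:
            der = base64.b64decode("".join(m.group("body").split()), validate=True)
        except ValueError:               # binascii.Error is a ValueError subclass
            der = b""
        if not der_outer_length_ok(der):
            counts["malformed"] += 1
        elif m.group("label") == "CERTIFICATE":
            counts["certificates"] += 1
        elif m.group("label") in PRIVATE_KEY_LABELS:
            counts["private_keys"] += 1
        else:
            counts["other"] += 1
    return counts


def classify(pem_text: str) -> str:
    """Reduce the inventory to the question the import error raises:
    what, if anything, is actually in this file?"""
    c = inventory(pem_text)
    if c["malformed"]:
        return "malformed"
    if c["certificates"] == 0 and c["private_keys"] == 0:
        return "empty"                   # nothing for any importer to load
    if c["certificates"] and c["private_keys"]:
        return "certificate+key"
    if c["private_keys"]:
        return "key-only"
    return "certificate-only"


def _pem(label: str, der: bytes) -> str:
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample inputs (not real certificates): SEQUENCE { INTEGER 1 }.
_MINIMAL_DER = bytes.fromhex("3003020101")
SAMPLE_CERT_ONLY = _pem("CERTIFICATE", _MINIMAL_DER)
SAMPLE_CERT_AND_KEY = SAMPLE_CERT_ONLY + _pem("PRIVATE KEY", _MINIMAL_DER)
SAMPLE_EMPTY = ""                                          # an export with nothing loaded
SAMPLE_TRUNCATED = _pem("CERTIFICATE", _MINIMAL_DER[:-1])  # last byte lost in transfer

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERT_ONLY
    print(classify(text), inventory(text))
```

Run it as `python3 pem_inventory.py exported.crt`. An "empty" result means the import has nothing to work with, regardless of the private-key question; "certificate-only" is the expected shape for a public certificate being moved between devices; "malformed" points at the download or copy step rather than at the importer.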

 

lol
Staff

Hello,


> my problem is that the certificate doesn't have a private key and if i download it via gui, once exported to the lab's fortigate it gives me an error (failed to import).

 

It is no longer possible to export private keys from the FortiGate for security reasons.
Therefore the recommendation is to create the private/public key pair outside of FortiGate and import it into the FortiGate afterwards.


You could however downgrade your device to 5.2.x or below 5.4.8 and then follow the procedures mentioned in the listed KB articles to export the private part.


Regards

pminarik
Staff

[deleted]

[ corrections always welcome ]
sw2090
Honored Contributor

Hm, without a private key a certificate is rather useless, hence you do need the private key to encrypt anything with it.

As you can no longer export private keys from a FortiGate, you would have to generate the CSR outside it along with a key and either import the certificate bundle or the certificate and key. I am not sure what the FGT actually supports here; I haven't used it for quite a while now.

Then you have certificate and key(s) and can import them wherever you want to.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Cajuntank
Contributor II

I just did this a few months back and followed the directions from this website to get the key from one of my FortiGates https://stuff.purdon.ca/?page_id=233

I generated a new CA cert on my main firewall (signed it as an Intermediate with my internal private root CA), exported the signed cert (like you normally would from the GUI) along with the key (using the above link via CLI), then imported both on my ISFW FortiGates so I could apply more local security profiles to traffic. They all use the same certificate, so there is only the one to deploy (some browsers fuss if the Intermediate certificate is not in their certificate store and not just the trusted root CA).

pminarik

What firmware version are you running?

I don't remember the exact version where this was finally disabled, but since around 6.0.7/6.2.2 it should not be possible to "unset" a password, nor to set it to nothing (set password "").

[ corrections always welcome ]
Cajuntank

Have been running 6.4.8 for some time now.

pminarik

Fascinating. Here's what I see with a sample test on 6.4.9:

[screenshot attachment: pminarik_0-1661804538891.png]

Would you mind sharing what model you've done this on, and perhaps a quick demo with some dummy certificate? I would really love to see this in action, since I am almost certain that this "ability" was removed some time around 6.2, and one should not be able to do that anymore...

[ corrections always welcome ]
Cajuntank

It was a 1800F. Let me see what I can come up with tomorrow to get you what you are looking for. I just looked at my certificate and it looks like I generated it on April 25, 2022 and I'm 100% certain I was on 6.4.8 when I did it as I even have 6.4.8 revision history back from March 2022.

pminarik

Thank you for indulging me! :)

I grabbed a 1800F unit in the lab and tested this with 6.4.8 (build 6165 to be exact). But the behaviour is the same as the 61E sample I showed previously, i.e. it's not possible to reveal the plaintext privkey in the CLI.

 

So I am left to wonder whether you might have a different build somehow? (presumably it's not a randomly triggered bug that would let you do something different with the exact same build)

 

edit: And to be clear about why I keep blabbering on about this. There was a PSIRT Advisory released about this and so the process described is not supposed to be available - https://www.fortiguard.com/psirt/FG-IR-19-134

[ corrections always welcome ]