Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
abdulrazak
New Contributor

ssl certificate password

Hi all,

I am trying to get a certificate password from my fortigate unit. any one knows how to decrypt that password stored

command i used

sh vpn certificate local

In that my certificate password is there.

 

5 REPLIES 5
xsilver_FTNT
Staff
Staff

Hi abdulrazak,

 

as you might realized, each time you save config backup, those passwords (set secret ..) changes the strings.

That's because those are salted and then encrypted to protect those exactly against what you are trying to achieve .. clear text password retrieval from encrypted form.

AFAIK it should not be possible.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

emnoc
Esteemed Contributor III

You  need to 1>  record the private-key passphrase  2> store it in a secure spot 

 

You will not be able to  retrieve any  password/secrer/passphrase from a  FGT.con file

 

ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
abdulrazak

Thanks,

What if i created csr in my fortigate device and made it CA signed, so that i can use it as trusted certificate. That time i need private key and password additionally to add this certificate to another unit, how i will get this password?. I have to use this certificate for ssl inspection. If i add it in the same device in which i created csr, it is added in local certificate, but ssl inspection drop-menu have only local CA certificate. So i need to add this certificate as local CA certificate. kindly suggest one solution

emnoc
Esteemed Contributor III

You can't craft a CSR with a certificate "CA sign". don't you have a local CA ( MS enterprise for example ) and can you sign a CSR and ensure the useage as CA:TRUE?

 

If, yes than you import that certificate into the fortigate and trust it  with your webclients.

 

Do a google search for  fortigate cookbook and ssl-inspections. They have a few documents out that explains this.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
chimera
New Contributor

Old post I know, but I will add to this as I struggled to work out why the certificate wasn't "visible" in the dropdown box for the SSL VPN settings, and couldn't find much on the web on how to migrate...

 

So if you are doing a Fortigate migration and the old Fortigate has a certificate that has been generated on the firewall itself, then others have mentioned the passphrase is generated by the Fortigate (and therefore unknown) so you cannot just download the cert and import it to the new Fortigate. You have 2 options.

 

1. Try unset the password, see this link https://stuff.purdon.ca/?page_id=233

 

2. If the above doesn't work (supposedly doesn't for certain firmware versions, as it didn't work for me with an older firmware revision) Migrate portions of the configuration over including the private key and encryption password.  To do, view the configuration from the CLUI, highlight and copy the private key and cert from the configuration under:

 

 

config vpn certificate local

 

Eg: copy out the parts between edit "My Cert" and -- END CERTIFICATE -- then backup the config on your new firewall, paste the copied portion of configuration into the same section, save then restore that config back into the new firewall.  Don't forget to import the corresponding CA certificate too.

 

Cheers

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors