FortiGate
jmacdonaldplante

Description

Depending on how the certificate is used, it may be necessary to obtain the private key and public certificate from a FortiGate/FortiWiFi in order to load them on other machines, for example when the certificate signing request was generated on the FortiGate/FortiWiFi itself.

Extracting the private key is a simple task provided that the configuration is loaded into a FortiGate/FortiWiFi appliance or virtual machine. CLI access is required to perform these steps.


Solution

Access the CLI Console of the appliance or virtual machine and perform the following:

    # config vpn certificate local
    # edit [certificate_name]
    # unset password
    # show full


These steps unset the password that FortiOS uses to encrypt the private key. If you exit this portion of the configuration, a new password is automatically applied.

When you submit the "show full" command, it prints the plain-text configuration for the certificate, which includes both its unencrypted private key and its public certificate.

The output should look something like this:

    config vpn certificate local
        edit "Fortinet_CA_SSLProxy"
            set password ENC "xbhxFaK5XBgM8swWpprSCYI6SLBe3/AMOn/Mj7xazDqFENQXjjXPmD4VXYuYN6zks3O36ECCkxX2kmQkEoyBPke9fV0rT08or7vthB9tlN83WA5SWJ5J9Gs
            > KBLg9WdWpDDwVsio7CaVYx24hX2/98jFNkCgQ90PDz8M6CX9ZboQHLemJgX0h88P5EsVrPhtVqT/PEw=="
            set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
            set private-key "-----BEGIN PRIVATE KEY-----
            > MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCgU1YXilYKBW2gag
            > [omitted for brevity]
            > g5vtXWbV3vM8mWMAou4qAR6X/k+5usIqYzqB67wFEMXsYkQ8vb0
            > -----END PRIVATE KEY-----"
            set certificate "-----BEGIN CERTIFICATE-----
            > MIID2jCCAsKgAwIBAgIEVC8u3jANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
            > [omitted for brevity]
            > WY1CW4nQSamY6of2lmQbjfUKNtuyS56Y3MhhfokI0IPPtEsrVpLu89VHyiCQMKpzRu
            > -----END CERTIFICATE-----"
            unset state
            set scep-url ''
            set source-ip 0.0.0.0
            unset ike-localid-type
        next
    end


From this output, copy the texts between and including:

"-----BEGIN PRIVATE KEY-----" AND "-----END PRIVATE KEY-----"
"-----BEGIN CERTIFICATE-----" AND "-----END CERTIFICATE-----"


Paste these texts into a text editor (for example, Notepad or vim) and save each as a separate file, ensuring that the quotation marks are removed and that there are no empty spaces before or after the text. For example, the private key text could be saved as "key.pem" and the certificate as "certificate.pem".
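Copying the blocks by hand is error-prone: the CLI prefixes every continuation line with "> ", the value is wrapped in quotation marks, and a dropped line leaves a key that OpenSSL rejects with an unhelpful error. The following Python script is an added example (not part of the original article or of FortiOS) that strips those markers from a saved "show full" capture, rebuilds clean PEM files, and checks that each block's outer DER length matches its decoded size so a truncated paste is detected before the file is used anywhere. The sample capture and its base64 bodies are constructed placeholders, not real key material.

```python
import base64, binascii, re

# Constructed sample of FortiOS "show full" output in the shape the article
# shows. The base64 bodies are tiny constructed DER blobs, not real keys.
SAMPLE_SHOW_FULL = '''config vpn certificate local
    edit "example_cert"
        set private-key "-----BEGIN PRIVATE KEY-----
        > MAMCAQU=
        > -----END PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
        > MAQCAgEC
        > -----END CERTIFICATE-----"
    next
end
'''

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL)


def der_is_complete(der: bytes) -> bool:
    """True if the outer DER SEQUENCE length matches the decoded size (catches truncation)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                               # short-form length
        header, length = 2, der[1]
    else:                                           # long-form length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def extract_pem_blocks(show_output: str) -> dict:
    """Return {label: {"pem": text, "complete": bool}} with CLI markers and quotes removed."""
    lines = [ln.strip() for ln in show_output.splitlines()]
    cleaned = "\n".join(ln[2:] if ln.startswith("> ") else ln for ln in lines)
    result = {}
    for m in PEM_BLOCK.finditer(cleaned):
        b64 = "".join(m.group("body").split())       # join the wrapped base64
        try:
            complete = der_is_complete(base64.b64decode(b64, validate=True))
        except binascii.Error:                      # not valid base64 at all
            complete = False
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        label = m.group("label")
        pem = f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"
        result[label] = {"pem": pem, "complete": complete}
    return result
```

Write each returned "pem" string to its own file (key.pem, certificate.pem) only when "complete" is true, and give the key file owner-only permissions since it is unencrypted.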

These files can then be used to import the certificate and private key onto another machine.

Note, however, that "key.pem" is unencrypted, and it is highly recommended that it be deleted or encrypted to protect the private key. OpenSSL can be used to encrypt the private key with the following command:

    openssl rsa -des -in key.pem -out encrypted_key.pem