Article Id 190716
This article describes how to manage PKCS#12 based server (local) certificates, which are password protected.

Starting with FortiOS 5.4, in a backup and restore context, a server (local) certificate and its private key can be exported to, or imported from, a TFTP server as a password-protected PKCS#12 file (an encrypted binary format).

Note that the certificate export/import procedure cannot be done from the GUI; it is only available from the CLI, using the following commands:

Assuming 'FNETLAB' is the certificate name, 'FNETLAB.p12' the file name on the TFTP server, and a reachable TFTP server IP address, the CLI commands to export or import the certificate look like the following:

execute vpn certificate local export tftp FNETLAB p12 FNETLAB.p12
execute vpn certificate local import tftp FNETLAB.p12 FNETLAB.p12 p12 mypassword

Note: editing the PKCS#12 file, or importing the PKCS#12 certificate into another FortiGate unit later, requires the password that was set on the certificate at the time of the export (see step 2 below). Keep in mind that TFTP offers neither authentication nor transport encryption, so the confidentiality of the private key in transit and at rest on the TFTP server depends entirely on that password: use a strong, random one and delete the file from the TFTP server once it is no longer needed.

Detailed procedure:

1) Generate a Certificate Signing Request called ‘FNETLAB’ either from the GUI (Generate > CSR) or from the CLI as per the command below:

execute vpn certificate local generate rsa FNETLAB 2048
Global certificate Signing State: Pending
Once the process has finished, the 'FNETLAB' CSR is listed in the GUI.

2) Associate a password with the CSR (this can only be done from the CLI). This password will protect the private key in the exported PKCS#12 file:

config vpn certificate local
    edit FNETLAB
        set password mypassword
    next
end
3) Export the CSR from the GUI.

4) Submit the CSR to the PKI (certificate authority) and have it signed.

5) Once signed, export the signed certificate in PEM format from the PKI.

6) Import the signed certificate back into the FortiGate, where it replaces the pending CSR entry 'FNETLAB'.
7) Export the 'FNETLAB' certificate as a PKCS#12 file using the following CLI command:
execute vpn certificate local export tftp FNETLAB p12 FNETLAB.p12
8) The exported FNETLAB.p12 file cannot be used without the password. For example, in a Microsoft Windows environment, double-clicking the exported FNETLAB.p12 file launches the Certificate Import Wizard, which asks for the private key password (mypassword in this case).

A password (mypassword) for the private key is required to open the PKCS#12 certificate.


9) The password is also required when the PKCS#12 file is inspected or edited with OpenSSL:

C:\OpenSSL\bin>openssl pkcs12 -info -in ../mmwrk/FNETLAB.p12
Enter Import Password:                            <-- key-in mypassword
MAC Iteration 1
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Bag Attributes
    friendlyName: FNETLAB
    localKeyID: CC DA 03 36 C4 FE C3 7D 3F 2E D1 8A F3 B1 A2 F2 8B 02 29 BA

The output also shows how the file is protected: the legacy pbeWithSHA1And3-KeyTripleDES-CBC scheme with 2048 iterations, and a MAC iteration count of 1. Both are cheap to evaluate, so an attacker who obtains the file (for example from the TFTP server) can test password guesses offline at high speed; the private key is only as safe as the export password is resistant to guessing.
10) Similarly, the password is required when importing the FNETLAB.p12 file into another FortiGate:
execute vpn certificate local import tftp FNETLAB.p12 p12 mypassword
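The following POSIX shell script is an added example, not part of the original article and not Fortinet tooling. It reproduces steps 7 to 10 offline with OpenSSL so the behaviour of a password-protected PKCS#12 bundle can be checked before a real export: it builds a bundle under a password, confirms that the right password opens it and a wrong one is rejected, reads back the friendlyName bag attribute shown by 'openssl pkcs12 -info', and unpacks the bundle to PEM. Assumptions: a self-signed certificate stands in for the PKI-signed FNETLAB certificate, a temporary directory stands in for the TFTP server, and the function names are illustrative. The bundle is deliberately created with AES-256-CBC and a SHA-256 MAC instead of the SHA1/3DES scheme seen in the article's output.

```shell
#!/bin/sh
# Added example (not from the article): exercise a password-protected PKCS#12
# bundle with OpenSSL, mirroring the FortiGate export/import steps.
set -eu

WORK=$(mktemp -d)            # stand-in for the TFTP server directory (assumption)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME: key pair plus self-signed certificate.
# Stand-in for the PKI-signed certificate of step 5 (assumption: no real PKI).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# pack_p12 NAME PASSWORD: bundle key and certificate into NAME.p12 under PASSWORD
# (what the FortiGate does in step 7). Explicit PBES2/AES-256 and SHA-256 MAC
# rather than the legacy pbeWithSHA1And3-KeyTripleDES-CBC scheme.
pack_p12() {
    openssl pkcs12 -export -name "$1" \
        -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "pass:$2" -out "$WORK/$1.p12"
}

# p12_opens NAME PASSWORD: succeed only if PASSWORD verifies the bundle's MAC
# (the check that fails with "Mac verify error" on a wrong password).
p12_opens() {
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" \
        -nokeys -nodes >/dev/null 2>&1
}

# p12_friendly_name NAME PASSWORD: print the friendlyName bag attribute,
# the same line the article's 'openssl pkcs12 -info' output shows.
p12_friendly_name() {
    openssl pkcs12 -info -in "$WORK/$1.p12" -passin "pass:$2" \
        -nokeys -nodes 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# p12_pbe_info NAME PASSWORD: print the "PKCS7 Encrypted data:" line that
# 'openssl pkcs12 -info' writes to stderr, revealing the protection scheme.
p12_pbe_info() {
    openssl pkcs12 -info -in "$WORK/$1.p12" -passin "pass:$2" \
        -nokeys -nodes 2>&1 >/dev/null | grep 'Encrypted data' | head -n 1
}

# p12_to_pem NAME PASSWORD OUT: unpack the bundle into an unencrypted PEM file
# holding certificate and private key (step 9's "editing" with OpenSSL).
p12_to_pem() {
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nodes -out "$3" 2>/dev/null
}

# Walk through the scenario with the article's names.
make_cert FNETLAB
pack_p12 FNETLAB mypassword
if p12_opens FNETLAB mypassword; then
    echo "correct password: bundle opened"
fi
if ! p12_opens FNETLAB wrongpassword; then
    echo "wrong password: bundle rejected"
fi
echo "friendlyName: $(p12_friendly_name FNETLAB mypassword)"
echo "protection:   $(p12_pbe_info FNETLAB mypassword)"
```

Running the script prints the friendlyName FNETLAB and a "PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, ..." line instead of the SHA1/3DES line from the article, which is how to confirm that a bundle you produce yourself uses the stronger scheme. The p12_opens check is the same MAC verification that the FortiGate import in step 10 and the Windows import wizard in step 8 perform.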