Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Vbharath_FTNT
Staff
Staff

Created on ‎09-26-2014 08:25 AM Edited on ‎03-24-2025 11:19 PM By Community Manager

Article Id 198661

Technical Tip: How to update a local certificate installed on a FortiGate without generating a new CSR

Description

 

This article describes how to update a certificate that is already installed on a FortiGate without the need to generate a new CSR first.
This is typically done when the certificate currently installed on the FortiGate has expired.


Scope

 

When the CA renews the certificate using the same public/private key pair as the original certificate.


Solution

 

When a CSR is created on the FortiGate it will generate two "things": the CSR itself, and a matching private key.

When the signed certificate is uploaded for the first time, it was matched to the private key.
After certificate expires, in FortiGate can be found the private key and the "old" certificate as an object in "config vpn certificate local", unless it is already deleted.

Assuming that there isn't sent any new CSR to CA, that implies that the new certificate CA Authority provided, still matches the 'old' private key.
The goal is to have the old privkey + new certificate in a single object in the FortiGate configuration.


That can be achieved by one of the two methods described below:

  1. Manually edit the old/existing object and replace the old 'set certificate' value with the new one.
  2. Upload the privkey and the new certificate as a new object. For that, it is needed to export the private key out of the configuration, which can only be done if the password is known for the private key. (if the password is set manually during CSR generation and still remembered, this can be done; otherwise, it is not possible)

 

This procedure can only be done through the command line interface (CLI) of the FortiGate.
 
  1. Open the renewed certificate (provided by the CA) in the text editor and copy the content.

    Note that regardless of the certificate's file extension, the certificate must be PEM encoded, not DER encoded. If it is DER encoded, the words 'BEGIN CERTIFICATE' or 'END CERTIFICATE' will not be visible.

vbharat_FD35074_tn_viswa_1.jpg
  1. Connect to the FortiGate unit via SSH to import the new signed certificate.
 
Note:
If the user is on Multi-VDOM, the commands must be run on the Global VDOM.
 
Multi-VDOM:

config global
config certificate local
edit [certificate name]
set certificate <----- Insert a quotation mark ("), then press Enter and paste the certificate content. Insert another quotation mark (") and press Enter. Note that Notepad might insert a carriage return, resulting in an invalid command. Consider using Notepad++ to copy the PEM file contents. Press Enter before pasting the certificate content is very important otherwise, it might result in a syntax error.
end
 
Standalone VDOM:

config vpn certificate local
edit [certificate name]
set certificate <----- Insert a quotation mark ("), then press Enter and paste the certificate content. Insert another quotation mark (") and press Enter. Note that Notepad might insert a carriage return, resulting in an invalid command. Consider using Notepad++ to copy the PEM file contents.
end

For example:
Multi-VDOM:

config global
config certificate local
edit server <- A previous certificate which is about to or has expired.
set certificate "
> -----BEGIN CERTIFICATE-----
> mPjDQDYkYHKcTrGa6aH7e1w1uM7kdaBAjyAgM7xcmuTrsCeLYfd+BwIDAQABo4ID
> TDCCA0gwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIorRWhO7dYIKtkziB9KY0
> -----END CERTIFICATE-----"
    end

Standalone VDOM:

config vpn certificate local
edit "certname" (previous certificate which is about to or has expired)
set certificate "
> -----BEGIN CERTIFICATE-----
> mPjDQDYkYHKcTrGa6aH7e1w1uM7kdaBAjyAgM7xcmuTrsCeLYfd+BwIDAQABo4ID
> TDCCA0gwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIorRWhO7dYIKtkziB9KY0
> -----END CERTIFICATE-----"
end
 

MicrosoftTeams-image (4).png

 
  1. To make the renewed certificate effective, check on where the certificate is used 'linked' unset and set the certificate:
     

    Used.png

  • For an Admin HTTPS server certificate:
 
config system global
    unset admin-server-cert
end

config sys global
    set admin-server-cert [name] <- Select the certificated used for admin HTTPS access.
end
 
  • For certificates used for SSL VPN:
   
config vpn ssl setting
    unset servercert 
end
 
config vpn ssl setting
    set servercert [certificate name] <-Select the certificated used for SSLVPN access.
end
 
Note:
Unsetting or editing servercert will cause FortiGate to disconnect all connected SSL VPN users.
 
Verify the renewed certificate:

vbharat_FD35074_tn_viswa_2.jpg
157277
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.