Description
This article describes how to update a certificate that is already installed on a FortiGate without the need to generate a new CSR first.
This is typically done when the certificate currently installed on the FortiGate has expired.
Scope
When the CA renews the certificate using the same public/private key pair as the original certificate.
Solution
This procedure can only be done through the command line interface (CLI) of the FortiGate.
1) Open the renewed certificate (provided by the CA) in a text editor and copy its content.
Note that regardless of the certificate's file extension, the certificate must be PEM encoded, not DER encoded.
If it is DER encoded, the lines 'BEGIN CERTIFICATE' and 'END CERTIFICATE' will not be visible.

2) Connect to the FortiGate unit via SSH to import the new signed certificate.
Note:
If the FortiGate is in multi-VDOM mode, the commands must be run in the global VDOM.
Multi-VDOM:
config global
config certificate local
edit [certificate name]
set certificate <- Then type a double quote ("), press Enter, paste the certificate content, then type another double quote (") and press Enter.
end
Standalone VDOM:
config vpn certificate local
edit [certificate name]
set certificate <- Then type a double quote ("), press Enter, paste the certificate content, then type another double quote (") and press Enter.
end
For example:
Multi-VDOM:
config global
config certificate local
(local) # edit server
(server) # set certificate "
> -----BEGIN CERTIFICATE-----
> mPjDQDYkYHKcTrGa6aH7e1w1uM7kdaBAjyAgM7xcmuTrsCeLYfd+BwIDAQABo4ID
> TDCCA0gwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIorRWhO7dYIKtkziB9KY0
> -----END CERTIFICATE-----"
(server) #
(server) # end
Standalone VDOM:
config vpn certificate local
(local) # edit server
(server) # set certificate "
> -----BEGIN CERTIFICATE-----
> mPjDQDYkYHKcTrGa6aH7e1w1uM7kdaBAjyAgM7xcmuTrsCeLYfd+BwIDAQABo4ID
> TDCCA0gwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIorRWhO7dYIKtkziB9KY0
> -----END CERTIFICATE-----"
(server) #
(server) # end
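The following helper, added here and not part of the original article or of FortiOS, automates the checks from steps 1 and 2: it detects whether the CA's file is PEM or DER (DER is recognized by its leading ASN.1 SEQUENCE tag), normalizes it to PEM, and emits the CLI block to paste, using the page's multi-VDOM or standalone command path. The sample DER bytes are a constructed placeholder, not a real certificate.

```python
import re
import ssl

# Matches the first PEM certificate block, including its BEGIN/END lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)

# Constructed placeholder: a minimal ASN.1 SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def to_pem(cert_bytes: bytes) -> str:
    """Return the certificate as canonical PEM, converting from DER if needed.

    The file extension says nothing about the encoding; a DER file has no
    BEGIN/END markers and cannot be pasted into 'set certificate' as-is.
    """
    text = cert_bytes.decode("ascii", errors="ignore")
    m = PEM_RE.search(text)
    if m:
        # Round-trip through DER to validate the base64 and re-wrap lines.
        der = ssl.PEM_cert_to_DER_cert(m.group(0))
        return ssl.DER_cert_to_PEM_cert(der)
    if cert_bytes[:1] == b"\x30":  # DER: outer SEQUENCE tag
        return ssl.DER_cert_to_PEM_cert(cert_bytes)
    raise ValueError("input is neither PEM nor DER encoded")


def fortigate_cli(cert_name: str, pem: str, multi_vdom: bool = False) -> str:
    """Build the step-2 CLI block with the PEM body wrapped in double quotes."""
    lines = []
    if multi_vdom:
        # Multi-VDOM: certificates live in the global VDOM (path from the article).
        lines += ["config global", "config certificate local"]
    else:
        lines.append("config vpn certificate local")
    lines += [
        f"edit {cert_name}",
        'set certificate "',
        pem.rstrip("\n") + '"',
        "end",  # saves the entry and leaves the certificate table
    ]
    if multi_vdom:
        lines.append("end")  # leave 'config global' as well
    return "\n".join(lines) + "\n"
```

Confirming that the renewed certificate still matches the private key already on the FortiGate (the condition in Scope) is outside what this helper checks.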
3) To make the renewed certificate effective, unset and set the certificate:
- For Admin HTTPS server certificate:
config system global
unset admin-server-cert
end
config system global
set admin-server-cert [name] <- Select the certificate used for admin HTTPS access.
end
Similar steps can be followed for certificates used for SSL VPN:
config vpn ssl setting
set servercert [certificate name]
end
4) Verify the renewed certificate:
