Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Alby23
Contributor II

Let's Encrypt and FortiGate

Do u know if it's possible to use a Let's Encrypt-generated certificate into the FortiGate for the VPN Portal?

5 Solutions
mhe
Contributor

No, I don't think that you can use LE certificates. You need their app on the device to use it. But you can use startssl

View solution in original post

emnoc
Esteemed Contributor III

Mhe has it right.

 

Natively the answer is NO, but you have ways around this. Use a linux bistro build a csr/priv-key sign the csr and then export , re-import it in fortigate.

 

Yes any x509 compatible certificate will work in  a fortigate but the native means of "let's encrypt" make it not a 1 2 3  easy-do  method.

PCNSE 

NSE 

StrongSwan  

View solution in original post

NeilG

The problem with the manual import is that you will be running the manual process probably 5 times a year as letsencrypt issuance is 90days.

"Our certificates are valid for 90 days. You can read about why here."

https://letsencrypt.org/docs/faq/

 

-N

View solution in original post

jtfinley

So here's what I did using a raspberry pi, but can be easily used on other platforms...

 

 

[ol]
  • Install letsencrypt (https://letsencrypt.org/getting-started) on a box with tcp/80, tcp/443 open. (Raspberry Pi - used CertBot)
  • Temporarily point a DNS A or CNAME record of your (Raspberry Pi Box) SSL VPN at the box you're going to run letsencrypt on.
  • Once it pulls dependencies - Run letsencrypt using example below.
  • [ol]
  •  ./certbot-auto certonly --standalone -d vpn.yoursite.com -d [[/ol]
  • Change DNS records if required by pointing your DNS A record back at your SSL VPN IP
  • Grab your pems from /etc/letsencrypt/live/vpn.yoursite.com (cert.pem & privkey.pem) [/ol]

    FortiGate:

    [ol]
  • System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem

  • VPN -> SSL -> Settings. Change Server Certificate.

  • Repeat process every 90 days
  • Setup CronJob to renew it.[/ol]
  • View solution in original post

    TecnetRuss

    Just updating this thread to mention that ACME/LetsEncrypt functionality is now built into FortiOS 7.0. New Features | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library Russ NSE7

    View solution in original post

    46 REPLIES 46
    Iescudero
    Contributor II

    Hello!

    The answer is yes! of course you can use any certificate that want, just be carefull how you create the certificate and the CA chain must be present. If the CA is present in the browser's client, then you'll be fine.

     

    Bye!

    Alby23

    I'm talking specifically about Let's Encrypt. It's something different in the way you create the Certificate (and of course the CA us trusted).

    Nils
    Contributor II

    From my understanding, you just need to have a web-server available when you create the certificate to verify ownership of the domain-name/IP. Just create a CSR on the Fortigate first.

    Then you'll get a regular certificate to import at your fortigate..?

     

     

    mhe
    Contributor

    No, I don't think that you can use LE certificates. You need their app on the device to use it. But you can use startssl

    emnoc
    Esteemed Contributor III

    Mhe has it right.

     

    Natively the answer is NO, but you have ways around this. Use a linux bistro build a csr/priv-key sign the csr and then export , re-import it in fortigate.

     

    Yes any x509 compatible certificate will work in  a fortigate but the native means of "let's encrypt" make it not a 1 2 3  easy-do  method.

    PCNSE 

    NSE 

    StrongSwan  

    NeilG

    The problem with the manual import is that you will be running the manual process probably 5 times a year as letsencrypt issuance is 90days.

    "Our certificates are valid for 90 days. You can read about why here."

    https://letsencrypt.org/docs/faq/

     

    -N

    jtfinley

    So here's what I did using a raspberry pi, but can be easily used on other platforms...

     

     

    [ol]
  • Install letsencrypt (https://letsencrypt.org/getting-started) on a box with tcp/80, tcp/443 open. (Raspberry Pi - used CertBot)
  • Temporarily point a DNS A or CNAME record of your (Raspberry Pi Box) SSL VPN at the box you're going to run letsencrypt on.
  • Once it pulls dependencies - Run letsencrypt using example below.
  • [ol]
  •  ./certbot-auto certonly --standalone -d vpn.yoursite.com -d [[/ol]
  • Change DNS records if required by pointing your DNS A record back at your SSL VPN IP
  • Grab your pems from /etc/letsencrypt/live/vpn.yoursite.com (cert.pem & privkey.pem) [/ol]

    FortiGate:

    [ol]
  • System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem

  • VPN -> SSL -> Settings. Change Server Certificate.

  • Repeat process every 90 days
  • Setup CronJob to renew it.[/ol]
  • emnoc
    Esteemed Contributor III

    The problem with the manual import is that you will be running the manual process probably 5 times a year as letsencrypt issuance is 90days.

     

    Any thing free has limits, restrictions,etc...

     

    i use caCert btw. Interface is small and password recovery is difficult at best some times. You get 6months and be advise most browsers still don't have the cacert chain in trust & you can craft  client certificates no add-on programs or other dependencies just issues and paste a  CSR.

     

     

     

    Ken

    PCNSE 

    NSE 

    StrongSwan  

    BrainWaveCC

    Yes, you can use Let's Encrypt.  For now, you have to do it manually, but I am investigating a way to do it semi-automated and I'll share it if it works.