FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jmacdonaldplante
Article Id 195567

Description

While the FortiOS does have an option for importing PKCS#12 formatted certificates, there are scenarios in which FortiOS will claim that the file is an invalid certificate. An example would be Certificate PFX files exported from Windows Active Directory Certificate Services (AD CS).


Solution

To resolve this issue, openSSL can be used to split the PKCS#12 certificate into its corresponding public certificate and private key.

To do this you will need:
- openSSL.
- The password for the PKCS#12 certificate.
- If your PKCS#12 certificate is base64 encoded (Cisco appliances do this by default) you will first need to decode it with the openSSL. Base64 encoded PKCS#12 certificates will contain the header "-----BEGIN PKCS#12-----" and the footer "-----END PKCS#12-----". To decode it, use the following openSSL command:
openssl base64 /path/to/PKCS12.pfx -d -out decodedPKCS12.pfx
openSSL can downloaded from:

Once you have the openSSL BIN files you can proceed to run the following commands from the BIN folder:
cd /path/to/openSSL/BIN
openssl pkcs12 -in /path/to/PKCS12.pfx -nocerts -out privatekey.pem
openssl pkcs12 -in /path/to/PKCS12.pfx -clcerts -nokeys -out publiccert.pem
Notes:
1) The first command will request the password that was used to encrypt the PKCS#12 certificate. It will then request and confirm a new password to encrypt the private key file, privatekey.pem.
2) The second command will request the password that was used to encrypt the PKCS#12 certificate.

Depending on your local setup, the output will either go to your working directory or to a temporary location. If it is going to a temporary location, change the -out <option> to a full file path, for example: C:\gnuwin32\openssl\bin\privatekey.pem.

Once you have the two files you would have two ways of importing the Certificate into FortiOS.

Method 1 - GUI Import

For this method you will first need to enable the Certificates GUI menu. To do this, navigate to System > Config > Features. Expand "Show More" and turn the Certificates option on and select "Apply".

Note: In FortiOS 5.0, the name the certificate will have in the configuration will be the name of the public certificate file. Please change this name prior to importing to one that is relevant for the configuration.
  • Navigate to System > Certificates > Local Certificates and select "Import" (In FortiOS 5.2.3 or later the path is simply System > Certificates. When selecting "Import" a drop down will present options for Local Certificate, Remote Certificate, CA Certificate, and CRL. For this article we will be using Local Certificate).
  • Select the third option for Type, Certificate.
  • There should be 3 options; Certificate File, Key File, and Password. For each file, browse to and select the corresponding files created with openSSL. For the password, enter the password that was set on the private key.
  • In FortiOS 5.2 GA and later, after selecting the certificate file you will receive a fourth option for "Certificate Name". This will be the name used in the configuration to reference the certificate. In FortiOS 5.0, this does not occur so the name of the file should be manually changed prior to the import
  • Select "OK". You should receive a notice stating whether the certificate import was successful. Reloading the Certificates menu should show the new certificate listed with the name provided and a status of "OK"

Method 2 - CLI Manual Input

For this method you will only need CLI access to the FortiGate and a text editor.
  • Connect to the system's CLI and run the following (where <certificate_name> is the name you wish the certificate to appear as in the configuration and <password> is the password set on the private key file):
# config vpn certificate local
# edit <certificate_name>
# set password <password>
  • Open the private key file and copy all the text between and including; "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----". Be sure to include the 5 dashes to precede this text and the 5 dashes at the end. If there are spaces before or after this text, it will fail.
  • Run the following command, pasting in the text from the private key file (The text below is an example only and the quotations are necessary for the multi-line input):
# set private-key "-----BEGIN RSA PRIVATE KEY----- > Proc-Type: 4,ENCRYPTED >DEK-Info: DES-EDE3-CBC, 97FB187A17FB2A21 > > ExWw0pu1n1aLkr0hlAdVYBEVAI4ul97eN+RMvfZBewf4R7gzFbub73IQbJH97uaV > [omitted for brevity] > dRiTopwLDU5MitWJCiKefRqFBRP9w9vc6BKVMYQgUWIr2Wbl1m7nYAWFeQjjUwcO > -----END RSA PRIVATE KEY-----"    Open the public certificate file and copy all the text between and including; "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
  • Be sure to include the 5 dashes to precede this text and the 5 dashes at the end. If there are spaces before or after this text, it will fail.
  • Run the following command, pasting in the text from the public certificate file (The text below is an example only and the quotations are necessary for the multi-line input):
    # set certificate "-----BEGIN CERTIFICATE----- > MIIF9zCCBN+gAwIBAgIKHthk+wAAAAAAODANBgkqhkiG9w0BAQ0FADBOMRUwEwYK > [omitted for brevity] > l4f6vg0QjmOb2vk7of7QXuK0EffqaPHZidjix4YW4gLY5Qy8v8DOxKi/kw== > -----END CERTIFICATE-----"
  • If no errors are received after entering any of the above details, then the certificate has been manually entered correctly. Run the command "# end" to finalize changes.
  • The certificate can be viewed in the GUI under System > Certificates or in the CLI with the following command:
# config vpn certificate local
# show full
 

 

Contributors