FortiWeb
rsingla
Staff
Article Id 192067

Description
This article explains how to copy or import/export SSL certificates from one FortiWeb device to another one.

Scope

FortiWeb can copy SSL certificates from a Master to a Slave when both units are part of an HA cluster.


Solution

Once an SSL certificate is uploaded to the FortiWeb, export the SSL certificate private key from the GUI of the FortiWeb.
To import/copy the same SSL certificate and private key to another FortiWeb in the environment, two options are available:
 
1) Obtain the certificate & the private key from the original issuer (this option can be time-consuming and is sometimes not possible).
 
2) Use the FortiWeb CLI to copy the SSL certificate and the private key.
 
Note:
FortiWeb encodes the keys using a specific mechanism so that they can be copied from one FortiWeb to another from the CLI.
The encoded key can only be used on a FortiWeb product and cannot be used on any other product, for security reasons.
 
To copy the SSL certificate and the private key from one FortiWeb to another, follow this process:
 
1) Log in to the FortiWeb that already has the SSL certificate and key, and use the following commands (lab.fortiweb.com is the certificate name):
# config system certificate local
     edit lab.fortiweb.com
          show
The output is shown below:
# config system certificate local
     edit "lab.fortiweb.com"
          set certificate "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"
          set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----...-----END ENCRYPTED PRIVATE KEY-----
"
     next
end
Copy the above output to a notepad file.
 
2) Now log in to the second FortiWeb and use the following commands (choose any name as required; the name can be customized and is not hard-coded with the certificate):
 
# config system certificate local
     edit lab.fortiweb.com
Paste the certificate output copied in the previous step, including the " ", and press Enter, as shown below:
set certificate "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"
If there is no error, paste the private key output copied in the previous step, including the " ", press Enter, and enter the command end, as shown below:
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----...-----END ENCRYPTED PRIVATE KEY-----
"
end
 
3) This successfully copies the certificate from one FortiWeb to another.
This can be verified in the GUI by going to System -> Certificates -> Local, or in the CLI by running the following command:
# config system certificate local
     show
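
A check for the copy described above, as an added example that is not part of the original article or of Fortinet's tooling: it parses the show output saved from each unit, rejects a block whose quotes or BEGIN/END markers were lost during copy and paste, and compares SHA-256 fingerprints of the certificate. The function names and the sample data are assumptions constructed for illustration; the sample bodies are not real certificates.

```python
import base64
import hashlib
import re

# Quoted values of the two "set" lines in the show output.
SET_RE = re.compile(r'set\s+(certificate|private-key)\s+"(.*?)"', re.S)
# A PEM block whose BEGIN and END labels match.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def parse_show_output(text):
    """Return the certificate and private-key values, or raise ValueError."""
    fields = dict(SET_RE.findall(text))
    for name in ("certificate", "private-key"):
        if name not in fields:
            raise ValueError(f"'set {name}' is missing or its quotes are unbalanced")
        if not PEM_RE.search(fields[name]):
            raise ValueError(f"'{name}' was truncated: BEGIN/END markers do not match")
    return fields


def cert_fingerprint(show_text):
    """SHA-256 of the certificate's decoded bytes; the key is never decoded."""
    pem = parse_show_output(show_text)["certificate"]
    label, body = PEM_RE.search(pem).groups()
    if label != "CERTIFICATE":
        raise ValueError(f"unexpected PEM label {label!r}")
    der = base64.b64decode("".join(body.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def same_certificate(source_show, dest_show):
    """True when both units hold the same certificate, whatever its name."""
    return cert_fingerprint(source_show) == cert_fingerprint(dest_show)


def build_sample(name, payload):
    """Constructed show output; payload stands in for real cert/key bytes."""
    b64 = base64.b64encode(payload).decode()
    return (f'config system certificate local\n  edit "{name}"\n'
            f'    set certificate "-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"\n'
            f'    set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}\n'
            '-----END ENCRYPTED PRIVATE KEY-----\n"\n  next\nend\n')


SOURCE_SHOW = build_sample("lab.fortiweb.com", b"constructed bytes, not a real certificate")
DEST_SHOW = build_sample("lab-copy", b"constructed bytes, not a real certificate")

if __name__ == "__main__":
    print("certificates match:", same_certificate(SOURCE_SHOW, DEST_SHOW))
```

Only the certificate is fingerprinted; the private-key value is checked for intact quoting and markers but is otherwise left untouched.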