ssriswadpong
Staff
Article Id 192999
Description
    This article describes how to import a renewed local certificate, issued by a third party (such as GoDaddy) without a private key, by reusing the private key that is already stored with the existing local certificate on the FortiGate.

    In this example, the renewed certificate was generated by the third-party CA for the same private key (the same CSR, and therefore the same public key) that was used for the existing certificate, so the key already stored on the FortiGate matches it. If the CA generated a new key pair during renewal, this procedure does not apply: the new private key must then be imported together with the certificate. Before importing, confirm the match by comparing the public keys of the old and new certificates (for example, with 'openssl x509 -noout -pubkey' on both files); if they differ, the renewed certificate cannot be used with the stored key.

Solution

1) Show the existing certificate entry with show full-configuration vpn certificate local <certificate name>. The private key is stored in the configuration as an encrypted PEM block, together with its passphrase as an ENC value:

FortiGate # show full-configuration vpn certificate local OldCertificate
config vpn certificate local
    edit "OldCertificate"
        set password ENC w1n0MtV3gH/VRsZdJXBg9aad5I4ng7vQlica3DxPxLuBxxgyp+8rb1CHYjqG4CiVVjON7DaSDSnt/eQLDekSOzniswfZJ6uiweYjwsg3peIX0ceKRE/nU4AY/eAFh8vRNGlybaL+848PEtIyMtPtN4Lkmmb2IyGeLS8KkKmdLqjPaLM8cJZup81O+gPGvFTy/k8LTw==
        set comments ''
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIvMDdxmHgiIoCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECJmLmZycbhgeBIIEyA/vYCH2xO2f
……………………………………………………………………………………….
……………………………………………………………………………………….
qC2x6S8DxXf7B7pfn32Tueu7si8bn1daYf37LCFZUJISrSgBLoSJ6rjAAPIrWHB7
3VBiCR3tQUe0C+yYfh9zvQ==
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
MIIFQTCCBCmgAwIBAgITSAAAAAI4aZeP8ZjX1wAAAAAAAjANBgkqhkiG9w0BAQsF
ADBUMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGDAWBgoJkiaJk/IsZAEZFghXaW4t
……………………………………………………………………………………….
……………………………………………………………………………………….
nKQo0fGHU0NAi0sDiTF9HpsEoj2WhBT3vVNp5sKwyWHztvcbOAOBUgIwvRz07H29
9865Gag=
-----END CERTIFICATE-----"
        set range global
        set source user
        set source-ip 0.0.0.0
        set ike-localid-type asn1dn
        set enroll-protocol none
    next
end

2) From the output in step 1, copy the value of 'set password ENC .......' and the complete 'set private-key "......."' block (from -----BEGIN ENCRYPTED PRIVATE KEY----- to -----END ENCRYPTED PRIVATE KEY-----, including the surrounding double quotes). The ENC value is the key passphrase as stored by this FortiGate; paste it exactly as shown, it cannot be replaced by a clear-text passphrase.

3) Open the renewed certificate file in a text editor such as Notepad and copy the certificate text from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----. Copy only the certificate block; do not include any private-key section or additional CA certificates.

4) Create the new local certificate entry and paste the password and private key from step 2 and the new certificate from step 3:

config vpn certificate local
    edit <new certificate name>
        set password ENC <paste password from step 2>
        set private-key "<paste private key from step 2>"
        set certificate "<paste new certificate from step 3>"
    next
end
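As an added example (not part of this article and not Fortinet code), the following Python script performs steps 1 to 4 mechanically: it extracts the stored 'set password ENC' value and the quoted private-key block from 'show full-configuration' output, refuses anything other than a single CERTIFICATE block as the pasted renewal, and prints the config block to paste into the CLI. It also includes a check of the assumption stated in the Description, that the renewed certificate was issued for the same key pair, by comparing the public keys of the old and new certificates with the openssl command-line tool. The configuration text and PEM bodies embedded in the script are constructed placeholders, not real key or certificate material, and the function and variable names are the example's own.

```python
"""Build the CLI block that re-imports a renewed certificate against the
private key already stored on the FortiGate. Added example for this article;
not Fortinet code. The configuration text below is constructed sample input:
the base64 bodies are placeholders, not real key or certificate material."""
import re
import subprocess

# Constructed stand-in for the output of
# 'show full-configuration vpn certificate local OldCertificate'.
SHOW_OUTPUT = """\
config vpn certificate local
    edit "OldCertificate"
        set password ENC w1n0EXAMPLEPASSWORDBLOB==
        set comments ''
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApEXAMPLEONLY
3VBiCR3tQUe0C+yYfh9zvQ==
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
MIIFQTCCBCmgAwIBAgITSAAAEXAMPLEONLY
9865Gag=
-----END CERTIFICATE-----"
        set range global
        set source user
    next
end
"""

# Constructed stand-in for the renewed certificate file received from the CA.
NEW_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIFRENEWEDEXAMPLEONLYAAAAAAAAAAAAAAAAAA
abcd1234=
-----END CERTIFICATE-----
"""


def pem_block_type(pem: str) -> str:
    """Return the label of a single PEM block (e.g. 'CERTIFICATE') after
    checking that it has matching BEGIN/END lines and nothing else around it."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    head = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----", lines[0]) if lines else None
    tail = re.fullmatch(r"-----END ([A-Z ]+)-----", lines[-1]) if lines else None
    if not head or not tail or head.group(1) != tail.group(1):
        raise ValueError("not a single well-formed PEM block")
    if any(ln.startswith("-----") for ln in lines[1:-1]):
        raise ValueError("more than one PEM block pasted")
    return head.group(1)


def extract_stored_key(show_output: str) -> tuple[str, str]:
    """Pull the 'set password ENC' value and the quoted private-key PEM out of
    'show full-configuration' output. Both are copied verbatim: the ENC blob is
    the passphrase as stored by this FortiGate and cannot be re-typed in clear."""
    pw = re.search(r"^\s*set password ENC (\S+)\s*$", show_output, re.M)
    key = re.search(r'set private-key "(.*?)"', show_output, re.S)
    if not pw or not key:
        raise ValueError("existing entry has no stored key passphrase or private key")
    if pem_block_type(key.group(1)) != "ENCRYPTED PRIVATE KEY":
        raise ValueError("stored private-key is not an encrypted PEM key")
    return pw.group(1), key.group(1)


def extract_certificate(show_output: str) -> str:
    """Return the certificate PEM of the existing entry (used for the key check)."""
    m = re.search(r'set certificate "(.*?)"', show_output, re.S)
    if not m:
        raise ValueError("existing entry has no certificate")
    return m.group(1)


def build_import_block(show_output: str, new_name: str, new_cert_pem: str) -> str:
    """Emit the 'config vpn certificate local' block for the renewed certificate.
    Refuses anything other than a CERTIFICATE block in the pasted text, which
    catches the mistake of copying a key section along with the certificate."""
    if pem_block_type(new_cert_pem) != "CERTIFICATE":
        raise ValueError("pasted text must be the CERTIFICATE block only")
    password, key = extract_stored_key(show_output)
    return (
        "config vpn certificate local\n"
        f'    edit "{new_name}"\n'
        f"        set password ENC {password}\n"
        f'        set private-key "{key}"\n'
        f'        set certificate "{new_cert_pem.strip()}"\n'
        "    next\n"
        "end\n"
    )


def public_keys_match(old_cert_pem: str, new_cert_pem: str) -> bool:
    """Check the assumption this procedure rests on: the CA signed the renewed
    certificate for the same key pair. Compares the SubjectPublicKeyInfo of the
    two certificates via the openssl CLI (needs openssl on PATH and real PEM
    input), which avoids needing the passphrase the FortiGate holds encrypted."""
    def spki(pem: str) -> bytes:
        return subprocess.run(["openssl", "x509", "-noout", "-pubkey"],
                              input=pem.encode(), capture_output=True,
                              check=True).stdout
    return spki(old_cert_pem) == spki(new_cert_pem)


if __name__ == "__main__":
    # With real PEM files, run public_keys_match(extract_certificate(SHOW_OUTPUT),
    # NEW_CERT_PEM) first; the placeholder bodies here would not parse in openssl.
    print(build_import_block(SHOW_OUTPUT, "NewCertificate", NEW_CERT_PEM))
```

Paste the printed block into the FortiGate CLI as one unit. The public-key comparison is done on the two certificates rather than on the private key on purpose: the stored key is only available as a FortiGate-encrypted blob with an ENC passphrase, whereas the old certificate's public key is plain and is already bound to that key.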


After that, check System -> Certificates in the GUI to confirm that the new certificate is listed as a local certificate.

If the Certificates menu is not available, enable it first under System -> Feature Visibility -> Additional Features -> Certificates.

