DescriptionThis article provides steps to export the SSL certificate and private key from the appliance. This is useful when the certificate and private key are needed for use on another appliance, however, the certificate files are no longer available.
SolutionExecute the following commands to extract the Private Key and Certificate from the Java KeyStore (JKS). The resulting certificate file (cert.pem) and private key file (key.pem) can then be used to import to another appliance.
1. Log into the appliance CLI as root.
2. Export from the JKS to PKCS #12 from the desired target whose certificate is going to be copied (srcalias).
srcalias value options:
tomcat = Admin UI
agent = Persistent Agent
portal = Captive Portal
The following example exports from the Admin UI target:
keytool -importkeystore -srckeystore /bsc/campusMgr/.keystore -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias tomcat -deststorepass bradford -destkeypass bradford
3. Enter ^8Bradford%23 at the prompt
4. Export certificate from the new keystore.p12 (password bradford):
openssl pkcs12 -in keystore.p12 -nokeys -out cert.pem
5. Export unencrypted private key:
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
Import the cert.pem and key.pem files to the desired appliance. This can be done through the Administration UI. For instructions see "Upload the certificate" under section Certificate management of the Administration Guide:
8.x: https://docs.fortinet.com/document/fortinac/8.8.0/administration-guide/966318/certificate-management
9.x: https://docs.fortinet.com/document/fortinac/9.1.0/administration-guide/966318/certificate-management
Contact Support for assistance.
