fortinet0718
New Contributor

3rd party HTTPS certificates for the admin interface?

Has anyone been able to install 3rd-party HTTPS certificates on FAZ 5.0? I think I see where to install them (System Settings -> Certificates -> Local Certificates), but no file format that I've tried seems to work (.pem, .p12, etc.). The documentation in the manuals (particularly v5.0 manuals) is anything but clear as to what is accepted as a certificate format, or if 3rd-party certs are even acceptable. FWIW: I have a wildcard SSL cert that I'd like to use -- that's why I don't care to jump through the hoops of generating a CSR, getting it signed, and then importing that back in. Thanks,
thrawnos
New Contributor

Hi, it can be configured over the CLI: config system certificate local, then edit a new certificate and copy and paste the key and certificate in the CLI. However, this leads to the next problem I also have now: where to change the default HTTPS certificate. This can also not be done over the admin GUI, and I did not find a way on the CLI. Good luck!
michellem812

I think this is what I need too... I have a .pfx file for my wildcard SSL cert that I exported from my primary domain server and I'm not quite sure how to get the wildcard cert from my primary domain server to use on the FAZ. Any ideas?
fortinet0718

Michellem812, You'll have to "break the .pfx file apart". I do this with OpenSSL. Once you have the SSL private key in a file that looks like (the contents will differ from what I have here):

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,01dea01dea01dea0
    Base64/Mime-encodedblockThatGoesForANumberOfLines+About25Lines
    forMyCurrentKey+Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbF
    ...
    j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
    -----END RSA PRIVATE KEY-----

As well as the signed certificate in a similar file that looks like:

    -----BEGIN CERTIFICATE-----
    MIIFRjCCBC6gAwIBAgIQDGytvGNkU2vBnSE8dqwG1zANBgkqhkiG9w0BAQsFADBN
    ...
    J7pyum1ogx7j6A==
    -----END CERTIFICATE-----

Then you are ready to use the CLI to add the cert. Here is the rough outline of what that looks like:

    FortiAnalyzer-200D # config system certificate local
    (local)# edit "My3rdPartySSLCertname"
    (My3rdPartySSLCertname)# set password MYSECRETPASSWORD
    (My3rdPartySSLCertname)# set private-key "-----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,01dea01dea01dea0
    ... lots of lines here ...
    -----END RSA PRIVATE KEY-----"
    (My3rdPartySSLCertname)# set certificate "-----BEGIN CERTIFICATE-----
    MIIFRjCCBC6gAwIBAgIQDGytvGNkU2vBnSE8dqwG1zANBgkqhkiG9w0BAQsFADBN
    ... lots of lines here ...
    -----END CERTIFICATE-----"
    (My3rdPartySSLCertname)# end
    FortiAnalyzer-200D # exit
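
The split-and-paste step described in the post above, as an added example (not code posted by anyone in this thread and not Fortinet's own tooling). It takes the text OpenSSL writes when a .pfx is exported to PEM, drops the bag-attribute lines, and builds the `config system certificate local` paste block; `split_bundle`, `faz_cli`, `wildcard.pfx` and `bundle.pem` are hypothetical names, and the sample bundle is constructed with placeholder base64.

```python
import re

# Constructed sample of the kind of text `openssl pkcs12 -in wildcard.pfx -clcerts
# -out bundle.pem` writes: bag attributes around key and certificate (placeholder bodies).
SAMPLE_BUNDLE = """\
Bag Attributes
    friendlyName: wildcard (constructed)
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,01dea01dea01dea0

cGxhY2Vob2xkZXIta2V5LWJvZHk=
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: wildcard (constructed)
subject=CN = *.example.com
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXItbGVhZi1jZXJ0
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?-----END \1-----", re.S)

def split_bundle(text):
    """Return (key_pem, cert_pem, key_is_encrypted); bag attribute lines are dropped."""
    blocks = [(m.group(1), m.group(0))
              for m in PEM_BLOCK.finditer(text.replace("\r\n", "\n"))]
    keys = [b for label, b in blocks if label.endswith("PRIVATE KEY")]
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    if len(keys) != 1 or len(certs) != 1:
        raise ValueError(f"need 1 key and 1 certificate, got {len(keys)} and {len(certs)}")
    # Encrypted: PKCS#8 "ENCRYPTED PRIVATE KEY" label, or a traditional Proc-Type header.
    encrypted = ("BEGIN ENCRYPTED PRIVATE KEY" in keys[0]
                 or "Proc-Type: 4,ENCRYPTED" in keys[0])
    return keys[0], certs[0], encrypted

def faz_cli(name, bundle_text, password=None):
    """Build the 'config system certificate local' paste block shown in the thread."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        raise ValueError("certificate name would break the CLI quoting")
    key, cert, encrypted = split_bundle(bundle_text)
    if encrypted and not password:
        raise ValueError("private key is passphrase-protected; password required")
    lines = ["config system certificate local", f'edit "{name}"']
    if password:
        lines.append(f"set password {password}")
    lines += [f'set private-key "{key}"', f'set certificate "{cert}"', "end"]
    return "\n".join(lines)
```

The returned text contains the private key and its passphrase, so handle it like the key file itself and clear it from scratch files and clipboards once pasted.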
fortinet0718
New Contributor

Thrawnos, That did the trick for me, thanks! I was able to get the appliance to use the SSL cert for the HTTPS interface using the GUI. In the CLI, I made a cert like you advised:

    config system certificate local
    edit "MyCert"
    ...
    end

Then in the GUI, I logged in as a Super_User, and went to: System Settings -> Admin (expand it) -> Admin Settings -> In the "HTTPS & Web Service Server Certificate" drop-down, my "MyCert" certificate was an option. I selected it, clicked "Apply", waited a few minutes, logged out and back in, and my certificate was being used! Thanks again,
michellem812
New Contributor III

Perfect! Thanks! I used https://stuff.purdon.ca/?page_id=83 to get the OpenSSL and break my pfx out to a text file that I could use, copied it in to the appropriate places in the CLI commands you listed, and set the Admin GUI to use it. It works - thanks so much!!