Aies
New Contributor II

Import Wildcard certificate into Fortigate 200D

Hello everyone,

I am currently trying to make my new wildcard certificate work on my Fortigate 200D cluster. The import of the root bundle and the cert and private key is working as far as I can tell, but I still run into a problem with my certificate chain.

My firmware is: FortiOS 5.2.9

What I have done so far:

1) Created a CSR from a Windows IIS server, had a CA sign it and completed the certificate request on the IIS server.

2) Exported the cert with private key into a .pfx file.

3) Split the .pfx file into two files, cert.crt and privatekey.key.

4) Imported the cert.crt and privatekey.key files into the Fortigate using the GUI (Global > Certificates > Import > Local Certificate). Chose type "Certificate" and pointed at my cert.crt and privatekey.key files.

5) Imported the root bundle into the Fortigate using the GUI (Global > Certificates > Import > CA Certificate). Chose "Local PC" and pointed at my root bundle .crt file.

6) The Fortigate accepts both the cert.crt/privatekey.key and the root bundle.

7) Selected the newly imported certificate for the SSL portal (Virtual Domains > root > VPN > SSL > Settings). Selected the certificate in "Server certificate".

When I browse to my SSL VPN site (https://vpn.mydomain.com) I do see the new certificate.

But when I test using different SSL checker sites they all report chain issues.

I followed this guide for importing the CA bundle: http://docs.fortinet.com/uploaded/files/2337/How-To-Buy-&-Import-SSL-Certificate%20-%209.pdf

I followed this guide for splitting and importing the certificate: https://stuff.purdon.ca/?page_id=83

Does anyone have any idea how to solve the chain issues when using a publicly signed certificate on the Fortigates?

Thanks in advance!

Regards, Anders

HA
Contributor

Hi,

Import all authority (root, subordinate, etc.) certificates (so the chain) into the FGT.

I did it for OWA (offloading + LB) on an FGT100D and it works fine (no warning with the Qualys SSL check).

Regards,

HA

Aies
New Contributor II

Hi HA,

I imported the root cert, the intermediate cert and the certificate into the Fortigate. The root cert and intermediate cert I got from the CA which signed my certificate.

The Fortigate also accepts all the files and I am able to browse my SSL VPN site without getting a warning, but when I check the chain using an SSL chain checker it shows the chain as broken.

In what order did you upload the certificates? Does this mean anything for the Fortigate?

My error:

konstantin_t

Hi, I have the same problem. How did you solve the problem?

konstantin_t

Okay, I have solved my problem. I added into the body of my certificate COMODORSADomainValidationSecureServerCA.crt and AddTrustExternalCARoot.crt.
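The fix described in the last reply, appending the intermediate and root CA certificates to the body of the server certificate before importing it, and the splitting of the .pfx export from the original post, can both be done and checked from a workstation before anything is uploaded to the FortiGate. The following POSIX shell helpers are an added example written for this thread; they are not code from the thread, from the linked guides or from Fortinet. They assume `openssl` is installed and use the file names cert.crt, privatekey.key, intermediate.crt and root.crt purely as placeholders; the chain order is the usual one, server certificate first, then each issuing CA up to the root. The `pem_count` and `build_fullchain` functions need no openssl at all, so they can be tried on any PEM files.

```shell
#!/bin/sh
# Added example for the thread above (not the forum's or Fortinet's code).
# Builds a full-chain PEM (leaf + intermediates + root) for upload to a
# FortiGate and verifies it locally, so SSL chain checkers stop reporting
# "chain incomplete". File names below are placeholders (assumptions).

# Split a .pfx / PKCS#12 export into a PEM certificate and an unencrypted
# PEM private key (prompts for the export password). Requires openssl.
split_pfx() {
  pfx="$1"
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -out cert.crt
  openssl pkcs12 -in "$pfx" -nocerts -nodes -out privatekey.key
}

# Count PEM certificate blocks in a file. Pure shell, no openssl needed.
pem_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Concatenate certificates into one file in chain order:
#   build_fullchain fullchain.crt cert.crt intermediate.crt root.crt
# Prints the number of PEM blocks written so the caller can sanity-check it.
build_fullchain() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    # A file without a trailing newline would glue its END line to the
    # next BEGIN line and break parsing; add the newline only when missing.
    [ -n "$(tail -c1 "$f")" ] && printf '\n' >> "$out"
  done
  pem_count "$out"
}

# Offline check: the server certificate must validate against the CA chain.
# Usage: verify_chain cert.crt cabundle.crt   (cabundle = intermediate + root)
verify_chain() {
  openssl verify -CAfile "$2" "$1"
}

# Online check of what the device actually serves, which is what the public
# SSL checkers in the thread look at. Prints the number of certificates sent;
# 1 means only the leaf is served and the chain is still incomplete.
# Usage: served_chain_count vpn.mydomain.com
served_chain_count() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts \
    </dev/null 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----'
}
```

Typical use is `split_pfx export.pfx`, then `build_fullchain fullchain.crt cert.crt intermediate.crt root.crt`, import fullchain.crt with privatekey.key as the local certificate, and afterwards confirm with `served_chain_count vpn.mydomain.com` that more than one certificate is presented. Some FortiOS releases tolerate a leaf followed only by intermediates while others want the root appended as well, which is why the last reply includes the root file.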
