Import Wildcard certificate into Fortigate 200D

Author
Aies
New Member
2016/12/05 07:10:30 (permalink)
0

Import Wildcard certificate into Fortigate 200D

Hello everyone 
 
I am currently trying to make my new Wildcard certificate work on my Fortigate 200D cluster. The import of the root bundle and the cert and private key is working as far as I can tell, but I still run into a problem with my certificate chain. 
 
My firmware is: FortiOS 5.2.9
 
What I have done so far: 
1) Created a CSR from a Windows IIS server, had a CA sign it and completed the certificate request on the IIS server.
2) Exported the cert with private key into a .pfx file.
3) Split the .pfx file into two files, cert.crt and privatekey.key
4) Imported the cert.crt and privatekey.key files into the Fortigate using the GUI (Global > Certificates > Import > Local Certificate). Chose type "Certificate" and pointed at my cert.crt and privatekey.key files. 
5) Imported the root bundle into the Fortigate using the GUI (Global > Certificates > Import > CA Certificate). Chose "Local PC" and pointed at my root bundle .crt file. 
6) The Fortigate accepts both the cert.crt/privatekey.key and the root bundle. 
7) Selected the newly imported certificate for the SSL portal (Virtual Domains > root > VPN > SSL > Settings). Selected the certificate in "Server certificate".
 
When I browse to my SSL VPN site (https://vpn.mydomain.com) I do see the new certificate.
 
But when I test using different SSL checker sites, they all report chain issues.
 
I followed this guide for importing the CA bundle: http://docs.fortinet.com/uploaded/files/2337/How-To-Buy-&-Import-SSL-Certificate%20-%209.pdf 
 
I followed this guide for splitting and importing the certificate: https://stuff.purdon.ca/?page_id=83 
 
Does anyone have any idea on how to solve the chain issues when using a public signed certificate on the Fortigates?
 
Thanks in advance! 
Regards, Anders
#1
HA
Gold Member
Re: Import Wildcard certificate into Fortigate 200D 2016/12/05 07:53:28 (permalink)
0
Hi,
 
Import all authority certificates (root, subordinate, etc.), i.e. the whole chain, into the FGT.
I did it for OWA (offloading + LB) on an FGT100D and it works fine (no warning with the Qualys SSL check).
 
Regards,
 
HA
#2
Aies
New Member
Re: Import Wildcard certificate into Fortigate 200D 2016/12/07 23:14:33 (permalink)
0
Hi HA 
 
I imported the root cert, the intermediate cert and the certificate into the Fortigate. The root cert and intermediate cert I got from the CA which signed my certificate. 
The Fortigate also accepts all the files and I am able to browse my SSL VPN site without getting a warning, but when I check the chain using an SSL chain checker it shows the chain as broken.
 
In what order did you upload the certificates? Does this mean anything for the Fortigate?
 
My error:

#3
konstantin.t@ravnaqbank.uz
New Member
Re: Import Wildcard certificate into Fortigate 200D 2019/02/07 22:29:47 (permalink)
0
Hi, I have the same problem. How did you solve the problem?
#4
konstantin.t@ravnaqbank.uz
New Member
Re: Import Wildcard certificate into Fortigate 200D 2019/02/07 23:43:15 (permalink)
0
Okay, I have solved my problem. I added COMODORSADomainValidationSecureServerCA.crt and AddTrustExternalCARoot.crt into the body of my certificate.
#5
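The point made by HA (import the whole chain) and by konstantin (append the intermediate and root to the certificate body) can be reproduced offline. This is an added example, not code from the thread or from Fortinet: it builds a throwaway root > intermediate > wildcard leaf chain with openssl and then validates a server bundle the way an SSL checker does, trusting only the root and using nothing but the certificates the bundle itself carries. All CA names are constructed; `*.mydomain.com` is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf chain
# with openssl, then check it the way an SSL checker does, using only the certificates a
# server actually hands out. All CA names are constructed; the wildcard name is the thread's.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA (what the FortiGate's "CA Certificate" import would hold).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
# Intermediate CA signed by the root; it must carry CA:TRUE to be allowed to issue.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
# Wildcard leaf signed by the intermediate, as in the thread.
openssl req -newkey rsa:2048 -nodes -subj "/CN=*.mydomain.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -out "$WORK/leaf.crt" 2>/dev/null

# chain_status BUNDLE: print "complete" or "broken". BUNDLE is what the server would send:
# leaf first, intermediates after. Only root.crt is trusted and nothing else is looked up,
# which is exactly why a missing intermediate shows up as a broken chain.
chain_status() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1" > "$WORK/leaf_only.pem"
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>=2' "$1" > "$WORK/untrusted.pem"
  if [ -s "$WORK/untrusted.pem" ]; then
    set -- -untrusted "$WORK/untrusted.pem"
  else
    set --
  fi
  if openssl verify -CAfile "$WORK/root.crt" "$@" "$WORK/leaf_only.pem" >/dev/null 2>&1; then
    echo complete
  else
    echo broken
  fi
}

# Case 1: the server presents only the leaf (the thread's original situation).
LEAF_ONLY="$WORK/leaf.crt"
# Case 2: the fix from the thread, the intermediate appended to the certificate body.
FULLCHAIN="$WORK/fullchain.pem"
cat "$WORK/leaf.crt" "$WORK/int.crt" > "$FULLCHAIN"

echo "leaf only: $(chain_status "$LEAF_ONLY")"            # broken
echo "leaf+intermediate: $(chain_status "$FULLCHAIN")"    # complete
```

Against the live portal, `openssl s_client -connect vpn.mydomain.com:443 -showcerts` lists exactly which certificates the FortiGate sends, so you can see whether the intermediate is actually on the wire before re-importing anything.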