FortiGate : SSL Certification Private Key Export

Author
harith7
2017/11/14 07:11:07 (permalink) 5.4

FortiGate : SSL Certification Private Key Export

Hello Everyone,
 
This is probably a common issue, but it's kind of urgent.
 
I configured a CSR from FortiGate to purchase an SSL certificate.
 
All good so far, I managed to install the certificate. But I want to use it on other servers, so I need the private key.
 
Through the CLI, I found the private key but it's encrypted. The command "unset password" apparently doesn't work in FortiOS 5.4.
 
What are my options? Can I export the certificate/key into another FortiGate (4.0?) and try to unset the password? Any other solution?
 
Thanks
#1


    emnoc
    Re: FortiGate : SSL Certification Private Key Export 2017/11/14 08:59:44 (permalink)
    You need to use the show full command
     
    cli
    show full config vpn cert local
    It should show the certificate in PEM format and the KEY. Just copy out the cert+key and use openssl to check the modulus if you want to be sure it's correct
     
    e.g.
     
    openssl x509 -in <certfile> -noout -modulus | openssl md5
    openssl rsa -in <privkeyfile> -noout -modulus | openssl md5
     
    You could also use sha1
     
    openssl x509 -in <certfile> -noout -modulus | openssl sha1
    openssl rsa -in <privkeyfile> -noout -modulus | openssl sha1
     
    If the values match, then cert+key are a matching pair. If you want to build a pfx:
     
    openssl pkcs12 -export -in <certfile> -inkey <keyfile> -out mynew.pfx
     
    ;)
     
    Ken
     
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #2
    harith7
    Re: FortiGate : SSL Certification Private Key Export 2017/11/14 09:09:18 (permalink)
    Thanks for your reply.
     
    When I show the full-conf vpn cert local, I get this (it's not the full syntax, just a preview):
     
    edit "portail alamana"
            set password ENC K1GqerTVAukDMIEgsSEYsjD59ziQU766Jue4Em9J7tVWFRh5+CbfA.....
            set comments ''
            set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
    MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIlsbBHVI02KACAggA
    MBQGCCqGSIb3DQMHBAjvMDKXJmmMEQSCBMhQ0P7hOK2McnBExDGrIJiHdBgfCa6h
    dHNKDJUeMIT9nVirYq5+56Nr64SXigPOJIaxEsOaFD05TuJouFWhtmWGqmAI8y8Y
    u1dQy9r+8+wrzJs5yrtqupuwMj9/MWtZQSdHTyoDD/DJIT7537vUXAUryZUDnpms
    VhLwrQJWixD/piKWoeDWpT6u79lHHRh8kmN3qiaEK8+cYQ15jOCi9/AmOWPAzieJ
    --More--          0MyurtJMGGjNuD+/9zkAcwKMI
     
    The private key is apparently encrypted. Will it work with OpenSSL? Even without the decryption password?
     
    #3
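    An added example, not code from the thread or from Fortinet: it carries out the modulus comparison and PKCS#12 bundling Ken describes in #2 with the openssl CLI (assumed installed), and shows why the encrypted key pasted in #3 cannot be checked until its passphrase is known. All certificate and key material is generated inline as a constructed fixture.

```shell
#!/bin/sh
# Added example (not from the thread). Compares certificate and key modulus
# digests and bundles them into a PKCS#12 file. Assumes the openssl CLI.
set -eu
WORK=$(mktemp -d)

# Constructed fixtures: an RSA key, a self-signed cert for it, an encrypted
# PKCS#8 copy (the "BEGIN ENCRYPTED PRIVATE KEY" form FortiOS prints), and
# an unrelated key to demonstrate a mismatch.
make_fixture() {
  openssl genrsa -out "$WORK/site.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/site.key" -out "$WORK/site.crt" \
    -days 1 -subj "/CN=example.test" 2>/dev/null
  openssl pkcs8 -topk8 -in "$WORK/site.key" -out "$WORK/site.enc.key" \
    -passout pass:fixture-passphrase 2>/dev/null
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# Digest of the modulus embedded in certificate $1.
cert_modulus() {
  mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
  printf '%s\n' "$mod" | openssl sha256
}

# Digest of private key $1's modulus; $2 is its passphrase (may be empty).
# Fails when the key is encrypted and the passphrase is missing or wrong:
# openssl cannot read an encrypted key without it.
key_modulus() {
  mod=$(openssl rsa -in "$1" -noout -modulus -passin "pass:${2:-}" 2>/dev/null) || return 1
  printf '%s\n' "$mod" | openssl sha256
}

# Exit 0 when cert $1 and key $2 (passphrase $3) share a modulus, 1 when
# they differ, 2 when the key could not be read at all.
keys_match() {
  c=$(cert_modulus "$1") || return 2
  k=$(key_modulus "$2" "${3:-}") || return 2
  [ "$c" = "$k" ]
}

# Bundle cert $1 and key $2 (passphrase $3) into PKCS#12 file $4 protected
# by export password $5: the "mynew.pfx" step from #2.
build_pfx() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -passin "pass:${3:-}" \
    -out "$4" -passout "pass:$5" 2>/dev/null
}
```

    Call keys_match cert key [passphrase]; an exit status of 2 means the key file itself could not be decrypted, which is exactly the situation the thread runs into.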
    jdecker91
    Re: FortiGate : SSL Certification Private Key Export 2019/07/10 12:54:38 (permalink)
    Hello,
        I'm curious if you ever found a solution to this? I am running into the same issue when trying to unset the password, running FortiOS 6.0.5
    #4
    wkana
    Re: FortiGate : SSL Certification Private Key Export 2019/09/23 07:56:24 (permalink)
    Hi jdecker91,
     
    Did you ever find a solution to this?
     
    Bill
    #5
    emnoc
    Re: FortiGate : SSL Certification Private Key Export 2019/09/23 10:46:12 (permalink)
    Did you try the CLI cmd "export vpn certificate local"? You will need to set the p12 format and have a tftp-server
     
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD44134
     
    Ken Felix
    post edited by emnoc - 2019/09/23 10:50:53

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #6
    wkana
    Re: FortiGate : SSL Certification Private Key Export 2019/09/23 10:59:16 (permalink)
    Hi emnoc,
     
    Not yet, but I was researching just that. Yes, I have a tftp-server, although my initial cert was not p12. Is that format required when exporting/importing into another FortiGate? Or is that just best practice, as the PKCS#12 format is password protected?
     
    We are running 6.0.x if that matters.
     
    Thanks for replying,
     
    W_k
    #7
    wkana
    Re: FortiGate : SSL Certification Private Key Export 2019/09/23 11:01:50 (permalink)
    Also, I found this http://stuff.purdon.ca/?page_id=233 but am unsure if it applies, as the "unset password" cmd, after research, has not been 100% effective.
     
    #8
    wkana
    Re: FortiGate : SSL Certification Private Key Export 2019/09/23 11:09:14 (permalink)
    emnoc,
     
    The procedure you posted describes importing the cert to a Windows server. My requirement is to export/import to another FortiGate 100E. Is the process still the same?
     
    Thank you,
     
    W_k
     
    #9
    emnoc
    Re: FortiGate : SSL Certification Private Key Export 2019/09/23 14:37:39 (permalink)
    Read the link, but again:
     
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD44134
     
     
    # cert.p12  is the file name on my tftp-server
     
    FWF60D (global) # execute vpn  certificate local export tftp letscrptp12 cert.p12 192.168.1.112
    #
    Done.

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #10
    sw2090
    Re: FortiGate : SSL Certification Private Key Export 2019/09/24 07:34:51 (permalink)
    Yes, you will need to create a cert bundle, as you cannot import a key into a FGT :)
    And yes, private and public key as well as the certificate itself are encrypted, and that's what they should be.
    You might need to know the password if you want to use the private key if it is password encrypted.
    And this is the only caveat here too! Private/public key and cert encryption is not Fortinet-specific. This is defined by SSL. But the encryption of your stored password is! So you might need to put the FGT you want to import that to on the same firmware version as your other one is, and then upgrade following the upgrade path if necessary. This is because Fortinet (prolly several times) made changes in the password encryption algorithms.
     
    #11