harith7
New Contributor

FortiGate : SSL Certification Private Key Export

Hello Everyone,

This is probably a common issue, but it's kind of urgent.

I configured a CSR from FortiGate to purchase an SSL Certificate.

All good so far, I managed to install the certificate. But I want to use it in other servers, so I need the private key.

Through the CLI, I found the private key but it's encrypted. The command "unset password" doesn't work apparently in the 5.4 FortiOS.

What are my options? Can I export the certificate/key in another FortiGate (4.0?) and try to unset the password? Any other solution?

Thanks

10 REPLIES
emnoc
Esteemed Contributor III

You need to use the show full command

cli

show full config vpn cert local

It should show the certificate in PEM format and the KEY. Just copy out the cert+key and use openssl to check the modulus if you want to be sure it's correct.

e.g.

openssl x509 -in <certfile> -noout -modulus | openssl md5
openssl rsa -in <privkeyfile> -noout -modulus | openssl md5

You could also use sha1

openssl x509 -in <certfile> -noout -modulus | openssl sha1
openssl rsa -in <privkeyfile> -noout -modulus | openssl sha1

If the values match, then cert+key are a matching pair. If you want to build a pfx:

openssl pkcs12 -export -in <certfile> -inkey <keyfile> -out mynew.pfx

;)

Ken

PCNSE NSE StrongSwan
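Added example, not part of the post above: the same pair check done by comparing the public keys rather than an MD5 of the modulus, which goes beyond the RSA case in the reply (it also covers EC keys) and handles a passphrase-protected key such as the `ENCRYPTED PRIVATE KEY` block that comes up in this thread. The function names, the `KEY_PASS` environment variable and the throwaway `demo.invalid` certificate are assumptions made for the example.

```shell
#!/bin/sh
# Added example: check that a certificate and a (possibly encrypted) private
# key belong together by comparing their public keys.
# KEY_PASS is an assumed environment variable name for the key passphrase.

key_is_encrypted() {            # $1 = PEM private key file
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

cert_pubkey() {                 # $1 = PEM certificate file
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

key_pubkey() {                  # $1 = PEM private key file
    # env: keeps the passphrase out of the process list. An unset KEY_PASS is
    # passed as empty, so an encrypted key fails cleanly instead of prompting.
    KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$1" -passin env:KEY_PASS \
        -pubout 2>/dev/null </dev/null
}

pair_status() {                 # $1 = cert, $2 = key; prints one status word
    cpub=$(cert_pubkey "$1") || { echo bad-cert; return 0; }
    if ! kpub=$(key_pubkey "$2"); then
        # Encrypted key that could not be opened: passphrase missing or wrong.
        if key_is_encrypted "$2"; then echo need-passphrase; else echo bad-key; fi
        return 0
    fi
    if [ "$cpub" = "$kpub" ]; then echo match; else echo mismatch; fi
}

make_demo_pair() {              # $1 = output dir; constructed throwaway data
    KEY_PASS=demo-pass openssl req -x509 -newkey rsa:2048 -days 1 \
        -subj "/CN=demo.invalid" -passout env:KEY_PASS \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# With real files: KEY_PASS=<passphrase> sh <this script> cert.pem key.pem
if [ "$#" -eq 2 ]; then
    pair_status "$1" "$2"
fi
```

A `need-passphrase` result means the key file is encrypted and cannot be used by OpenSSL until the passphrase it was encrypted with is supplied.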
harith7
New Contributor

Thanks for your reply.

When I show the full-conf vpn cert local, I got this (it's not the full syntax, just the preview):

 

edit "portail alamana"
        set password ENC K1GqerTVAukDMIEgsSEYsjD59ziQU766Jue4Em9J7tVWFRh5+CbfA.....
        set comments ''
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIlsbBHVI02KACAggA
MBQGCCqGSIb3DQMHBAjvMDKXJmmMEQSCBMhQ0P7hOK2McnBExDGrIJiHdBgfCa6h
dHNKDJUeMIT9nVirYq5+56Nr64SXigPOJIaxEsOaFD05TuJouFWhtmWGqmAI8y8Y
u1dQy9r+8+wrzJs5yrtqupuwMj9/MWtZQSdHTyoDD/DJIT7537vUXAUryZUDnpms
VhLwrQJWixD/piKWoeDWpT6u79lHHRh8kmN3qiaEK8+cYQ15jOCi9/AmOWPAzieJ
--More--          0MyurtJMGGjNuD+/9zkAcwKMI

 

The private key is apparently encrypted. Will it work with OpenSSL? Even without the decrypted password?

 

jdecker91

Hello,

I'm curious if you had ever found a solution to this? I am running into the same issue when trying to unset the password running FortiOS 6.0.5.

wkana

Hi jdecker91,

 

Did you ever find a solution to this?

 

Bill

emnoc
Esteemed Contributor III

Did you try the CLI cmd "export vpn certificate local"? You will need to set p12 format and have a tftp-server.

 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44134

 

Ken Felix

wkana
New Contributor

Hi emnoc,

 

Not yet, but was researching just that. Yes, have a tftp-server, although my initial cert was not p12. Is that format required when exporting/importing into another Fortigate? Or is that just best practice as the PKCS#12 format is password protected?

 

We are running 6.0.x if that matters.

 

Thanks for replying,

 

W_k

wkana
New Contributor

Also, found this http://stuff.purdon.ca/?page_id=233 but am unsure if it applies as the "unset password" cmd, after research, has not been 100% effective. 

 

wkana
New Contributor

emnoc,

 

The procedure you posted describes importing the cert to a Windows server. My requirement is to export/import to another Fortigate 100e. Is the process still the same?

 

Thank you,

 

W_k

 

emnoc
Esteemed Contributor III

Read the link, but again:

 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44134

 

 

# cert.p12  is the file name on my tftp-server

 

FWF60D (global) # execute vpn  certificate local export tftp letscrptp12 cert.p12 192.168.1.112

#

Done.
