Backing up and restoring local certificates
The FortiGate unit provides a way to export and import a server certificate and the FortiGate unit's private key through the CLI. If required (for example, to restore the FortiGate unit configuration after a reset or hardware replacement), you can import the exported file through the System > Certificates page of the web-based manager.
As an alternative, you can back up and restore the entire FortiGate configuration through the System Information widget on the Dashboard of the web-based manager. Look for [Backup] and [Restore] in the System Configuration row. The backup file is created in a FortiGate-proprietary format. Because that backup also contains the unit's private keys, protect it as carefully as you would the PKCS12 export.
To export a server certificate and private key – CLI:
This procedure exports a server (local) certificate and its private key together as a password-protected PKCS12 file. The export is written to a customer-supplied TFTP server, so make sure the TFTP server is running and reachable from the FortiGate unit before you enter the command. TFTP transfers are neither authenticated nor encrypted: the only protection the private key has in transit is the PKCS12 password, so choose a strong one and run the transfer over a trusted management network.
1. Connect to the FortiGate unit through the CLI.
2. Type the following command:
execute vpn certificate local export tftp <cert_name> <exp_filename> <tftp_ip> <password>
where:
- <cert_name> is the name of the server certificate; typing ? displays a list of installed server certificates.
- <exp_filename> is the name of the output file on the TFTP server.
- <tftp_ip> is the IP address of the TFTP server host interface.
- <password> is the password that protects the exported PKCS12 file; you must supply the same password when you import the file.
3. Move the output file from the TFTP server to the management computer and keep it for future reference, then delete the copy left on the TFTP server.
To import a server certificate and private key – web-based manager:
1. Go to System > Certificates and select Import.
2. In Type, select PKCS12 Certificate.
3. Select Browse. Browse to the location on the management computer where the exported file has been saved, select the file, and then select Open.
4. In the Password field, type the password needed to upload the exported file.
5. Select OK, and then select Return.
To import separate server certificate and private key files – web-based manager:
Use the following procedure to import a server certificate and the associated private key file when the server certificate request and private key were not generated by the FortiGate unit. The two files to import must be available on the management computer.
1. Go to System > Certificates and select Import.
2. In Type, select Certificate.
3. Select the Browse button beside the Certificate file field. Browse to the location on the management computer where the certificate file has been saved, select the file, and then select Open.
4. Select the Browse button beside the Key file field. Browse to the location on the management computer where the key file has been saved, select the file, and then select Open.
5. If the key file is encrypted, type its password in the Password field, and then select OK.
6. Select Return.
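Before trusting an export for a later restore, it is worth checking it on the management computer, and before the separate-files import above it is worth confirming that the certificate and key actually belong together. The following shell script is an added example and not part of the Fortinet documentation: it uses OpenSSL, which is assumed to be installed, builds a throwaway self-signed certificate to stand in for the exported one (the file names and passphrases are constructed for the example), verifies that the PKCS12 passphrase opens the bundle, splits it into the PEM certificate and key files the "Certificate" import type expects, and compares the public key on each side to catch a certificate paired with the wrong key.

```shell
#!/bin/sh
# Added example (not Fortinet's code): check a PKCS12 export on the management
# computer with OpenSSL before relying on it, and confirm that a separately
# obtained certificate/key pair belongs together before importing it.
# Assumes `openssl` is installed; all file names and passphrases are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample input: a throwaway self-signed certificate and key standing
# in for the exported server certificate (use the real export in practice).
# Prints the path of the PKCS12 file it creates.
make_sample_export() {   # passphrase
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=fgt.example.test" \
    -keyout "$WORK/sample.key" -out "$WORK/sample.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/sample.crt" -inkey "$WORK/sample.key" \
    -name "fgt-server" -passout "pass:$1" -out "$WORK/fgt_export.p12"
  printf '%s\n' "$WORK/fgt_export.p12"
}

# Does the passphrase open the bundle? A wrong passphrase fails the PKCS12 MAC
# check (non-zero exit), which is the same failure the import dialog reports.
p12_password_ok() {   # p12 passphrase
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Split the bundle into the PEM certificate and key files that the
# "Certificate" import type expects. The key is re-encrypted with the same
# passphrase so it is never written to disk in the clear.
p12_split_pem() {   # p12 passphrase cert_out key_out
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -out "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts \
    -passout "pass:$2" -out "$4" 2>/dev/null
}

# Do a PEM certificate and a (possibly encrypted) PEM key belong together?
# Compares the SHA-256 of the SubjectPublicKeyInfo carried by each side and
# prints "match" or "mismatch". This catches the common restore mistake of
# pairing a certificate with the key from an earlier CSR.
cert_key_pair_ok() {   # cert.pem key.pem key_passphrase
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null | openssl sha256)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo match
  else
    echo mismatch
  fi
}

# A second, unrelated key (constructed) to demonstrate the mismatch case.
make_unrelated_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" 2>/dev/null
  printf '%s\n' "$WORK/other.key"
}
```

Run the check against the real export by replacing the sample paths with the file you moved off the TFTP server; a "mismatch" from cert_key_pair_ok means the import will either fail or leave the unit presenting a certificate it cannot sign for, so resolve it before uploading.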
Hi Mike,
How can I request a certificate (for the first time) from a SCEP server? I want to set up an IPsec tunnel between FortiGates with certificates.
Maybe you have some CLI commands / recommendations for me? Thanks.
Piccolo,
Are you wanting the FortiGate to request the cert for authentication and authorization purposes? Or do you want to generate a cert on the SCEP server in order to set up the tunnel later?
Hi,
I would like the FortiGate unit to request the certificate from the SCEP server.
The cert is used for the IPsec tunnel (site-to-site).
thanks
Piccolo,
Are you still running 5.2.x code?
HI,
I am running 5.4.1, thanks.
Piccolo,
If you check out THIS LINK HERE and go to page 702 you will see where you can set these settings to your liking. Let me know if you have any questions or concerns!
Thanks, I will try it in the next day and will keep you up to date.
Regards
Thanks so much Piccolo! I look forward to hearing if you were able to solve your problem. If not, let me know what snags you hit and we can figure something out!
cool, 10 virtual beers for your patience
Hi Mike ,
Got it working with a Microsoft 2012 R2 Enterprise CA with Network Device Enrollment Service with no issues.
Do you know what happens to an IPsec tunnel with certificates if the CRL is not valid and the unit cannot retrieve the CRL?
Can I manually install the certificate, and then do the renewal of the certificate with SCEP?
Have you seen IPsec site-to-site deployments with certificates? Any doubts?
Thanks
Piccolo,
I'm not sure on some of your questions so I have reached out to my engineer at Fortinet. Most site-to-site VPN deployments I have seen are without certificates. They usually utilize a pre-shared key.
What has priority for the CRL download, HTTP or SCEP?
If SCEP is not available, will it then try HTTP, or vice versa?
thanks
Hi Mike,
Got OCSP with the Microsoft CA working.
For SCEP certificate renewals I followed this link: http://www.petenetlive.com/KB/Article/0000947
-Piccolo
Awesome! That makes me happy to hear!
The Fortinet SE was telling me they can't use HTTPS, only HTTP. Did you get HTTPS to work?