Fortinet white logo
Fortinet white logo

Cookbook

Provision a trusted certificate with Let's Encrypt

Provision a trusted certificate with Let's Encrypt

Let's Encrypt can be used to generate a free, trusted certificate that can be used by FortiGate to establish valid SSL connections that do not generate certificate warnings. See the Let's Encrypt documentation for more information and different methods of generating a trusted certificate.

Note

Let's Encrypt certificates have 90 day lifespans. They recommend replacing the certificate every 60 days.

The main requirements for using Let's Encrypt are:

  • An FQDN that is publicly resolvable to an IP address that you own.

  • Proof of ownership of the domain.

  • An application that uses Automatic Certificate Management Environment (ACME) to generate the certificate.

Tooltip

Fortinet has a dynamic DNS service that you can use if you do not have your own domain. See DDNS for more information.

This example uses Certbot to satisfy proof of ownership and generation of the certificate. It is an ACME client with a built-in, temporary webserver used for proof of domain ownership. Follow the instructions on the Certbot website to install the correct version in your Linux environment; this example uses Debian.

The Certbot application must be reachable by Let's Encrypt on TCP port 80 on the IP address that your FQDN resolves to.

Configure your FortiGate to reach the Linux environment

You can use a VIP to forward requests to your Linux environment on port 80. In this example, the Linux environment has the IP address 10.100.80.200.

To create a VIP to forward requests to your Linux environment on port 80 in the GUI:
  1. Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.
  2. Enter a name for the VIP and set the interface.
  3. Set the Mapped IP address/range to the IP address of the Linux environment, in this case 10.100.80.20.
  4. Enable Port Forwarding, set Protocol to TCP, and set External service port and Map to port to 80.

  5. Click OK.
To add the VIP to a policy to allow traffic to reach your Linux environment in the GUI:
  1. Go to Policy & Objects > IPv4 Policy and click Create New.
  2. Set Incoming Interface to the interface used in the VIP.
  3. Set Destination to the VIP, in this example: Linux VM.
  4. Configure the remaining settings as required.

  5. Click OK.
To create a VIP and add it to a policy in the CLI:
config firewall vip
    edit "Linux VM"
        set mappedip "10.100.80.200"
        set extintf "wan1"
        set portforward enable
        set extport 80
        set mappedport 80
    next
end
config firewall policy
    edit 2
        set name "To_Linux_VM"
        set srcintf "wan1"
        set dstintf "internal5"
        set srcaddr "all"
        set dstaddr "Linux VM"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

Create and upload the certificate

To manually request a certificate:
  1. In the Linux command line enter:
    certbot certonly
    How would you like to authenticate with the ACME CA?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Spin up a temporary webserver (standalone)
    2: Place files in webroot directory (webroot)
  2. Press 1 to load a temporary webserver.
    Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel):
  3. Enter your FQDN, such as company.domain.com.

    Four files should be generated:

    • cert.pem

    • chain.pem

    • fullchain.pem

    • privkey.pem

To import the certificate and private key into the FortiGate in the GUI:
  1. Go to System > Certificates. By default, the Certificates option is not visible, see Feature visibility for information.
  2. Click Import > Local Certificate.
  3. Set Type to Certificate.
  4. For Certificate File, upload the fullchain.pem file.
  5. For Key File, upload the privkey.pem file.
  6. Enter a password.
  7. Optionally, change the Certificate Name.

  8. Click OK.

Configure your FortiGate to use the signed certificate

After the signed certificates have been imported, you can use it when configuring SSL VPN and for administrator GUI access.

To configure your FortiGate to use the signed certificate for SSL VPN:
  1. Go to VPN > SSL-VPN Settings.
  2. Set Server Certificate to the new certificate.
  3. Configure other settings as needed.
  4. Click Apply.

For more information on configuring SSL VPN, see SSL VPN and the Setup SSL VPN video in the Fortinet Video Library.

To configure using the certificate for administrator GUI access in the CLI:
config system global
    set admin-server-cert fullchain
end
To change the certificate that is used for administrator GUI access in the GUI:
  1. Go to System > Settings.
  2. In the Administration Settings section, change HTTPS server certificate as needed.
  3. Click Apply. You will be logged out of FortiOS.

Related Videos

sidebar video

Setup SSL VPN: Tunnel & Web Modes

  • 17,599 views
  • 4 years ago

Provision a trusted certificate with Let's Encrypt

Provision a trusted certificate with Let's Encrypt

Let's Encrypt can be used to generate a free, trusted certificate that can be used by FortiGate to establish valid SSL connections that do not generate certificate warnings. See the Let's Encrypt documentation for more information and different methods of generating a trusted certificate.

Note

Let's Encrypt certificates have 90 day lifespans. They recommend replacing the certificate every 60 days.

The main requirements for using Let's Encrypt are:

  • An FQDN that is publicly resolvable to an IP address that you own.

  • Proof of ownership of the domain.

  • An application that uses Automatic Certificate Management Environment (ACME) to generate the certificate.

Tooltip

Fortinet has a dynamic DNS service that you can use if you do not have your own domain. See DDNS for more information.

This example uses Certbot to satisfy proof of ownership and generation of the certificate. It is an ACME client with a built-in, temporary webserver used for proof of domain ownership. Follow the instructions on the Certbot website to install the correct version in your Linux environment; this example uses Debian.

The Certbot application must be reachable by Let's Encrypt on TCP port 80 on the IP address that your FQDN resolves to.

Configure your FortiGate to reach the Linux environment

You can use a VIP to forward requests to your Linux environment on port 80. In this example, the Linux environment has the IP address 10.100.80.200.

To create a VIP to forward requests to your Linux environment on port 80 in the GUI:
  1. Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.
  2. Enter a name for the VIP and set the interface.
  3. Set the Mapped IP address/range to the IP address of the Linux environment, in this case 10.100.80.20.
  4. Enable Port Forwarding, set Protocol to TCP, and set External service port and Map to port to 80.

  5. Click OK.
To add the VIP to a policy to allow traffic to reach your Linux environment in the GUI:
  1. Go to Policy & Objects > IPv4 Policy and click Create New.
  2. Set Incoming Interface to the interface used in the VIP.
  3. Set Destination to the VIP, in this example: Linux VM.
  4. Configure the remaining settings as required.

  5. Click OK.
To create a VIP and add it to a policy in the CLI:
config firewall vip
    edit "Linux VM"
        set mappedip "10.100.80.200"
        set extintf "wan1"
        set portforward enable
        set extport 80
        set mappedport 80
    next
end
config firewall policy
    edit 2
        set name "To_Linux_VM"
        set srcintf "wan1"
        set dstintf "internal5"
        set srcaddr "all"
        set dstaddr "Linux VM"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

Create and upload the certificate

To manually request a certificate:
  1. In the Linux command line enter:
    certbot certonly
    How would you like to authenticate with the ACME CA?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Spin up a temporary webserver (standalone)
    2: Place files in webroot directory (webroot)
  2. Press 1 to load a temporary webserver.
    Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel):
  3. Enter your FQDN, such as company.domain.com.

    Four files should be generated:

    • cert.pem

    • chain.pem

    • fullchain.pem

    • privkey.pem

To import the certificate and private key into the FortiGate in the GUI:
  1. Go to System > Certificates. By default, the Certificates option is not visible, see Feature visibility for information.
  2. Click Import > Local Certificate.
  3. Set Type to Certificate.
  4. For Certificate File, upload the fullchain.pem file.
  5. For Key File, upload the privkey.pem file.
  6. Enter a password.
  7. Optionally, change the Certificate Name.

  8. Click OK.

Configure your FortiGate to use the signed certificate

After the signed certificates have been imported, you can use it when configuring SSL VPN and for administrator GUI access.

To configure your FortiGate to use the signed certificate for SSL VPN:
  1. Go to VPN > SSL-VPN Settings.
  2. Set Server Certificate to the new certificate.
  3. Configure other settings as needed.
  4. Click Apply.

For more information on configuring SSL VPN, see SSL VPN and the Setup SSL VPN video in the Fortinet Video Library.

To configure using the certificate for administrator GUI access in the CLI:
config system global
    set admin-server-cert fullchain
end
To change the certificate that is used for administrator GUI access in the GUI:
  1. Go to System > Settings.
  2. In the Administration Settings section, change HTTPS server certificate as needed.
  3. Click Apply. You will be logged out of FortiOS.