A signed SSL certificate can be used when configuring SSL VPN, for administrator GUI access, and for other functions that require a certificate.
Before creating a certificate, you must have a registered domain. With a valid FortiGuard subscription, FortiDDNS can be used to register a domain; see DDNS for more information.
Follow these instructions to purchase, import, and use a signed SSL certificate:
- Obtain, set up, and download an SSL certificate package from a certificate authority
- Generate a CSR
- Import the signed certificate into your FortiGate
- Configure your FortiGate device to use the signed certificate
Let's Encrypt can be used to generate a free, trusted SSL certificate. See Provision a trusted certificate with Let's Encrypt for details.
A third-party CA might not sign a certificate with an intranet name or IP address. For details, see Can I request a certificate for an intranet name or IP address?
The process for purchasing, setting up, and downloading a certificate will vary depending on the CA that is used, and if a CSR must be generated on the FortiGate.
To purchase a certificate package:
- Create an account with your chosen vendor, or use the account that you used to purchase your domain.
- Locate the SSL Certificates page.
- Purchase a basic SSL certificate for domain validation only. If required, a more secure SSL certificate can be purchased.
- If required, load the CSR, either by uploading the text file or by copying and pasting its contents into the requisite text box. See Generate a CSR for information on generating the CSR on the FortiGate.
- If required, set the server type to Other.
- Verify the certificate per the requirements of the CA.
- Download the signed certificate to your computer.
- Import the signed certificate into your FortiGate; see Import the signed certificate into your FortiGate.
Some CAs can auto-generate the CSR during the signing process, or provide tools for creating CSRs. If necessary, a CSR can be created in your FortiGate device’s GUI.
To generate a CSR on your FortiGate:
- Go to System > Certificates. By default, the Certificate option is not visible; see Feature visibility for information on enabling it.
- Click Generate. The Generate Certificate Signing Request page opens.
- Configure the CSR request:
  - Ensure that the certificate has a unique name.
  - Set the ID Type to Domain Name and enter a Domain Name.
  - Enter an email address (required).
  - Ensure that the Key Size is set to 2048 Bit.
  - Set the Enrollment Method to File Based.
- Click OK.
The CSR will be added to the certificate list with a status of PENDING.
- In the certificate list, select the new CSR then click Download to save the CSR to your computer.
The CSR file can be opened in any text editor, and will resemble the following:
-----BEGIN CERTIFICATE REQUEST-----
MIICuTCCAaECAQAwSzEcMBoGA1UEAxMTZm9ydGlzc2x2cG5kZW1vLmNvbTErMCkG
CSqGSIb3DQEJARYcZm9ydGlzc2x2cG5kZW1vQGZvcnRpbmV0LmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMtnpNoR20NH2+UEX/NsyCmZhQqc4af3
Be1u9iOoNbo9Fk42gw47r71moAN+1jTL/Tcp3hRhXtpgoI7Zh3vjZnBbD2wwU8Ow
U7d1h5MULyMehR9r4T6OAJl4KbKPt5u90r5SpIb6mM1OIKvzMncuRS66rW1St0KP
mp/f6QjpjMrthnyJkCejgyTA1YwWNuT9BcO6PTkxBqVMLaRP6TUH6He9uhOx1Cj/
5tzvSdAozZIr2moMieQy0lNd6oQcgpdzaB9QN41+cZOlUXRCMPoH7E4KUe3/Gnis
+NMdQ8rIBijvWCXrKj20wb6sUEjAGJkcXlqVHWYCKWXl6Owejmc4ipkCAwEAAaAp
MCcGCSqGSIb3DQEJDjEaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwDQYJKoZI
hvcNAQELBQADggEBAJKhtz2BPIKeHH9HcJKnfBKL+a6vu1l+1sW+YqnyD+3oR9ec
0eCmLnPxyyxsVel/tRsUg4DTfmooLNDhOjgfMsWxAGUQgrDH2k87cw6kiDAPCqv1
b+hFPNKZQSd09+HXAvOpXrMlrw5YdSaoRnau6Q02yUIYennKTIzFIscgh1mk4FSe
mb12DhPF+QydDCGDgtqnQbfxlDC0WmDcmxwa/0ZktoQhhhEbYgJ2O7l4TMqOxs/q
AZgwJlSNGBALLA2AxkIRUMKUteDdXz0QE8xNrvZpLTbWCNIpYJdRRqSd5C1w2VF4
CFgugTjFaJ13kYmBimeMRQsFtjLV5AxN+bUUsnQ=
-----END CERTIFICATE REQUEST-----
To import the signed certificate into your FortiGate:
- Unzip the file downloaded from the CA.
There should be two CRT files: a CA certificate with bundle in the file name, and a local certificate.
- Log in to your FortiGate unit and go to System > Certificates.
- Click Import > Local Certificate.
- Upload the local certificate file, then click OK.
- The status of the certificate will change from PENDING to OK.
- Click Import > CA Certificate.
- Set the Type to File, upload the CA certificate file, then click OK.
The CA certificate will be listed in the CA Certificates section of the certificates list.
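The following script is an added example and is not part of the FortiGate documentation or FortiOS itself. It reproduces the CSR generation step above (2048-bit RSA key, CN set to the domain, an email address), plays the part of the CA with a constructed throw-away root, and then runs the checks worth doing on the downloaded package before it is imported: that the local certificate was issued for the key in the pending CSR (an import for a different key cannot move the PENDING entry to OK), that it validates against the CA bundle in the same package, and that its CN is the requested domain. It assumes the openssl command-line tool is installed; the CA name, email address and file names are constructed, and the domain is the CN decoded from the CSR shown above.

```shell
#!/bin/sh
# Added example, not FortiGate documentation code. Reproduces the GUI's CSR,
# stands in for the CA with a constructed root, and checks the signed package
# the way an administrator should before importing it. Requires openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN="fortisslvpndemo.com"     # CN of the CSR shown on the page
EMAIL="admin@${DOMAIN}"          # constructed; the GUI only requires some address

# 1. Key and CSR as the GUI generates them (ID Type: Domain Name, Key Size: 2048 Bit).
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/fortigate.key" \
    -subj "/CN=${DOMAIN}/emailAddress=${EMAIL}" -out "$WORK/fortigate.csr" 2>/dev/null
}

# RSA key size carried in a CSR file, so the 2048-bit requirement can be confirmed
# on the downloaded PEM before it is uploaded to the CA.
csr_key_bits() {
  openssl req -in "$1" -noout -pubkey \
    | openssl pkey -pubin -noout -text 2>/dev/null \
    | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# 2. Stand-in CA: a constructed self-signed root playing the role of the vendor's CA.
#    Its certificate doubles as the "bundle" file of the package.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/ca.key" \
    -subj "/CN=Constructed Test CA" -out "$WORK/ca-bundle.crt" 2>/dev/null
}

# 3. The CA signs the CSR; the output is the "local certificate" file of the package.
sign_csr() {
  openssl x509 -req -in "$WORK/fortigate.csr" -CA "$WORK/ca-bundle.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 -out "$WORK/fortigate.crt" 2>/dev/null
}

# Check A: the certificate's public key must be the key in the pending CSR.
keys_match() {
  csr_key=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
  crt_key=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$csr_key" = "$crt_key" ]
}

# Check B: the local certificate must validate against the CA bundle of the same package.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check C: the subject CN is the domain that was requested in the CSR.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Run the flow end to end and print a summary.
gen_csr
make_ca
sign_csr
# A self-signed certificate for an unrelated key (constructed), to show what a
# mismatched download looks like: the FortiGate entry would stay PENDING.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/other.key" \
  -subj "/CN=${DOMAIN}" -out "$WORK/other.crt" 2>/dev/null

echo "CSR key size : $(csr_key_bits "$WORK/fortigate.csr") bit"
echo "subject CN   : $(cert_cn "$WORK/fortigate.crt")"
keys_match "$WORK/fortigate.csr" "$WORK/fortigate.crt" && echo "key match    : yes"
keys_match "$WORK/fortigate.csr" "$WORK/other.crt" || echo "wrong cert   : key mismatch, would stay PENDING"
chain_ok "$WORK/ca-bundle.crt" "$WORK/fortigate.crt" && echo "chain        : valid against CA bundle"
```

The key comparison hashes the SubjectPublicKeyInfo from each PEM, which is the same pairing the FortiGate performs when it matches an imported local certificate to its pending CSR; running these three checks on a real CA download takes a few seconds and avoids an import that silently leaves the entry at PENDING.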
After the signed certificate has been imported, you can use it when configuring SSL VPN, for administrator GUI access, and for other functions that require a certificate.
To configure your FortiGate to use the signed certificate for SSL VPN:
- Go to VPN > SSL-VPN Settings.
- Set Server Certificate to the new certificate.
- Configure other settings as needed.
- Click Apply.
To configure using the certificate for administrator GUI access in the CLI:
config system global
    set admin-server-cert fortisslvpndemo
end
To change the certificate that is used for administrator GUI access in the GUI:
- Go to System > Settings.
- In the Administration Settings section, change HTTPS server certificate as needed.
- Click Apply. You will be logged out of FortiOS.