Provision a trusted certificate with Let's Encrypt
Let's Encrypt can be used to generate a free, trusted certificate that can be used by FortiGate to establish valid SSL connections that do not generate certificate warnings. See the Let's Encrypt documentation for more information and different methods of generating a trusted certificate.
Let's Encrypt certificates have 90 day lifespans. They recommend replacing the certificate every 60 days.
The main requirements for using Let's Encrypt are:
An FQDN that is publicly resolvable to an IP address that you own.
Proof of ownership of the domain.
An application that uses Automatic Certificate Management Environment (ACME) to generate the certificate.
Fortinet has a dynamic DNS service that you can use if you do not have your own domain. See DDNS for more information.
This example uses Certbot to satisfy proof of ownership and generation of the certificate. It is an ACME client with a built-in, temporary webserver used for proof of domain ownership. Follow the instructions on the Certbot website to install the correct version in your Linux environment; this example uses Debian.
The Certbot application must be reachable by Let's Encrypt on TCP port 80 on the IP address that your FQDN resolves to.
Configure your FortiGate to reach the Linux environment
You can use a VIP to forward requests to your Linux environment on port 80. In this example, the Linux environment has the IP address 10.100.80.200.
To create a VIP to forward requests to your Linux environment on port 80 in the GUI:
- Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.
- Enter a name for the VIP and set the interface.
- Set the Mapped IP address/range to the IP address of the Linux environment, in this case 10.100.80.20.
- Enable Port Forwarding, set Protocol to TCP, and set External service port and Map to port to 80.
- Click OK.
To add the VIP to a policy to allow traffic to reach your Linux environment in the GUI:
- Go to Policy & Objects > IPv4 Policy and click Create New.
- Set Incoming Interface to the interface used in the VIP.
- Set Destination to the VIP, in this example: Linux VM.
- Configure the remaining settings as required.
- Click OK.
To create a VIP and add it to a policy in the CLI:
config firewall vip edit "Linux VM" set mappedip "10.100.80.200" set extintf "wan1" set portforward enable set extport 80 set mappedport 80 next end
config firewall policy edit 2 set name "To_Linux_VM" set srcintf "wan1" set dstintf "internal5" set srcaddr "all" set dstaddr "Linux VM" set action accept set schedule "always" set service "ALL" set logtraffic all set nat enable next end
Create and upload the certificate
To manually request a certificate:
- In the Linux command line enter:
How would you like to authenticate with the ACME CA? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: Spin up a temporary webserver (standalone) 2: Place files in webroot directory (webroot)
1to load a temporary webserver.
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):
- Enter your FQDN, such as
Four files should be generated:
To import the certificate and private key into the FortiGate in the GUI:
- Go to System > Certificates. By default, the Certificates option is not visible, see Feature visibility for information.
- Click Import > Local Certificate.
- Set Type to Certificate.
- For Certificate File, upload the fullchain.pem file.
- For Key File, upload the privkey.pem file.
- Enter a password.
- Optionally, change the Certificate Name.
- Click OK.
Configure your FortiGate to use the signed certificate
After the signed certificates have been imported, you can use it when configuring SSL VPN and for administrator GUI access.
To configure your FortiGate to use the signed certificate for SSL VPN:
- Go to VPN > SSL-VPN Settings.
- Set Server Certificate to the new certificate.
- Configure other settings as needed.
- Click Apply.
For more information on configuring SSL VPN, see SSL VPN and the Setup SSL VPN video in the Fortinet Video Library.
To configure using the certificate for administrator GUI access in the CLI:
config system global set admin-server-cert fullchain end
To change the certificate that is used for administrator GUI access in the GUI:
- Go to System > Settings.
- In the Administration Settings section, change HTTPS server certificate as needed.
- Click Apply. You will be logged out of FortiOS.