ACME certificate support

The Automated Certificate Management Environment (ACME), as defined in RFC 8555, is used by the public Let's Encrypt certificate authority (https://letsencrypt.org) to provide free SSL server certificates. The FortiGate can be configured to use certificates that are manged by Let's Encrypt, and other certificate management services, that use the ACME protocol. The server certificates can be used for secure administrator log in to the FortiGate.

  • The FortiGate must have a public IP address and a hostname in DNS (FQDN) that resolves to the public IP address.

  • The configured ACME interface must be public facing so that the FortiGate can listen for ACME update requests. It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS).

  • The Subject Alternative Name (SAN) field is automatically filled with the FortiGate DNS hostname. It cannot be edited, wildcards cannot be used, and multiple SANs cannot be added.

This example shows how to import an ACME certificate from Let's Encrypt, and use it for secured remote administrator access to the FortiGate.

Note

To configure certificates in the GUI, go to System > Feature Visibility and enable Certificates.

To import an ACME certificate in the GUI:
  1. Go to System > Certificates and click Import > Local Certificate.

  2. Set Type to Automated.

  3. Set Certificate name to an appropriate name for the certificate.

  4. Set Domain to the public FQDN of the FortiGate.

  5. Set Email to a valid email address. The email is not used during the enrollment process.

  6. Ensure that ACME service is set to Let's Encrypt.