Uploading a certificate using the GUI

On the System > Certificates page, there are two options to add a certificate: Generate (use a certificate signing request) and Import.

Generate certificate signing request

Certificate signing requests (CSRs) are used to generate a certificate which is then signed by a CA to create a chain of trust. The CSR includes details of the FortiGate (see the table below) and its public key. A CSR is not strictly necessary; some CAs allow you to provide the details of the FortiGate manually, but a CSR helps streamline the process. Selecting Generate takes you to the Generate Certificate Signing Request page to enter the following information:

Certificate Name

Enter the certificate name; this is how it will appear in the Local Certificates list.

Subject Information

Specify an ID type: host IP address, domain name (FQDN), or email address.

Optional Information

Although listed as optional, we recommend entering the information for each field in this section.

If you are generating a CSR for a third-party CA, you need to ensure that these values match those on record for your company or organization with that certificate authority. If you are generating a certificate for a Microsoft CA, you need to check with the CA administrator regarding these values.


Organization Unit

Enter the name of the organizational unit under which the certificate will be issued.



Organization

Enter the overall name of the organization.



Locality (City)

Enter the city where the SSL certificate is located.


State / Province

Some issuers will reject a CSR that has an abbreviated state or province, so enter the full name of the state or province.


Country / Region

Enable the option and select the country from the dropdown.



Email

Enter the email address of the technical contact for the SSL certificate that is being requested.


Subject Alternative Name

This field allows multiple domains to be used in an SSL certificate. Select from email addresses, IP addresses, URIs, DNS names, and so on.


Password for private key

If supplied, this is used as an encryption password for the private key file.


Key Type

Select RSA or Elliptic Curve.


Key Size

When Key Type is RSA, select 1024, 1536, 2048, or 4096 for bit-size/strength. We recommend using at least 2048 if your CA can issue certificates of that size.


Curve Name

When Key Type is Elliptic Curve, select the elliptic curve type: secp256r1, secp384r1, or secp521r1.


Enrollment Method

Select one of the following methods, which determines how the CSR will be signed.

  • File Based: this will generate a certificate in the certificate menu under Local Certificate, which differs from the existing ones because it has no Subject, Comments, Issuer, or Expires values in the table. It will also show a Pending status because it is only a CSR at the moment and cannot function as a certificate just yet. You can download the CSR to provide to a CA for signing. If you open the CSR file, it should look similar to this:
    Next, the CSR file is supplied to a CA for signing, and the file returned by the CA should be in .CER format. This file is then uploaded to the FortiGate by going to System > Certificates > Import > Local Certificate and uploading the CER file.
  • Online SCEP: the Simple Certificate Enrollment Protocol (SCEP) allows devices to enroll for a certificate by using a URL and a password. The SCEP server works as a proxy to forward the FortiGate’s request to the CA and returns the result to the FortiGate (setting up a SCEP server is beyond the scope of this topic). Once the request is approved by the SCEP server, the FortiGate will have a signed certificate containing the details provided in the CSR.
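The CSR fields described above are the attributes of a standard PKCS #10 request, so the same request can be produced and inspected with openssl. The script below is an added example, not Fortinet's code: it generates a key of the type the GUI offers (RSA 2048 or the secp384r1 curve), builds a request with the same subject fields and a Subject Alternative Name, verifies the request before it goes to the CA, stands in for the CA with a throwaway test CA, and then confirms that the returned certificate really belongs to the key that stayed on the device, which is the property the File Based import relies on. All subject values, host names, addresses and the test CA are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Fortinet's code). Requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed subject values: replace with those registered at your CA.
CN="fgt.example.com"
OU="Network Security"
ORG="Example Corp"
CITY="Sunnyvale"
STATE="California"          # full name, not an abbreviation
COUNTRY="US"
EMAIL="netsec@example.com"

# gen_csr rsa|ec -> writes $WORK/fgt.key (never leaves the device) and $WORK/fgt.csr
gen_csr() {
  case "$1" in
    rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/fgt.key" 2>/dev/null ;;
    ec)  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out "$WORK/fgt.key" 2>/dev/null ;;
    *)   echo "unknown key type: $1" >&2; return 1 ;;
  esac
  # Request config mirroring the GUI fields; SAN lists every name the device answers to.
  cat > "$WORK/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
C  = $COUNTRY
ST = $STATE
L  = $CITY
O  = $ORG
OU = $OU
CN = $CN
emailAddress = $EMAIL
[ext]
subjectAltName = DNS:$CN, DNS:vpn.example.com, IP:203.0.113.10
EOF
  openssl req -new -key "$WORK/fgt.key" -config "$WORK/csr.cnf" -out "$WORK/fgt.csr"
}

# verify_csr -> 0 when the CSR's self-signature checks out and it carries the expected CN and SAN
verify_csr() {
  openssl req -in "$WORK/fgt.csr" -noout -verify >/dev/null 2>&1 || return 1
  text=$(openssl req -in "$WORK/fgt.csr" -noout -text)
  echo "$text" | grep -q "CN *= *$CN" || return 1
  echo "$text" | grep -q "DNS:vpn.example.com" || return 1
}

# sign_as_ca -> stands in for the CA: issues $WORK/fgt.cer for the CSR with a constructed test CA,
# copying the SAN from the request config the way a real CA copies it from the CSR
sign_as_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.cer" \
    -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
  openssl x509 -req -in "$WORK/fgt.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/csr.cnf" -extensions ext -out "$WORK/fgt.cer" -days 1 2>/dev/null
}

# cert_matches_key CERT KEY -> 0 only when the certificate's public key equals the one derived from KEY
cert_matches_key() {
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone run: RSA request, simulated CA, consistency check of the returned .CER
if gen_csr rsa && verify_csr && sign_as_ca && cert_matches_key "$WORK/fgt.cer" "$WORK/fgt.key"; then
  echo "CSR verified and issued certificate matches the on-device key (files in $WORK)"
else
  echo "certificate does not match the key that produced the CSR" >&2
  exit 1
fi
```

The public-key comparison is the useful check before importing a returned .CER: if the CA handed back a certificate for a different request, or the CSR was regenerated on the device after submission, the import has nothing to pair the certificate with. Put every host name and address the FortiGate will be reached by in the SAN, since TLS clients match the server name against the SAN entries.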


Import

Although Import is often used in conjunction with a CSR, you may upload a certificate to the FortiGate that was generated independently of it. This is typical of wildcard certificates (*.domain.tld) where the same certificate is used across multiple devices (FGT.domain.tld, FAZ.domain.tld, and so on), but it may also be used for individual certificates so long as the information provided to the signing CA matches that of the FortiGate.

When selecting Import, there are four options: Local Certificate, CA Certificate, Remote Certificate, and CRL.

Local certificate

Local certificates are used by the FortiGate to identify itself, or a service it provides, such as HTTPS administrative access, SSL VPN user portal, or virtual server load balancing where the FortiGate masquerades as the destination server. When selecting Local Certificate, four certificate type options appear in the Import Certificate pane:

Local Certificate

There is no field to upload a key with this option.

Use this option when you have created a CSR on the FortiGate, as the key is generated as part of the CSR process and remains on the FortiGate. You will need to upload a .CER file.

PKCS #12 Certificate

This option takes a specific certificate file type that contains the private key together with the certificate. The bundle is encrypted, so the password used when it was created must be supplied with the certificate file.
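A PKCS #12 file is the format this import option expects when the key was generated somewhere other than the FortiGate, for example for a wildcard certificate shared across devices. The script below is an added example, not Fortinet's code: it builds a password-protected PKCS #12 bundle from a certificate and its key, shows that the bundle cannot be opened without that password, and checks that the certificate inside belongs to the key inside. The certificate is a constructed self-signed one standing in for the CA-issued certificate, and the password is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not Fortinet's code). Requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="constructed-example-pass"   # constructed placeholder; this is the password the import form asks for

# make_test_material -> constructed self-signed certificate and key standing in for a CA-issued pair
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.com" \
    -keyout "$WORK/wild.key" -out "$WORK/wild.cer" 2>/dev/null
}

# make_p12 -> writes $WORK/wild.p12 with key and certificate encrypted under $P12_PASS
make_p12() {
  openssl pkcs12 -export -inkey "$WORK/wild.key" -in "$WORK/wild.cer" \
    -name "wildcard example.com" -out "$WORK/wild.p12" -passout "pass:$P12_PASS"
}

# p12_opens_with PASSWORD -> 0 if the bundle's integrity MAC verifies under PASSWORD
p12_opens_with() {
  openssl pkcs12 -in "$WORK/wild.p12" -noout -passin "pass:$1" >/dev/null 2>&1
}

# p12_cert_matches_key -> 0 if the certificate extracted from the bundle belongs to the extracted key
p12_cert_matches_key() {
  k=$(openssl pkcs12 -in "$WORK/wild.p12" -nocerts -nodes -passin "pass:$P12_PASS" 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl pkcs12 -in "$WORK/wild.p12" -clcerts -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
        | openssl x509 -noout -pubkey | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone run: build the bundle, prove the password is required, confirm key/cert pairing
make_test_material
make_p12
if p12_opens_with "$P12_PASS" && ! p12_opens_with "not-the-password" && p12_cert_matches_key; then
  echo "PKCS #12 bundle written to $WORK/wild.p12; password required; key and certificate match"
else
  echo "PKCS #12 bundle failed its checks" >&2
  exit 1
fi
```

Recent openssl releases encrypt the bundle with AES and PBKDF2 by default; if the device that imports the file rejects it, the file may need to be re-exported with the older RC2/3DES encryption (openssl 3 exposes this as the `-legacy` option of `openssl pkcs12`). Treat the .p12 file as the private key itself: it is only as protected as its password.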