Fortinet black logo

Administration Guide

ACME certificate support

ACME certificate support

The Automated Certificate Management Environment (ACME), as defined in RFC 8555, is used by the public Let's Encrypt certificate authority (https://letsencrypt.org) to provide free SSL server certificates. The FortiGate can be configured to use certificates that are managed by Let's Encrypt, and other certificate management services, that use the ACME protocol. The server certificates can be used for secure administrator log in to the FortiGate.

Note

ACME certificates do not support loopback interfaces.

  • The FortiGate must have a public IP address and a hostname in DNS (FQDN) that resolves to the public IP address.

  • The configured ACME interface must be public facing so that the FortiGate can listen for ACME update requests. It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS).

  • The Subject Alternative Name (SAN) field is automatically filled with the FortiGate DNS hostname. It cannot be edited, wildcards cannot be used, and multiple SANs cannot be added.

This example shows how to import an ACME certificate from Let's Encrypt, and use it for secured remote administrator access to the FortiGate.

Note

To configure certificates in the GUI, go to System > Feature Visibility and enable Certificates.

To import an ACME certificate in the GUI:
  1. Go to System > Certificates and click Import > Local Certificate.

  2. Set Type to Automated.

  3. Set Certificate name to an appropriate name for the certificate.

  4. Set Domain to the public FQDN of the FortiGate.

  5. Set Email to a valid email address. The email is not used during the enrollment process.

  6. Ensure that ACME service is set to Let's Encrypt.

  7. Configure the remaining settings as required, the click OK.

  8. If this is the first time enrolling a server certificate with Let's Encrypt on this FortiGate, the Set ACME Interface pane opens.

    Select the interface that the FortiGate communicates with Let's Encrypt on, then click OK.

    The ACME interface can later be changed in System > Settings.

  9. The new server certificate is added to the Local Certificate list.

    Click View Details to verify that the FortiGate's FQDN is in the certificate's Subject: Common Name (CN).

    The Remote CA Certificate list includes the issuing Let's Encrypt intermediate CA, issued by the public CA ISRG Root X1 from Digital Signature Trust Company.

To exchange the default FortiGate administration server certificate for the new public Let's Encrypt server certificate in the GUI:
  1. Go to System > Settings.

  2. Set HTTPS server certificate to the new certificate.

  3. Click Apply.

  4. Log in to the FortiGate using an administrator account from any internet browser. There should be no warnings related to non-trusted certificates, and the certificate path should be valid.

To import an ACME certificate in the CLI:
  1. Set the interface that the FortiGate communicates with Let's Encrypt on:

    config system acme
        set interface "port1"
    end
  2. Make sure that the FortiGate can contact the Let's Encrypt enrollment server:

    # execute ping acme-v02.api.letsencrypt.org
    PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248): 56 data bytes
    64 bytes from 172.65.32.248: icmp_seq=0 ttl=60 time=2.0 ms
    64 bytes from 172.65.32.248: icmp_seq=1 ttl=60 time=1.7 ms
    64 bytes from 172.65.32.248: icmp_seq=2 ttl=60 time=1.7 ms
    64 bytes from 172.65.32.248: icmp_seq=3 ttl=60 time=2.1 ms
    64 bytes from 172.65.32.248: icmp_seq=4 ttl=60 time=2.0 ms
    
    --- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 1.7/1.9/2.1 ms
  3. Configure the local certificate request:

    config vpn certificate local
        edit "acme-test"
            set enroll-protocol acme2
            set acme-domain "test.ftntlab.de"
            set acme-email "techdoc@fortinet.com"
        next
    By enabling this feature you declare that you agree to the Terms of Service at https://acme-v02.api.letsencrypt.org/directory
    Do you want to continue? (y/n)y
    end
  4. Verify that the enrollment was successful:

    # get vpn certificate local details acme-test
    path=vpn.certificate, objname=local, tablename=(null), size=2632
    == [ acme-test ]
            Name:        acme-test
            Subject:     CN = test.ftntlab.de
            Issuer:      C = US, O = Let's Encrypt, CN = R3
            Valid from:  2021-03-11 17:43:04  GMT
            Valid to:    2021-06-09 17:43:04  GMT
            Fingerprint: 9A:03:0F:41:29:D7:01:45:04:F3:16:C0:BD:63:A2:DB
            Serial Num:  03:d3:55:80:d2:e9:01:b4:ca:80:3f:2e:fc:24:65:ad:7c:0c
    ACME details:
            Status: The certificate for the managed domain has been renewed successfully and can be used (valid since Thu, 11 Mar 2021 17:43:04 GMT).
            Staging status: Nothing in staging
  5. Check the ACME client full status log for the CN domain:

    # diagnose sys acme status-full test.ftntlab.de 
    {
      "name": "test.ftntlab.de",
      "finished": true,
      "notified": false,
      "last-run": "Thu, 11 Mar 2021 18:43:02 GMT",
      "valid-from": "Thu, 11 Mar 2021 17:43:04 GMT",
      "errors": 0,
      "last": {
        "status": 0,
        "detail": "The certificate for the managed domain has been renewed successfully and can be used (valid since Thu, 11 Mar 2021 17:43:04 GMT). A graceful server restart now is recommended.",
        "valid-from": "Thu, 11 Mar 2021 17:43:04 GMT"
      },
      "log": {
        "entries": [
          {
            "when": "Thu, 11 Mar 2021 18:43:05 GMT",
            "type": "message-renewed"
          },
          ...
          {
            "when": "Thu, 11 Mar 2021 18:43:02 GMT",
            "type": "starting"
          }
        ]
      }
    }
To exchange the default FortiGate administration server certificate for the new public Let's Encrypt server certificate in the CLI:
config system global
    set admin-server-cert "acme-test"
end

When you log in to the FortiGate using an administrator account there should be no warnings related to non-trusted certificates, and the certificate path should be valid.

ACME certificate support

The Automated Certificate Management Environment (ACME), as defined in RFC 8555, is used by the public Let's Encrypt certificate authority (https://letsencrypt.org) to provide free SSL server certificates. The FortiGate can be configured to use certificates that are managed by Let's Encrypt, and other certificate management services, that use the ACME protocol. The server certificates can be used for secure administrator log in to the FortiGate.

Note

ACME certificates do not support loopback interfaces.

  • The FortiGate must have a public IP address and a hostname in DNS (FQDN) that resolves to the public IP address.

  • The configured ACME interface must be public facing so that the FortiGate can listen for ACME update requests. It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS).

  • The Subject Alternative Name (SAN) field is automatically filled with the FortiGate DNS hostname. It cannot be edited, wildcards cannot be used, and multiple SANs cannot be added.

This example shows how to import an ACME certificate from Let's Encrypt, and use it for secured remote administrator access to the FortiGate.

Note

To configure certificates in the GUI, go to System > Feature Visibility and enable Certificates.

To import an ACME certificate in the GUI:
  1. Go to System > Certificates and click Import > Local Certificate.

  2. Set Type to Automated.

  3. Set Certificate name to an appropriate name for the certificate.

  4. Set Domain to the public FQDN of the FortiGate.

  5. Set Email to a valid email address. The email is not used during the enrollment process.

  6. Ensure that ACME service is set to Let's Encrypt.

  7. Configure the remaining settings as required, the click OK.

  8. If this is the first time enrolling a server certificate with Let's Encrypt on this FortiGate, the Set ACME Interface pane opens.

    Select the interface that the FortiGate communicates with Let's Encrypt on, then click OK.

    The ACME interface can later be changed in System > Settings.

  9. The new server certificate is added to the Local Certificate list.

    Click View Details to verify that the FortiGate's FQDN is in the certificate's Subject: Common Name (CN).

    The Remote CA Certificate list includes the issuing Let's Encrypt intermediate CA, issued by the public CA ISRG Root X1 from Digital Signature Trust Company.

To exchange the default FortiGate administration server certificate for the new public Let's Encrypt server certificate in the GUI:
  1. Go to System > Settings.

  2. Set HTTPS server certificate to the new certificate.

  3. Click Apply.

  4. Log in to the FortiGate using an administrator account from any internet browser. There should be no warnings related to non-trusted certificates, and the certificate path should be valid.

To import an ACME certificate in the CLI:
  1. Set the interface that the FortiGate communicates with Let's Encrypt on:

    config system acme
        set interface "port1"
    end
  2. Make sure that the FortiGate can contact the Let's Encrypt enrollment server:

    # execute ping acme-v02.api.letsencrypt.org
    PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248): 56 data bytes
    64 bytes from 172.65.32.248: icmp_seq=0 ttl=60 time=2.0 ms
    64 bytes from 172.65.32.248: icmp_seq=1 ttl=60 time=1.7 ms
    64 bytes from 172.65.32.248: icmp_seq=2 ttl=60 time=1.7 ms
    64 bytes from 172.65.32.248: icmp_seq=3 ttl=60 time=2.1 ms
    64 bytes from 172.65.32.248: icmp_seq=4 ttl=60 time=2.0 ms
    
    --- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 1.7/1.9/2.1 ms
  3. Configure the local certificate request:

    config vpn certificate local
        edit "acme-test"
            set enroll-protocol acme2
            set acme-domain "test.ftntlab.de"
            set acme-email "techdoc@fortinet.com"
        next
    By enabling this feature you declare that you agree to the Terms of Service at https://acme-v02.api.letsencrypt.org/directory
    Do you want to continue? (y/n)y
    end
  4. Verify that the enrollment was successful:

    # get vpn certificate local details acme-test
    path=vpn.certificate, objname=local, tablename=(null), size=2632
    == [ acme-test ]
            Name:        acme-test
            Subject:     CN = test.ftntlab.de
            Issuer:      C = US, O = Let's Encrypt, CN = R3
            Valid from:  2021-03-11 17:43:04  GMT
            Valid to:    2021-06-09 17:43:04  GMT
            Fingerprint: 9A:03:0F:41:29:D7:01:45:04:F3:16:C0:BD:63:A2:DB
            Serial Num:  03:d3:55:80:d2:e9:01:b4:ca:80:3f:2e:fc:24:65:ad:7c:0c
    ACME details:
            Status: The certificate for the managed domain has been renewed successfully and can be used (valid since Thu, 11 Mar 2021 17:43:04 GMT).
            Staging status: Nothing in staging
  5. Check the ACME client full status log for the CN domain:

    # diagnose sys acme status-full test.ftntlab.de 
    {
      "name": "test.ftntlab.de",
      "finished": true,
      "notified": false,
      "last-run": "Thu, 11 Mar 2021 18:43:02 GMT",
      "valid-from": "Thu, 11 Mar 2021 17:43:04 GMT",
      "errors": 0,
      "last": {
        "status": 0,
        "detail": "The certificate for the managed domain has been renewed successfully and can be used (valid since Thu, 11 Mar 2021 17:43:04 GMT). A graceful server restart now is recommended.",
        "valid-from": "Thu, 11 Mar 2021 17:43:04 GMT"
      },
      "log": {
        "entries": [
          {
            "when": "Thu, 11 Mar 2021 18:43:05 GMT",
            "type": "message-renewed"
          },
          ...
          {
            "when": "Thu, 11 Mar 2021 18:43:02 GMT",
            "type": "starting"
          }
        ]
      }
    }
To exchange the default FortiGate administration server certificate for the new public Let's Encrypt server certificate in the CLI:
config system global
    set admin-server-cert "acme-test"
end

When you log in to the FortiGate using an administrator account there should be no warnings related to non-trusted certificates, and the certificate path should be valid.