Let's Encrypt can be used to generate a free, trusted certificate that can be used by FortiGate to establish valid SSL connections that do not generate certificate warnings. See the Let's Encrypt documentation for more information and different methods of generating a trusted certificate.
Let's Encrypt certificates have 90-day lifespans. Let's Encrypt recommends replacing the certificate every 60 days.
The main requirements for using Let's Encrypt are:
- An FQDN that is publicly resolvable to an IP address that you own.
- Proof of ownership of the domain.
- An application that uses the Automatic Certificate Management Environment (ACME) protocol to generate the certificate.
Fortinet has a dynamic DNS service that you can use if you do not have your own domain. See DDNS for more information.
This example uses Certbot to satisfy proof of ownership and generation of the certificate. It is an ACME client with a built-in, temporary webserver used for proof of domain ownership. Follow the instructions on the Certbot website to install the correct version in your Linux environment; this example uses Debian.
The Certbot application must be reachable by Let's Encrypt on TCP port 80 on the IP address that your FQDN resolves to.
You can use a VIP to forward requests to your Linux environment on port 80. In this example, the Linux environment has the IP address 10.100.80.200.
- Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.
- Enter a name for the VIP and set the interface.
- Set the Mapped IP address/range to the IP address of the Linux environment, in this case 10.100.80.200.
- Enable Port Forwarding, set Protocol to TCP, and set External service port and Map to port to 80.
- Go to Policy & Objects > Firewall Policy and click Create New.
- Set Incoming Interface to the interface used in the VIP.
- Set Destination to the VIP, in this example: Linux VM.
- Configure the remaining settings as required.
- Click OK.
The equivalent CLI configuration for the VIP and the firewall policy:
```
config firewall vip
    edit "Linux VM"
        set mappedip "10.100.80.200"
        set extintf "wan1"
        set portforward enable
        set extport 80
        set mappedport 80
    next
end
```
```
config firewall policy
    edit 2
        set name "To_Linux_VM"
        set srcintf "wan1"
        set dstintf "internal5"
        set srcaddr "all"
        set dstaddr "Linux VM"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
```
In the Linux command line enter:
```
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
```
Enter 1 to load a temporary webserver.
```
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):
```
Enter your FQDN, such as
Four files should be generated:
- Go to System > Certificates. By default, the Certificates option is not visible; see Feature visibility for information.
- Click Import > Local Certificate.
- Set Type to Certificate.
- For Certificate File, upload the fullchain.pem file.
- For Key File, upload the privkey.pem file.
- Enter a password.
- Optionally, change the Certificate Name.
- Click OK.
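Before uploading the certbot files, and again when deciding whether the 60-day renewal point has passed, it is worth confirming that privkey.pem really is the key for the leaf certificate in fullchain.pem and that the certificate covers the FQDN, since a mismatch fails the import and a missing SAN still produces browser warnings. The following Go program is an added example, not part of this Fortinet document or of certbot; it assumes an ECDSA key in PKCS#8 form (certbot's current default) and builds a constructed self-signed pair in place of real certbot output so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckPair runs the checks worth doing before importing certbot's output into
// FortiGate: privkey.pem must match the leaf certificate in fullchain.pem and the
// leaf must cover fqdn. Given the 90-day lifetime and the "replace every 60 days"
// advice, renewal is flagged once 30 or fewer days remain at now.
// Assumption of this example: the key is ECDSA in PKCS#8 form.
func CheckPair(chainPEM, keyPEM []byte, fqdn string, now time.Time) (daysLeft int, renewDue bool, err error) {
	cb, _ := pem.Decode(chainPEM) // the first block of fullchain.pem is the leaf
	kb, _ := pem.Decode(keyPEM)
	if cb == nil || kb == nil {
		return 0, false, errors.New("missing PEM block in chain or key file")
	}
	leaf, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return 0, false, err
	}
	key, err := x509.ParsePKCS8PrivateKey(kb.Bytes)
	if err != nil {
		return 0, false, err
	}
	if ek, ok := key.(*ecdsa.PrivateKey); !ok || !ek.PublicKey.Equal(leaf.PublicKey) {
		return 0, false, errors.New("privkey.pem does not match the leaf certificate")
	}
	if err := leaf.VerifyHostname(fqdn); err != nil {
		return 0, false, err // FQDN not in the SAN: clients would still warn
	}
	daysLeft = int(leaf.NotAfter.Sub(now).Hours() / 24)
	return daysLeft, daysLeft <= 30, nil
}

// NewTestPair is a constructed stand-in for certbot's files: a self-signed
// 90-day certificate for fqdn plus its key, both PEM encoded.
func NewTestPair(fqdn string, notBefore time.Time) (chainPEM, keyPEM []byte) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{fqdn},
		NotBefore: notBefore, NotAfter: notBefore.Add(90 * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &k.PublicKey, k)
	kder, _ := x509.MarshalPKCS8PrivateKey(k)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kder})
}
```

To check real files, read fullchain.pem and privkey.pem from the certbot live directory into the two byte slices and pass time.Now() as now.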
After the signed certificate has been imported, you can use it when configuring SSL VPN, for administrator GUI access, and for other functions that require a certificate.
- Go to VPN > SSL-VPN Settings.
- Set Server Certificate to the new certificate.
- Configure other settings as needed.
- Click Apply.
In the CLI, assuming the imported certificate kept the name fullchain:
```
config system global
    set admin-server-cert fullchain
end
```
- Go to System > Settings.
- In the Administration Settings section, change HTTPS server certificate as needed.
- Click Apply. You will be logged out of FortiOS.