Fortinet black logo

Administration Guide

Import a certificate

You can upload a certificate to the FortiGate that was generated on its own. This is typical of wildcard certificates (*.domain.tld) where the same certificate is used across multiple devices (FGT.domain.tld, FAZ.domain.tld, and so on), but can also be used for individual certificates as long as the information provided to the signing CA matches that of the FortiGate.

Any certificate uploaded to a VDOM is only accessible to that VDOM. Any certificate uploaded to the Global VDOM is globally accessible by all VDOMs.

A signed certificate that is created using a CSR that was generated by the FortiGate does not include a private key, and can be imported to the FortiGate from a the management computer or a TFTP file server.

There are three options:

Local certificate

This option allows you to upload a single file and no key. Use it when you have created a CSR on the FortiGate (Generate a CSR), as the key is generated as part of the CSR process and remains on the FortiGate. You must upload a .CER file.

To import a local certificate in the GUI:
  1. Go to System > Certificates and select Create/Import > Certificate.

  2. Click Import Certificate.

  3. Set Type to Local Certificate.

  4. Click Upload, and locate the certificate on the management computer.

  5. Click Create, then click OK on the confirmation page.

To import a local certificate in the CLI:
execute vpn certificate local import tftp <filename> <tftp_IP> cer

PKCS #12 certificate

This option takes a specific certificate file type that contains the private key. The certificate is encrypted and a password must be supplied with the certificate file. PKCS #12 certificates are .PFX files.

To import a PKCS #12 certificate in the GUI:
  1. Go to System > Certificates and select Create/Import > Certificate.

  2. Click Import Certificate.

  3. Set Type to PKCS #12 Certificate.

  4. Click Upload, and locate the certificate on the management computer.

  5. Enter the password, then confirm the password.

  6. Optionally, customize the Certificate name.

  7. Click Create, then click OK on the confirmation page.

To import a PKCS #12 certificate in the CLI:
execute vpn certificate local import tftp <filename> <tftp_IP> p12 <password>

Certificate

This option is intended for certificates that were generated without using the FortiGate’s CSR. Because the certificate private key is being uploaded, a password is required. This option is similar to PKCS #12 certificate, but the certificate and key file are separate files, usually .CER and .PEM files.

To import a certificate in the GUI:
  1. Go to System > Certificates and select Create/Import > Certificate.

  2. Click Import Certificate.

  3. Set Type to Certificate.

  4. In the Certificate field, click Upload, and locate the certificate on the management computer.

  5. In the Key file field, click Upload, and locate the key file on the management computer.

  6. Enter the password, then confirm the password.

  7. Optionally, customize the Certificate name.

  8. Click Create, then click OK on the confirmation page.

To import a certificate that requires a private key to a VDOM, or when VDOMs are disabled:
config vpn certificate {local | ca | remote | ocsp-server | crl}

Refer to the FortiOS CLI Reference for detailed options for each certificate type (local, CA, remote, OSCP server, CRL).

To import a global certificate that requires a private key when VDOMs are enabled:
config certificate {local | ca | remote | crl}

This command is only available when VDOMs are enabled. For details, see the FortiOS CLI Reference.

You can upload a certificate to the FortiGate that was generated on its own. This is typical of wildcard certificates (*.domain.tld) where the same certificate is used across multiple devices (FGT.domain.tld, FAZ.domain.tld, and so on), but can also be used for individual certificates as long as the information provided to the signing CA matches that of the FortiGate.

Any certificate uploaded to a VDOM is only accessible to that VDOM. Any certificate uploaded to the Global VDOM is globally accessible by all VDOMs.

A signed certificate that is created using a CSR that was generated by the FortiGate does not include a private key, and can be imported to the FortiGate from a the management computer or a TFTP file server.

There are three options:

Local certificate

This option allows you to upload a single file and no key. Use it when you have created a CSR on the FortiGate (Generate a CSR), as the key is generated as part of the CSR process and remains on the FortiGate. You must upload a .CER file.

To import a local certificate in the GUI:
  1. Go to System > Certificates and select Create/Import > Certificate.

  2. Click Import Certificate.

  3. Set Type to Local Certificate.

  4. Click Upload, and locate the certificate on the management computer.

  5. Click Create, then click OK on the confirmation page.

To import a local certificate in the CLI:
execute vpn certificate local import tftp <filename> <tftp_IP> cer

PKCS #12 certificate

This option takes a specific certificate file type that contains the private key. The certificate is encrypted and a password must be supplied with the certificate file. PKCS #12 certificates are .PFX files.

To import a PKCS #12 certificate in the GUI:
  1. Go to System > Certificates and select Create/Import > Certificate.

  2. Click Import Certificate.

  3. Set Type to PKCS #12 Certificate.

  4. Click Upload, and locate the certificate on the management computer.

  5. Enter the password, then confirm the password.

  6. Optionally, customize the Certificate name.

  7. Click Create, then click OK on the confirmation page.

To import a PKCS #12 certificate in the CLI:
execute vpn certificate local import tftp <filename> <tftp_IP> p12 <password>

Certificate

This option is intended for certificates that were generated without using the FortiGate’s CSR. Because the certificate private key is being uploaded, a password is required. This option is similar to PKCS #12 certificate, but the certificate and key file are separate files, usually .CER and .PEM files.

To import a certificate in the GUI:
  1. Go to System > Certificates and select Create/Import > Certificate.

  2. Click Import Certificate.

  3. Set Type to Certificate.

  4. In the Certificate field, click Upload, and locate the certificate on the management computer.

  5. In the Key file field, click Upload, and locate the key file on the management computer.

  6. Enter the password, then confirm the password.

  7. Optionally, customize the Certificate name.

  8. Click Create, then click OK on the confirmation page.

To import a certificate that requires a private key to a VDOM, or when VDOMs are disabled:
config vpn certificate {local | ca | remote | ocsp-server | crl}

Refer to the FortiOS CLI Reference for detailed options for each certificate type (local, CA, remote, OSCP server, CRL).

To import a global certificate that requires a private key when VDOMs are enabled:
config certificate {local | ca | remote | crl}

This command is only available when VDOMs are enabled. For details, see the FortiOS CLI Reference.