Import a local certificate
Local certificates are issued for a specific server, or web site. Generally they are very specific, and often for an internal enterprise network. For example, a personal web site for John Smith at www.example.com (such as http://www.example.com/home/jsmith) would have its own local certificate.
These can optionally be just the certificate file or also include a private key file and PEM passphrase for added security.
Signed local certificates can be imported to the FortiProxy unit.
To import a local certificate:
-
Go to System > Certificates and click Create/Import > Certificate. The Import Certificate page opens.
-
Select the Type:
-
If the Type is Local Certificate, select Upload and locate the certificate file on your computer.
-
If the Type is PKCS #12 Certificate, select Upload and locate the certificate with key file on your computer. Select Change to enter the password in the Password field.
-
If the Type is Certificate, select Upload and locate the certificate file on your computer. Select Upload and locate the key file on your computer. Select Change to enter the password in the Password field.
-
-
Click OK to import the certificate.
ACME certificate support
The Automated Certificate Management Environment (ACME), as defined in RFC 8555, is used by the public Let's Encrypt certificate authority (https://letsencrypt.org) to provide free SSL server certificates. The FortiProxy unit can be configured to use certificates that are manged by Let's Encrypt, and other certificate management services, that use the ACME protocol. The server certificates can be used for secure administrator log in to the FortiProxy unit.
-
The FortiProxy unit must have a public IP address and a hostname in DNS (FQDN) that resolves to the public IP address.
-
The configured ACME interface must be public facing so that the FortiProxy unit can listen for ACME update requests. It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS).
-
The Subject Alternative Name (SAN) field is automatically filled with the FortiProxy DNS hostname. It cannot be edited, wildcards cannot be used, and multiple SANs cannot be added.
NOTE: To configure certificates in the GUI, go to System > Feature Visibility and enable Certificates.
To import an ACME certificate in the GUI:
-
Go to System > Certificates and click Create/Import > Certificate.
-
Set Type to Automated.
-
Set Certificate name to an appropriate name for the certificate.
-
Set Domain to the public FQDN of the FortiProxy unit.
-
Set Email to a valid email address. The email is not used during the enrollment process.
-
Ensure that ACME service is set to Let's Encrypt.
-
Configure the remaining settings as required and then click OK.
-
If this is the first time enrolling a server certificate with Let's Encrypt on this FortiProxy unit, the Set ACME Interface pane opens. Select the interface that the FortiProxy unit communicates with Let's Encrypt on and then click OK.
The ACME interface can later be changed in System > Settings.
-
Select the new server certificate in the Local Certificate list and then click View Details to verify that the FortiProxy unit's FQDN is in the certificate's Subject: Common Name (CN).
The Remote CA Certificate list includes the issuing Let's Encrypt intermediate CA, issued by the public CA DST Root CA X3 from Digital Signature Trust Company.
To exchange the default FortiProxy administration server certificate for the new public Let's Encrypt server certificate in the GUI:
-
Go to System > Settings.
-
Set the HTTPS server certificate to the new certificate.
-
Click Apply.
-
Log in to the FortiProxy unit using an administrator account from any Internet browser. There should be no warnings related to nontrusted certificates, and the certificate path should be valid.
To import an ACME certificate in the CLI:
-
Set the interface that the FortiProxy unit communicates with Let's Encrypt on:
config system acme
set interface port1
end
-
Make sure that the FortiProxy unit can contact the Let's Encrypt enrollment server:
FortiProxy-400E # execute ping acme-v02.api.letsencrypt.org PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248): 56 data bytes 64 bytes from 172.65.32.248: icmp_seq=0 ttl=56 time=4.8 ms 64 bytes from 172.65.32.248: icmp_seq=1 ttl=56 time=4.5 ms 64 bytes from 172.65.32.248: icmp_seq=2 ttl=56 time=4.5 ms 64 bytes from 172.65.32.248: icmp_seq=3 ttl=56 time=4.5 ms 64 bytes from 172.65.32.248: icmp_seq=4 ttl=56 time=4.5 ms --- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 4.5/4.5/4.8 ms
-
Configure the local certificate request:
config vpn certificate local
edit "acme-test"
set enroll-protocol acme2
set acme-domain "test.ftntlab.de"
set acme-email "techdoc@fortinet.com"
next
By enabling this feature you declare that you agree to the Terms of Service at
https://acme-v02.api.letsencrypt.org/directory
Do you want to continue? (y/n)y
end
-
Verify that the enrollment was successful:
# get vpn certificate local details acme-test
To exchange the default FortiProxy administration server certificate for the new public Let's Encrypt server certificate in the CLI:
config system global
set admin-server-cert "acme-test"
end
When you log in to the FortiProxy unit using an administrator account, there should be no warnings related to nontrusted certificates, and the certificate path should be valid.