
Administration Guide

Local

Use the Local Certificates page to import or generate a local certificate.

Importing a local certificate

There are three options for importing a local certificate in the GUI:

  • Local certificate

    This option allows you to upload a single file and no key. You must upload a .CER file.

  • PKCS12 certificate

    This option takes a PKCS #12 bundle, a single file that contains both the certificate and its private key. The bundle is encrypted, so you must supply its password along with the file. PKCS #12 certificates are .PFX files. The following key sizes are supported: 1024, 2048, and 4096 bits.

  • Certificate

    This option is similar to PKCS #12 certificate, but the certificate and key file are separate files, usually .CER and .PEM files.

Note: You cannot import a PKCS12 certificate if the password is missing. To work around this issue, extract the certificate and key from the .p12 file and then use the GUI to import the certificate and key as separate files.

In the CLI, you can import a local certificate from a TFTP server using an IPv4 or IPv6 address or fully qualified domain name.

You can also generate a Rivest–Shamir–Adleman (RSA) certificate or elliptic curve (ECDSA) certificate using a certificate signing request (CSR).

Import a local certificate using the GUI:
  1. Go to System > Certificate > Local.

  2. Click Import.

  3. Select the type of certificate that you want to import: Local Certificate, PKCS12 Certificate, or Certificate.

  4. In the Certificate File field, click Choose File and browse to your certificate file.

  5. If you selected Certificate, click Choose File and browse to your key file.

  6. If you selected PKCS12 Certificate or Certificate, enter a password in the Password field.

  7. Click Import.

Import a local certificate using the CLI:

execute system certificate local import tftp <local_certificate_file_name> <TFTP_server_IPv4_IPv6_FQDN> <cer | p12> [password_for_PKCS12_file]

For example:

execute system certificate local import tftp p12certificate.p12 10.105.17.77 p12 mypassword

Importing a PKCS12 certificate without a password ("")

Because the default algorithm that OpenSSL uses to encrypt PKCS12 bundles has changed, there is a different procedure for generating a PKCS12 certificate if you are running OpenSSL 1.x.x: the bundle is re-exported with the PBE-SHA1-3DES algorithm before it is imported.

To generate and import the PKCS12 certificate if you are running OpenSSL 1.x.x:
  1. Generate the PKCS12 certificate.

  2. Run this command:

    openssl pkcs12 -in <PKCS12_certificate>.p12 -out <PKCS12_certificate>.pem

  3. Run this command:

    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in <PKCS12_certificate>.pem -out <new_PKCS12_certificate>.p12

  4. Use the CLI or GUI to import <new_PKCS12_certificate>.p12 into FortiSwitchOS.
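The following script is an added example and is not part of the FortiSwitchOS guide. It walks through both remedies the guide describes for a PKCS12 bundle that the switch will not accept: splitting the bundle into a separate .cer and .pem for the Certificate import option, and re-exporting it with PBE-SHA1-3DES under a password (steps 2 and 3 above, with -nodes added so the intermediate PEM does not prompt for a passphrase). It also checks the extracted key size against the sizes the guide lists as importable. It assumes the openssl command-line tool is on PATH; every file name, the sample subject, and the password are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the FortiSwitchOS guide. Prepares a PKCS#12 bundle
# for import: split into .cer/.pem, or re-export with PBE-SHA1-3DES.
# Assumes the openssl CLI is on PATH. File names and subject are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_test_bundle: constructed input. A 2048-bit RSA key, a self-signed
# certificate, and a PKCS#12 bundle exported with an EMPTY password, which is
# the case the guide says cannot be imported directly.
make_test_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/C=US/ST=CA/L=Sunnyvale/O=Example/OU=Lab/CN=switch.example.test" \
        -keyout "$WORK/orig.key" -out "$WORK/orig.cer" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/orig.cer" -inkey "$WORK/orig.key" \
        -passout pass: -out "$WORK/orig.p12"
}

# p12_opens_with BUNDLE PASSWORD: exit 0 if the bundle's MAC verifies with
# that password. Opening successfully with "" identifies the no-password case.
p12_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# split_p12 BUNDLE PASSWORD: the guide's workaround. Writes the certificate to
# split.cer and the (unencrypted) private key to split.pem so they can be
# imported with the "Certificate" option instead of "PKCS12 Certificate".
split_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
        -out "$WORK/split.cer" >/dev/null 2>&1
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
        -out "$WORK/split.pem" >/dev/null 2>&1
}

# reexport_legacy_pbe BUNDLE OLD_PW NEW_PW OUT: the guide's OpenSSL 1.x.x
# procedure. The result is encrypted with PBE-SHA1-3DES under NEW_PW.
reexport_legacy_pbe() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes \
        -out "$WORK/legacy.pem" >/dev/null 2>&1
    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export \
        -in "$WORK/legacy.pem" -passout "pass:$3" -out "$4"
}

# key_bits KEYFILE: print the modulus size of an RSA key in bits.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# is_supported_key_size BITS: exit 0 for the sizes the guide lists as
# importable (1024, 2048, 4096). 1024 is accepted by the switch but is far
# below current recommendations, so check the size before importing.
is_supported_key_size() {
    case "$1" in
        1024|2048|4096) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk through the whole procedure when run as: sh prepare_p12.sh run
if [ "${1:-}" = "run" ]; then
    make_test_bundle
    split_p12 "$WORK/orig.p12" ""
    echo "extracted key size: $(key_bits "$WORK/split.pem") bits"
    reexport_legacy_pbe "$WORK/orig.p12" "" "mypassword" "$WORK/new.p12"
    p12_opens_with "$WORK/new.p12" "mypassword" && echo "new.p12 opens with password"
fi
```

The split files go through the GUI Certificate option (certificate file plus key file); the re-exported new.p12 goes through either the GUI PKCS12 Certificate option or the CLI import command with its password. Keep the unencrypted split.pem only as long as the import takes and delete it afterwards.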

Generating a local certificate

Generate a local certificate using the GUI:
  1. Go to System > Certificate > Local.

  2. Click Generate.

  3. In the Certificate Name field, enter the certificate name, which will appear in the Local Certificates table.

  4. In the Key Type dropdown list, select RSA or Elliptic Curve.

  5. If you selected RSA for the key type, select 1024 Bit, 1536 Bit, 2048 Bit, or 4096 Bit from the Key Size dropdown list.

  6. If you selected Elliptic Curve for the key type, select SECP256R1, SECP384R1, or SECP521R1 from the Curve Name dropdown list.

  7. From the ID Type dropdown list, select Host IP, Domain Name, or Email.

  8. In the IP, Domain Name, or Email field, enter the IP address, domain name, or email address.

  9. In the Country/Region dropdown list, select the country or region where the FortiSwitch unit is located.

  10. In the State/Province field, enter the state or province where the FortiSwitch unit is located.

  11. In the Locality (City) field, enter the city where the FortiSwitch unit is located.

  12. In the Organization Name field, enter the name of your organization.

  13. In the Organization Unit field, enter the business unit.

  14. In the Email field, enter your email address.

  15. In the Subject Alternative Name field, enter multiple domains to be used in an SSL certificate.

  16. Under Enrollment Method, select File-Based or Online SCEP.

  17. If you selected Online SCEP, enter the CA server URL and challenge password.

  18. Click Add.

Generate an elliptic curve local certificate using the CLI:

execute system certificate local generate ec <local_certificate_name> {secp256r1 | secp384r1 | secp521r1} <IP_address_domain_name_email> <country> <state> <city> <organization> <business_unit> <email> [<subject alternative name>] [<URL_of_CA_server>] [<challenge_password>] [<source_IP_address>] [<CA_identifier_of_CA_server>] [<password_for_private_key>]

For example:

execute system certificate local generate ec localcertificate secp256r1 1.2.3.4 northamerica CA Sunnyvale Fortinet "R&D" "admin@fortinet.com"

Generate an RSA local certificate using the CLI:

execute system certificate local generate rsa <local_certificate_name> {1024 | 1536 | 2048 | 4096} <IP_address_domain_name_email> <country> <state> <city> <organization> <business_unit> <email> [<subject alternative name>] [<URL_of_CA_server>] [<challenge_password>] [<source_IP_address>] [<CA_identifier_of_CA_server>] [<password_for_private_key>]

For example:

execute system certificate local generate rsa localcertificate 1024 1.2.3.4 northamerica CA Sunnyvale Fortinet "R&D" "admin@fortinet.com"
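The following script is an added example and is not part of the FortiSwitchOS guide. It shows the same inputs the generate procedure above asks for (curve name, subject fields, several Subject Alternative Name domains) as an OpenSSL key and CSR, and inspects the CSR before it is sent to a CA, which is the check you want when using File-Based enrollment. It assumes the openssl command-line tool (1.1.1 or later, for -addext) is on PATH; the domain names and subject values are constructed. One caveat it makes visible: OpenSSL names the curve the guide calls SECP256R1 "prime256v1", so the script maps that name.

```shell
#!/bin/sh
# Added example, not from the FortiSwitchOS guide. Builds an EC key and CSR
# with the inputs the guide's generate procedure asks for, then inspects it.
# Assumes the openssl CLI (1.1.1+) is on PATH. Names and domains are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ec_csr NAME CURVE CN SAN_CSV: generate a key on CURVE (secp256r1,
# secp384r1 or secp521r1, the choices the guide offers) and a CSR whose
# subjectAltName lists every domain in the comma-separated SAN_CSV.
make_ec_csr() {
    name=$1; curve=$2; cn=$3; san_csv=$4
    # OpenSSL's ecparam knows secp256r1 only under its X9.62 name prime256v1.
    case "$curve" in
        secp256r1) curve=prime256v1 ;;
    esac
    # Rewrite "a.example,b.example" into "DNS:a.example,DNS:b.example".
    san_ext=$(printf '%s' "$san_csv" | sed 's/^/DNS:/; s/,/,DNS:/g')
    openssl ecparam -name "$curve" -genkey -noout -out "$WORK/$name.key"
    openssl req -new -key "$WORK/$name.key" -sha256 \
        -subj "/C=US/ST=CA/L=Sunnyvale/O=Example/OU=Lab/CN=$cn" \
        -addext "subjectAltName=$san_ext" -out "$WORK/$name.csr"
}

# csr_curve CSRFILE: print the curve OpenSSL reports for the CSR's public key
# (prime256v1 for a SECP256R1 key, secp384r1, or secp521r1).
csr_curve() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p' | head -n 1
}

# csr_sans CSRFILE: print the subjectAltName line of the CSR, for example
# "DNS:a.example, DNS:b.example", or nothing if the extension is absent.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# csr_has_san CSRFILE DOMAIN: exit 0 if DOMAIN is one of the CSR's DNS SANs.
# Use it to confirm every hostname clients will connect to is covered before
# the request leaves for the CA.
csr_has_san() {
    csr_sans "$1" | tr ',' '\n' | sed 's/^ *DNS://' | grep -qx "$2"
}

# Run as: sh make_csr.sh run
if [ "${1:-}" = "run" ]; then
    make_ec_csr switchcert secp256r1 switch.example.test \
        "switch.example.test,mgmt.example.test"
    echo "curve: $(csr_curve "$WORK/switchcert.csr")"
    echo "SANs:  $(csr_sans "$WORK/switchcert.csr")"
fi
```

The private key never leaves the host that generated it; only the .csr goes to the CA, and the signed certificate that comes back is paired with the key on import.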
