how to install a certificate on Fortigate 200D

Hi Experts,

I have a FortiGate 200D firewall and I have to install a new certificate.
The cert is in a .pfx file.
When I try to install it I always get an error message that the file is invalid.
Please can you help me?
Eprs_Admin (System Architect) asked:

Dave Howe (Software and Hardware Engineer) commented:
Should work. Are you selecting the PKCS#12 certificate type for import?
Eprs_Admin (System Architect), author, commented:
Yes, when I export the PKCS#12 cert I get a .pfx file.
Is .pfx OK?

Because in the Forti docs they write that it needs a .p12 file.

So what is right?
Eprs_Admin (System Architect), author, commented:
PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.

Eprs_Admin (System Architect), author, commented:
This is the error:

Failed to import pkcs12 file.
Dave Howe (Software and Hardware Engineer) commented:
PFX and PKCS#12 are the same thing (PFX is the Microsoft name for the file type).

You can of course try importing in a different format and see if that is more successful. There is a free tool here that can import a .pfx file and export the cert and key separately as PEM-formatted files, suitable for the "certificate" import type. That will also allow you to easily test that the password for the .pfx file is correct (and optionally, you can export the PEM files without a password, hence you will not need to specify one when importing the files).
Eprs_Admin (System Architect), author, commented:
OK, I have converted the cert to PEM format.
Now I have two files: a certificate file and a key file.
Eprs_Admin (System Architect), author, commented:
On the Fortinet I selected the CERTIFICATE option and imported the cert successfully.
Eprs_Admin (System Architect), author, commented:
But I still have cert errors on my mobiles and tablets.
Do I have to restart my Fortinet as well?
Dave Howe (Software and Hardware Engineer) commented:
You need to select the imported certificate for whatever purpose you are now using it for; you now have it available to select, though. What role(s) do you want to use the new cert for?

I am assuming this is a commercial cert, so you don't need to add your own root to the devices.
Eprs_Admin (System Architect), author, commented:
I want to use it for OWA SSL.
The cert is selected in the policy and I can see the cert on my mobiles and tablets.
But still with problems.
Eprs_Admin (System Architect), author, commented:
Do I have to install the cert also on my CAS server for OWA (Exchange)?
Dave Howe (Software and Hardware Engineer) commented:
Depends on configuration. It is possible (but not the default) to reverse accelerate (that is, proxy) the HTTPS connection on the Fortinet. If this is the case, then the security policy will contain the settings "webcache-https" and "ssl-server"; the latter block will specify the key (the one you imported) and the mode of MITM employed.

In full mode, the data is re-encrypted, so the CAS will require a cert (not necessarily the same cert). In half mode, the traffic to the CAS is not encrypted (so no cert is needed there). In normal mode (no SSL acceleration) the traffic is simply passed through to the CAS server (this is a bad idea; CAS servers are not known for their security and usually you put a TMG in front of them, however the Fortinet should be OK to do this function too), in which case the only cert will be on the CAS server, and the Fortinet will not look at the traffic at all (hence will not need the cert).
Eprs_Admin (System Architect), author, commented:
OK, solved.
On the FortiGate I needed some more certs from Comodo, because the RSA chain was not complete.
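Two things in this thread can be checked from the command line before touching the firewall: Dave's suggestion of splitting the .pfx into PEM cert and key files (and confirming the password is right), and the incomplete chain that turned out to be the actual problem in the last post. The script below is an added example, not from the thread, from Fortinet or from the tool Dave mentions. It needs only the openssl command-line tool. It builds a throwaway root/intermediate/leaf PKI on the spot (the CA names, the hostname owa.example.com and the password are all constructed), packs the leaf into a .pfx the way a CA or a Windows export would hand it over, converts it to PEM, checks that key and certificate belong together, and then shows that the leaf alone does not verify against the root while leaf plus intermediate does.

```shell
#!/bin/sh
# Added example (not from the thread or Fortinet): a throwaway root -> intermediate -> leaf
# PKI is built here, packed into a .pfx, converted to PEM for a "certificate" style import,
# and checked for a complete chain. Needs the openssl command-line tool only.
# All names and the password below are constructed for the demo.
set -e
WORK=$(mktemp -d)
PFX_PASS="demo-pfx-password"   # constructed password protecting the demo .pfx

# Build the demo PKI and print the path of the resulting .pfx
# (leaf key + leaf cert + the intermediate that signed it).
make_demo_pfx() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  # self-signed root CA
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  # intermediate CA signed by the root
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" >/dev/null 2>&1
  # leaf (the OWA server cert) signed by the intermediate, not by the root
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=owa.example.com" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.crt" >/dev/null 2>&1
  # .pfx is just PKCS#12: key, leaf cert and intermediate in one password-protected file
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
    -certfile "$WORK/inter.crt" -out "$WORK/leaf.pfx" -passout "pass:$PFX_PASS" 2>/dev/null
  echo "$WORK/leaf.pfx"
}

# Return 0 if $2 is the password that opens PKCS#12 file $1. A wrong password is the
# first thing to rule out when a device only says the file is invalid.
check_pfx_password() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# Split PKCS#12 file $1 (password $2) into PEM files under directory $3:
#   cert.pem   the leaf certificate
#   key.pem    the private key, written unencrypted (so keep it off shared storage)
#   chain.pem  any CA certificates that travelled inside the .pfx
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3/cert.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/key.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$3/chain.pem" 2>/dev/null
  chmod 600 "$3/key.pem"
}

# Return 0 if the public key inside cert $1 is the one that belongs to private key $2.
key_matches_cert() {
  a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  b=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$a" = "$b" ]
}

# Return 0 if leaf $1 chains up to trusted root $3 using the intermediates in $2.
# An empty $2 reproduces the "chain not complete" situation from the last post.
chain_complete() {
  if [ -s "$2" ]; then
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1
  fi
}

PFX=$(make_demo_pfx)
OUT="$WORK/pem"; mkdir -p "$OUT"
check_pfx_password "$PFX" "$PFX_PASS" && echo "password accepted"
pfx_to_pem "$PFX" "$PFX_PASS" "$OUT"
key_matches_cert "$OUT/cert.pem" "$OUT/key.pem" && echo "key and certificate match"
chain_complete "$OUT/cert.pem" /dev/null "$WORK/root.crt" || echo "leaf alone: chain incomplete"
chain_complete "$OUT/cert.pem" "$OUT/chain.pem" "$WORK/root.crt" && echo "with intermediate: chain complete"
```

For a real .pfx, point pfx_to_pem at it and then run chain_complete with the CA's published root; if it only passes once the intermediates are supplied, those intermediates are the "more certs" the last post had to add on the firewall so that it can send the full chain to the phones and tablets. The key file is written without a passphrase, exactly the case Dave mentions, so delete it once it is imported.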