Eprs_Admin (Austria) asked on
How to install a certificate on Fortigate 200D

Hi Experts,

I have a Fortigate 200D firewall and I have to install a new certificate.
The cert is in .pfx file.
When I try to install it, I always get an error message: the file is invalid.
Please can you help me?
Dave Howe (United Kingdom):

Should work. Are you selecting the PKCS#12 certificate type for import?
Eprs_Admin (asker):
Yes, when I export the PKCS#12 cert, I get a .pfx file.
Is .pfx OK?

Because in the Forti docs they write that it needs a .p12 file.

So what is right?

PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.

This is the error:

Failed to import pkcs12 file.


ASKER CERTIFIED SOLUTION
Dave Howe (United Kingdom):
This solution is only available to members.

OK, I have converted the cert in PEM mode.
Now I have 2 files created: a certificate file and a key file.
On the Fortinet I have selected the CERTIFICATE option and imported the cert successfully.
But still I have cert errors on my mobiles and tablets.
Do I have to restart my Fortinet as well?
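The PFX-to-PEM conversion described in the post above, as an added example that is not part of the thread or of Fortinet's documentation: an openssl script that builds a constructed sample .pfx (password "test", self-signed certificate for the made-up host owa.example.test), splits it into the certificate and key PEM files that the FortiGate "Certificate" import option takes, and confirms the two files belong together. It assumes openssl is on the PATH; every file name and the host name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): split a PKCS#12 (.pfx / .p12) bundle
# into the PEM certificate and PEM private key that the FortiGate "Certificate"
# import option expects, then confirm the key really matches the certificate.
# Assumes openssl is installed; the .pfx is constructed below as sample input.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample input: a self-signed cert for a made-up host, bundled
# into a .pfx with the password "test" (the same format a Windows export gives).
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=owa.example.test" \
    -keyout "$WORK/sample.key" -out "$WORK/sample.crt" >/dev/null 2>&1
  openssl pkcs12 -export -passout pass:test \
    -inkey "$WORK/sample.key" -in "$WORK/sample.crt" -out "$WORK/sample.pfx"
}

# pfx_to_pem PFX PASSWORD OUTDIR
# Writes OUTDIR/cert.pem  (the server certificate only),
#        OUTDIR/chain.pem (any CA certificates carried in the bundle, may be empty),
#        OUTDIR/key.pem   (the private key, unencrypted: protect the file).
# Fails, much like the FortiGate "Failed to import pkcs12 file" error, if the
# password is wrong or the file is not a PKCS#12 bundle at all.
pfx_to_pem() {
  pfx=$1; pass=$2; out=$3
  mkdir -p "$out" &&
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/cert.pem" &&
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/chain.pem" &&
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/key.pem" &&
  chmod 600 "$out/key.pem"
}

# key_matches_cert CERT.pem KEY.pem: succeed only if the key's public half is the
# one embedded in the certificate (a mismatched pair may import but never works).
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Stand-alone run: build the sample, convert it, report the result.
make_sample_pfx
pfx_to_pem "$WORK/sample.pfx" test "$WORK/out"
if key_matches_cert "$WORK/out/cert.pem" "$WORK/out/key.pem"; then
  echo "cert.pem and key.pem match; import that pair with the Certificate option"
else
  echo "key does not match certificate" >&2
  exit 1
fi
```

If chain.pem comes out non-empty, the export carried the CA certificates as well; those are imported separately from the server certificate, which is exactly the piece that turned out to be missing later in this thread.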
You need to select the imported certificate for whatever purpose you are now using it for; you now have it available to select, though. What role(s) do you want to use the new cert for?

I am assuming this is a commercial cert, so you don't need to add your own root to the devices.
I want to use it for OWA SSL.
The cert is selected in the policy, and I can see the cert on my mobiles and tablets.
But still with problems.
Do I have to install the cert also on my CAS server for OWA (Exchange)?
Depends on configuration. It is possible (but not the default) to reverse accelerate (that is, proxy) the HTTPS connection on the Fortinet. If this is the case, then the security policy will contain the settings "webcache-https" and "ssl-server"; the latter block will specify the key (the one you imported) and the mode of MITM employed.

In full mode, the data is re-encrypted, so the CAS will require a cert (not necessarily the same cert). In half mode, the traffic to the CAS is not encrypted (so no cert is needed there). In normal mode (no SSL acceleration) the traffic is simply passed through to the CAS server (this is a bad idea; CAS servers are not known for their security and usually you put a TMG in front of them, however the Fortinet should be OK to do this function too), in which case the only cert will be on the CAS server, and the Fortinet server will not look at the traffic at all (hence will not need the cert).
OK, solved.
On the Fortigate I needed some more certs from Comodo, because the RSA chain was not complete.
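The incomplete-chain problem behind that last post, as an added example that is not from the thread or from Fortinet: an openssl script that constructs a three-level test PKI (root, intermediate, server certificate) standing in for the Comodo chain, then shows that the server certificate on its own does not verify up to the root while the same certificate plus the intermediate does. That is the check to run on the files you intend to install before mobiles and tablets start complaining. It assumes openssl is on the PATH; all names and the host owa.example.test are placeholders, and no real CA material is involved.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "incomplete chain" problem
# behind the last post and the check that spots it before clients complain.
# A three-level test PKI (root -> intermediate -> server) is constructed here
# with openssl and stands in for the Comodo chain; no real CA material is used.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sign OUT CSR CACERT CAKEY EXTFILE: issue OUT from CSR under the given CA.
sign() {
  openssl x509 -req -in "$2" -CA "$3" -CAkey "$4" -CAcreateserial \
    -days 1 -extfile "$5" -out "$1" >/dev/null 2>&1
}

build_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:owa.example.test\n' > "$WORK/leaf.ext"
  # Root CA, self-signed (openssl req -x509 marks it CA:TRUE by default).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate CA, issued by the root: the piece that was missing on the firewall.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  sign "$WORK/int.pem" "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/ca.ext"
  # Server certificate, issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=owa.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  sign "$WORK/server.pem" "$WORK/server.csr" "$WORK/int.pem" "$WORK/int.key" "$WORK/leaf.ext"
}

# chain_ok SERVER.pem INTERMEDIATES.pem ROOT.pem: succeed only if the server cert
# verifies up to ROOT using just the intermediates in INTERMEDIATES.pem, i.e. the
# bundle the firewall would hand to clients. Only ROOT is trusted; the system
# store is deliberately ignored so the result reflects the bundle alone.
chain_ok() {
  if [ -s "$2" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$3" "$1" >/dev/null 2>&1
  fi
}

# Stand-alone run: show the failure without the intermediate and the fix with it.
build_test_pki
: > "$WORK/none.pem"
if chain_ok "$WORK/server.pem" "$WORK/none.pem" "$WORK/root.pem"; then
  echo "unexpected: server cert verified without the intermediate" >&2; exit 1
fi
echo "server cert alone: no path to the root (what the mobiles were seeing)"
chain_ok "$WORK/server.pem" "$WORK/int.pem" "$WORK/root.pem"
echo "with the intermediate installed as well, the chain completes"
```

Run the same chain_ok check against the real files: the server certificate you imported, the intermediate certificate(s) the CA provides, and the CA's root. If it only passes once the intermediates are supplied, those are the extra certificates the FortiGate needs alongside the server certificate.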