Solved

How to install a certificate on a FortiGate 200D

Posted on 2014-10-13
2,865 Views
Last Modified: 2014-10-14
Hi Experts,

I have a Fortigate 200D firewall and I have to install a new certificate.
The cert is in .pfx file.
When I try to install it I always get an error message: the file is invalid.
Please can you help me ?
Question by:Eprs_Admin
13 Comments
 

Expert Comment

by:Dave Howe
ID: 40376863
Should work. Are you selecting the PKCS#12 certificate type for import?
 

Author Comment

by:Eprs_Admin
ID: 40376970
Yes, when I export the PKCS#12 cert I get a .pfx file.
Is .pfx OK?

Because the Forti docs say it needs a .p12 file.

So which is right?
 

Author Comment

by:Eprs_Admin
ID: 40376973
PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.
 

Author Comment

by:Eprs_Admin
ID: 40376978
This is the error:

Failed to import pkcs12 file.


 

Accepted Solution

by:Dave Howe (earned 500 total points)
ID: 40377202
PFX and PKCS#12 are the same thing (PFX is the Microsoft name for the file type).

You can of course try importing in a different format and see if that is more successful. There is a free tool here that can import a .pfx file and export the cert and key separately as PEM-formatted files, suitable for the "Certificate" import type. That will also allow you to easily test that the password for the .pfx file is correct (and optionally you can export the PEM files without a password, so you will not need to specify one when importing the files).
 

Author Comment

by:Eprs_Admin
ID: 40379256
OK, I have converted the cert to PEM.
Now I have two files: a certificate file and a key file.
 

Author Comment

by:Eprs_Admin
ID: 40379260
On the Fortinet I have selected the CERTIFICATE option and imported the cert successfully.
 

Author Comment

by:Eprs_Admin
ID: 40379262
But I still have cert errors on my mobiles and tablets.
Do I have to restart my Fortinet as well?
 

Expert Comment

by:Dave Howe
ID: 40379276
You need to select the imported certificate for whatever purpose you are now using it for; you now have it available to select, though. What role(s) do you want to use the new cert for?

I am assuming this is a commercial cert, so you don't need to add your own root to the devices.
 

Author Comment

by:Eprs_Admin
ID: 40379297
I want to use it for OWA SSL.
The cert is selected in the policy and I can see the cert on my mobiles and tablets.
But still with problems.
 

Author Comment

by:Eprs_Admin
ID: 40379299
Do I have to install the cert on my CAS server for OWA (Exchange) as well?
 

Expert Comment

by:Dave Howe
ID: 40379357
Depends on the configuration. It is possible (but not the default) to reverse-accelerate (that is, proxy) the HTTPS connection on the Fortinet. If this is the case, then the security policy will contain the settings "webcache-https" and "ssl-server"; the latter block will specify the key (the one you imported) and the mode of MITM employed.

In full mode, the data is re-encrypted, so the CAS will require a cert (not necessarily the same cert). In half mode, the traffic to the CAS is not encrypted (so no cert is needed there). In normal mode (no SSL acceleration) the traffic is simply passed through to the CAS server (this is a bad idea; CAS servers are not known for their security, and usually you put a TMG in front of them, however the Fortinet should be OK to do this function too), in which case the only cert will be on the CAS server, and the Fortinet will not look at the traffic at all (hence will not need the cert).
 

Author Comment

by:Eprs_Admin
ID: 40379724
OK, solved.
On the FortiGate I needed some more certs from Comodo, because the RSA chain was not complete.
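The two checks the thread turns on (does the .pfx open with the password and split into a PEM cert and key, and is the chain complete once the intermediate is included) can be done with openssl alone. The script below is an added example, not code from the thread, the free tool mentioned above, or Fortinet. It builds a throwaway root, intermediate and server certificate for an assumed host name (owa.example.com), bundles them into a .pfx, and then runs the conversion, the password check, the key/cert match and the chain verification against that bundle; all names and the password are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): throwaway PKI + the checks a .pfx
# import failure and a "chain not complete" browser error call for.
set -eu

# Minimal openssl config so the example does not depend on the system openssl.cnf.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:owa.example.com
EOF
}

# Build root -> intermediate -> leaf in DIR, then bundle leaf key + cert + intermediate
# into DIR/owa.pfx protected by PASS. All names are assumed; nothing here is real.
make_demo_pfx() {
    dir=$1; pass=$2
    write_cnf "$dir/demo.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$dir/demo.cnf" \
        -extensions ca -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
        -subj "/CN=Demo Intermediate CA" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/demo.cnf" -extensions ca -out "$dir/inter.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
        -subj "/CN=owa.example.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -extfile "$dir/demo.cnf" -extensions leaf -out "$dir/leaf.pem" 2>/dev/null
    # .pfx and .p12 are the same PKCS#12 container; only the file extension differs.
    openssl pkcs12 -export -in "$dir/leaf.pem" -inkey "$dir/leaf.key" -certfile "$dir/inter.pem" \
        -name owa -passout "pass:$pass" -out "$dir/owa.pfx"
}

# Split the PKCS#12 into PEM cert (cert.pem), PEM key (key.pem) and whatever CA certs it
# carries (chain.pem). Returns non-zero when the password is wrong, the first thing to
# rule out for an import error. Under OpenSSL 3, a .pfx written by an older Windows export
# (RC2-40/3DES) may need "-legacy" added to each pkcs12 call; that is a provider issue,
# not a bad file.
pfx_to_pem() {
    pfx=$1; pass=$2; out=$3
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/cert.pem" 2>/dev/null &&
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/key.pem" 2>/dev/null &&
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/chain.pem" 2>/dev/null
}

# A key that does not belong to the cert is another way an import fails: compare public keys.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ "$a" = "$b" ]
}

# Does LEAF verify up to ROOT? Extra arguments are intermediate bundles passed as
# -untrusted, the role the appliance plays when it sends them alongside the server cert.
chain_ok() {
    leaf=$1; root=$2; shift 2
    args=""
    for f in "$@"; do args="$args -untrusted $f"; done
    # shellcheck disable=SC2086
    openssl verify -CAfile "$root" $args "$leaf" >/dev/null 2>&1
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 0; }
    work=$(mktemp -d)
    make_demo_pfx "$work" 'demo-pass'
    mkdir "$work/pem"
    if pfx_to_pem "$work/owa.pfx" 'wrong-pass' "$work/pem"; then echo "unexpected: wrong password accepted"; fi
    pfx_to_pem "$work/owa.pfx" 'demo-pass' "$work/pem"
    key_matches_cert "$work/pem/cert.pem" "$work/pem/key.pem" && echo "key matches cert"
    # Leaf alone: the "chain not complete" state the thread ended on.
    chain_ok "$work/pem/cert.pem" "$work/root.pem" || echo "leaf alone: chain incomplete"
    # Leaf plus the intermediate, which the appliance must also be given (as a CA cert).
    chain_ok "$work/pem/cert.pem" "$work/root.pem" "$work/pem/chain.pem" && echo "with intermediate: chain complete"
    rm -rf "$work"
}
main
```

On the appliance the cert.pem and key.pem pair goes in through the "Certificate" import type and the intermediate(s) from chain.pem through the CA certificate import, since a commercial leaf on its own is exactly the incomplete chain that mobile clients reject. After the cert is assigned to the policy, `openssl s_client -connect owa.example.com:443 -showcerts` (host name assumed) shows which certificates the appliance actually sends, which is the quickest way to confirm the intermediate is now in the chain.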
