Solved

how to install a certificate on Fortigate 200D

Posted on 2014-10-13
2,430 Views
Last Modified: 2014-10-14
Question by: Eprs_Admin

Hi Experts,

I have a Fortigate 200D firewall and I have to install a new certificate.
The cert is in a .pfx file.
When I try to install it I always get an error message: the file is invalid.
Please can you help me?

Expert Comment by: Dave Howe

Should work. Are you selecting the PKCS#12 certificate type for import?

Author Comment by: Eprs_Admin

Yes, when I export the PKCS#12 cert I get a .pfx file.
Is .pfx OK?

Because in the Forti docs they write it needs a .p12 file.

So what is right?

Author Comment by: Eprs_Admin

PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.

Author Comment by: Eprs_Admin

This is the error:

Failed to import pkcs12 file.

Accepted Solution by: Dave Howe (earned 500 total points)

PFX and PKCS#12 are the same thing (PFX is the Microsoft name for the file type).

You can of course try importing in a different format and see if that is more successful - there is a free tool here that can import a .pfx file and export the cert and key separately as PEM formatted files, suitable for the "certificate" import type. That will also allow you to easily test that the password for the .pfx file is correct (and optionally you can export the PEM files without a password, so you will not need to specify one when importing the files).

Author Comment by: Eprs_Admin

OK, I have converted the cert to PEM format.
Now I have 2 files: a certificate file and a key file.

Author Comment by: Eprs_Admin

On the Fortinet I have selected the CERTIFICATE option and imported the cert successfully.

Author Comment by: Eprs_Admin

But I still have cert errors on my mobiles and tablets.
Do I have to restart my Fortinet as well?

Expert Comment by: Dave Howe

You need to select the imported certificate for whatever purpose you are now using it for - you now have it available to select, though. What role(s) do you want to use the new cert for?

I am assuming this is a commercial cert, so you don't need to add your own root to the devices.

Author Comment by: Eprs_Admin

I want to use it for OWA SSL.
The cert is selected in the policy and I can see the cert on my mobiles and tablets.
But still with problems.

Author Comment by: Eprs_Admin

Do I have to install the cert also on my CAS server for OWA (Exchange)?

Expert Comment by: Dave Howe

Depends on configuration. It is possible (but not the default) to reverse accelerate (that is, proxy) the HTTPS connection on the Fortinet. If this is the case, then the security policy will contain the settings "webcache-https" and "ssl-server" - the latter block will specify the key (the one you imported) and the mode of MITM employed.

In full mode, the data is re-encrypted, so the CAS will require a cert (not necessarily the same cert). In half mode, the traffic to the CAS is not encrypted (so no cert is needed there). In normal mode (no SSL acceleration) the traffic is simply passed through to the CAS server (this is a bad idea, CAS servers are not known for their security and usually you put a TMG in front of them; however, the Fortinet should be OK to do this function too), in which case the only cert will be on the CAS server, and the Fortinet will not look at the traffic at all (hence will not need the cert).

Author Comment by: Eprs_Admin

OK, solved.
On the Fortigate I needed some more certs from Comodo, because the RSA chain was not complete.
