Solved

How to install a certificate on Fortigate 200D

Posted on 2014-10-13
2,646 Views
Last Modified: 2014-10-14
Hi Experts,

I have a Fortigate 200D firewall and I have to install a new certificate.
The cert is in .pfx file.
When I try to install it I always get an error message: the file is invalid.
Please can you help me?
Question by:Eprs_Admin
13 Comments
LVL 33

Expert Comment

by:Dave Howe
ID: 40376863
Should work. Are you selecting the PKCS#12 certificate type for import?

Author Comment

by:Eprs_Admin
ID: 40376970
Yes, when I export the PKCS#12 cert, I get a .pfx file.
Is .pfx OK?

Because in the Forti docs they write that it needs a .p12 file.

So what is right?

Author Comment

by:Eprs_Admin
ID: 40376973
PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.

Author Comment

by:Eprs_Admin
ID: 40376978
This is the error:

Failed to import pkcs12 file.

LVL 33

Accepted Solution

by:Dave Howe (earned 500 total points)
ID: 40377202
.pfx and PKCS#12 are the same thing (.pfx is the Microsoft name for the file type).

You can of course try importing in a different format and see if that is more successful. There is a free tool here that can import a .pfx file and export the cert and key separately as PEM-formatted files, suitable for the "Certificate" import type. That will also allow you to easily test that the password for the .pfx file is correct (and optionally, you can export the PEM files without a password, hence you will not need to specify one when importing the files).

Author Comment

by:Eprs_Admin
ID: 40379256
OK, I have converted the cert to PEM format.
Now I have two files: a certificate file and a key file.

Author Comment

by:Eprs_Admin
ID: 40379260
On the Fortinet I have selected the CERTIFICATE option and imported the cert successfully.

Author Comment

by:Eprs_Admin
ID: 40379262
But I still have cert errors on my mobiles and tablets.
Do I have to restart my Fortinet as well?
LVL 33

Expert Comment

by:Dave Howe
ID: 40379276
You need to select the imported certificate for whatever purpose you are now using it for; you now have it available to select, though. What role(s) do you want to use the new cert for?

I am assuming this is a commercial cert, so you don't need to add your own root to the devices.

Author Comment

by:Eprs_Admin
ID: 40379297
I want to use it for OWA SSL.
The cert is selected in the policy and I can see the cert on my mobiles and tablets.
But still with problems.

Author Comment

by:Eprs_Admin
ID: 40379299
Do I have to install the cert also on my CAS server for OWA (Exchange)?
LVL 33

Expert Comment

by:Dave Howe
ID: 40379357
Depends on configuration. It is possible (but not the default) to reverse accelerate (that is, proxy) the HTTPS connection on the Fortinet. If this is the case, then the security policy will contain the settings "webcache-https" and "ssl-server"; the latter block will specify the key (the one you imported) and the mode of MITM employed.

In full mode, the data is re-encrypted, so the CAS will require a cert (not necessarily the same cert). In half mode, the traffic to the CAS is not encrypted (so no cert is needed there). In normal mode (no SSL acceleration) the traffic is simply passed through to the CAS server (this is a bad idea; CAS servers are not known for their security, and usually you put a TMG in front of them; however, the Fortinet should be OK to do this function too), in which case the only cert will be on the CAS server, and the Fortinet will not look at the traffic at all (hence will not need the cert).

Author Comment

by:Eprs_Admin
ID: 40379724
OK, solved.
On the FortiGate I needed some more certs from Comodo, because the RSA chain was not complete.
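The two things this thread turns on, shown with the openssl command line as an added example that is not part of the original thread or of Fortinet's tooling: the conversion the accepted answer recommends (split a .pfx/.p12 into separate PEM certificate and key files, which also checks the bundle password), and the problem the last post found (a bundle that carries only the leaf certificate, so the firewall serves an incomplete chain). The working directory, all file names, the password "changeit" and the throw-away root CA / server certificate pair are constructed for the demonstration; a real deployment would use the bundle exported from the server or supplied by the CA.

```shell
#!/bin/sh
# Added example, not code from the original thread. Uses openssl to do what
# the accepted answer's free tool does (pfx -> PEM cert + key) and to detect
# the missing-intermediate problem from the final post. Paths, names, the
# password "changeit" and the test CA/server pair are all constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# pfx_to_pem BUNDLE PASSWORD OUTPREFIX
# Writes OUTPREFIX.cert.pem (leaf), OUTPREFIX.key.pem (unencrypted key) and
# OUTPREFIX.chain.pem (whatever CA certificates were bundled in the .pfx).
# A wrong password fails openssl's MAC check, so the function returns non-zero.
# The "Bag Attributes" header lines openssl prints are harmless to PEM readers.
pfx_to_pem() {
  bundle=$1; pass=$2; out=$3
  openssl pkcs12 -in "$bundle" -passin "pass:$pass" -clcerts -nokeys \
    -out "$out.cert.pem" || return 1
  openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes \
    -out "$out.key.pem" || return 1
  openssl pkcs12 -in "$bundle" -passin "pass:$pass" -cacerts -nokeys \
    -out "$out.chain.pem" || return 1
  chmod 600 "$out.key.pem"          # the key is now plaintext; restrict it
}

# chain_is_complete LEAF CHAIN
# Returns 0 when the CA certificates extracted from the bundle build a path
# for the leaf, non-zero when intermediates are missing (clients then show
# certificate errors even though the server cert itself imported fine).
chain_is_complete() {
  leaf=$1; chain=$2
  [ -s "$chain" ] || return 1       # empty file: bundle had no CA certs at all
  openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1
}

# make_test_bundle: build a constructed root CA and server certificate so the
# example runs offline, then pack them two ways: with and without the chain.
make_test_bundle() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=owa.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -out "$WORK/server.pem" >/dev/null 2>&1
  # Export from a server that had the chain installed: -certfile bundles it.
  openssl pkcs12 -export -in "$WORK/server.pem" -inkey "$WORK/server.key" \
    -certfile "$WORK/ca.pem" -passout pass:changeit -out "$WORK/full.pfx"
  # Export that carries the leaf only, the situation diagnosed in the thread.
  openssl pkcs12 -export -in "$WORK/server.pem" -inkey "$WORK/server.key" \
    -passout pass:changeit -out "$WORK/leafonly.pfx"
}

demo() {
  make_test_bundle
  for name in full leafonly; do
    pfx_to_pem "$WORK/$name.pfx" changeit "$WORK/$name"
    if chain_is_complete "$WORK/$name.cert.pem" "$WORK/$name.chain.pem"; then
      echo "$name.pfx: chain complete; import cert, key and the CA certs"
    else
      echo "$name.pfx: chain incomplete; obtain the issuing CA certs too"
    fi
  done
}

demo
```

Run it with `sh` to see the two outcomes side by side; for a real bundle, source the file (after removing the final `demo` line) and call `pfx_to_pem yourfile.pfx 'password' outprefix`. If `chain_is_complete` fails for the result, the intermediate CA certificates have to be obtained from the issuing CA and imported on the firewall as CA certificates next to the server certificate, which is exactly what the final post describes. The extracted key file is unencrypted, so remove it once the import has succeeded.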
