Solved

how to install a certificate on Fortigate 200D

Posted on 2014-10-13
Last Modified: 2014-10-14
Hi Experts,

I have a Fortigate 200D firewall and I have to install a new certificate.
The cert is in .pfx file.
When I try to install it I always get an error message: the file is invalid.
Please can you help me?
Question by:Eprs_Admin
13 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40376863
Should work. Are you selecting the PKCS#12 certificate type for import?
 

Author Comment

by:Eprs_Admin
ID: 40376970
Yes, when I export the PKCS#12 cert I get a .pfx file.
Is .pfx OK?

Because in the Forti docs they write that it needs a .p12 file.

So which is right?
 

Author Comment

by:Eprs_Admin
ID: 40376973
PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.

Author Comment

by:Eprs_Admin
ID: 40376978
This is the error:

Failed to import pkcs12 file.

 
LVL 33

Accepted Solution

by:Dave Howe (earned 500 total points)
ID: 40377202
PFX and PKCS#12 are the same thing (PFX is the Microsoft name for the file type).

You can of course try importing in a different format and see if that is more successful. There is a free tool here that can import a .pfx file and export the cert and key separately as PEM-formatted files, suitable for the "certificate" import type. That will also allow you to easily test that the password for the .pfx file is correct (and optionally you can export the PEM files without a password, so you will not need to specify one when importing the files).
 

Author Comment

by:Eprs_Admin
ID: 40379256
OK, I have converted the cert to PEM format.
Now I have 2 files: a certificate file and a key file.
 

Author Comment

by:Eprs_Admin
ID: 40379260
On the Fortinet I have selected the CERTIFICATE option and imported the cert successfully.
 

Author Comment

by:Eprs_Admin
ID: 40379262
But still I have cert errors on my mobiles and tablets.
Do I have to restart my Fortinet as well?
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40379276
You need to select the imported certificate for whatever purpose you are now using it for; you now have it available to select, though. What role(s) do you want to use the new cert for?

I am assuming this is a commercial cert, so you don't need to add your own root to the devices.
 

Author Comment

by:Eprs_Admin
ID: 40379297
I want to use it for OWA SSL.
The cert is selected in the policy and I can see the cert on my mobiles and tablets.
But still with problems.
 

Author Comment

by:Eprs_Admin
ID: 40379299
Do I have to install the cert also on my CAS server for OWA (Exchange)?
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40379357
Depends on configuration. It is possible (but not the default) to reverse accelerate (that is, proxy) the HTTPS connection on the Fortinet. If this is the case, then the security policy will contain the settings "webcache-https" and "ssl-server"; the latter block will specify the key (the one you imported) and the mode of MITM employed.

In full mode, the data is re-encrypted, so the CAS will require a cert (not necessarily the same cert). In half mode, the traffic to the CAS is not encrypted (so no cert is needed there). In normal mode (no SSL acceleration) the traffic is simply passed through to the CAS server (this is a bad idea; CAS servers are not known for their security and usually you put a TMG in front of them, however the Fortinet should be OK to do this function too), in which case the only cert will be on the CAS server, and the Fortinet server will not look at the traffic at all (hence it will not need the cert).
 

Author Comment

by:Eprs_Admin
ID: 40379724
OK, solved.
On the FortiGate I needed some more certs from Comodo, because the RSA chain was not complete.
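The two things this thread turned on, as an added example that is not part of the thread, the unnamed free tool, or any Fortinet code: the accepted solution's advice to split the .pfx into separate PEM certificate and key files and to check its password, and the closing comment's finding that the import only worked once the missing intermediate certificates were added. The script builds a constructed root/intermediate/leaf chain with openssl, packs only the leaf and key into a password-protected .pfx (the usual shape of an exported bundle), and shows that the extracted certificate fails to verify until the intermediate is supplied. It assumes openssl 1.1.1 or later on the PATH; the hostname, subjects and password are all constructed.

```shell
#!/bin/sh
# Added example, not from the thread: round-trip a .pfx (PKCS#12) bundle through
# PEM with openssl, test its password, and check whether the chain is complete.
# All certificates are constructed test material (root -> intermediate -> leaf).
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PFX_PASS='constructed-test-password'

# Build the constructed chain with explicit basicConstraints so verify accepts the CAs.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:owa.example.test\n' > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Root' \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -days 3 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 3 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=owa.example.test' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 3 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  # Pack leaf + key only: an exported .pfx frequently lacks the intermediates.
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
    -out "$WORK/bundle.pfx" -passout "pass:$PFX_PASS"
}
# Prints ok if the password opens the .pfx, bad otherwise (MAC check fails).
pfx_password_ok() {
  if openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null; then echo ok; else echo bad; fi
}
# Split the .pfx into the two PEM files the "Certificate" import type expects:
# $3 receives the server certificate, $4 the unencrypted private key.
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4" 2>/dev/null
}
# Prints complete if leaf $1 chains to trusted root $2, using the optional
# intermediates file $3 (omit it to model a device holding only the leaf).
chain_complete() {
  if openssl verify -CAfile "$2" ${3:+-untrusted $3} "$1" >/dev/null 2>&1; then echo complete; else echo incomplete; fi
}

make_chain
pfx_to_pem "$WORK/bundle.pfx" "$PFX_PASS" "$WORK/server.pem" "$WORK/server.key"
echo "password check:    $(pfx_password_ok "$WORK/bundle.pfx" "$PFX_PASS")"
echo "leaf only:         $(chain_complete "$WORK/server.pem" "$WORK/root.pem")"
echo "with intermediate: $(chain_complete "$WORK/server.pem" "$WORK/root.pem" "$WORK/int.pem")"
```

With a real bundle, run `pfx_password_ok` first: the device reports a wrong password and a malformed file the same way, so ruling out the password before converting saves a round of guessing.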
