how to install a certificate on Fortigate 200D

Posted on 2014-10-13
Last Modified: 2014-10-14
Hi Experts,

I have a Fortigate 200D firewall and I have to install a new certificate.
The cert is in a .pfx file.
When I try to install it I always get an error message: the file is invalid.
Please can you help me?
Question by: Eprs_Admin

13 Comments
Expert Comment by: Dave Howe (ID: 40376863)

Should work. Are you selecting the PKCS#12 certificate type for import?


Author Comment by: Eprs_Admin (ID: 40376970)

Yes, when I export the PKCS#12 cert, then I get a .pfx file.
Is .pfx OK?

Because in the Forti docs they write it needs a .p12 file.

So what is right?


Author Comment by: Eprs_Admin (ID: 40376973)

PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.

Author Comment by: Eprs_Admin (ID: 40376978)

This is the error:

Failed to import pkcs12 file.

Accepted Solution by: Dave Howe (earned 2000 total points, ID: 40377202)

.pfx and PKCS#12 are the same thing (.pfx is the Microsoft name for the file type).

You can of course try importing in a different format and see if that is more successful. There is a free tool here that can import a .pfx file and export the cert and key separately as PEM formatted files, suitable for the "Certificate" import type. That will also allow you to easily test that the password for the .pfx file is correct (and optionally, you can export the PEM files without a password, hence you will not need to specify one when importing the files).


Author Comment by: Eprs_Admin (ID: 40379256)

OK, I have converted the cert to PEM format.
Now I have 2 files created: a certificate file and a key file.

Author Comment by: Eprs_Admin (ID: 40379260)

On the Fortinet I have selected the CERTIFICATE option and imported the cert successfully.

Author Comment by: Eprs_Admin (ID: 40379262)

But still I have cert errors on my mobiles and tablets.
Do I have to restart my Fortinet as well?

Expert Comment by: Dave Howe (ID: 40379276)

You need to select the imported certificate for whatever purpose you are now using it for; you now have it available to select though. What role(s) do you want to use the new cert for?

I am assuming this is a commercial cert, so you don't need to add your own root to the devices.


Author Comment by: Eprs_Admin (ID: 40379297)

I want to use it for OWA SSL.
The cert is selected in the policy and I can see the cert on my mobiles and tablets.
But still with problems.


Author Comment by: Eprs_Admin (ID: 40379299)

Do I have to install the cert also on my CAS server for OWA (Exchange)?

Expert Comment by: Dave Howe (ID: 40379357)

Depends on configuration. It is possible (but not the default) to reverse accelerate (that is, proxy) the HTTPS connection on the Fortinet. If this is the case, then the security policy will contain the settings "webcache-https" and "ssl-server"; the latter block will specify the key (the one you imported) and the mode of MITM employed.

In full mode, the data is re-encrypted, so the CAS will require a cert (not necessarily the same cert). In half mode, the traffic to the CAS is not encrypted (so no cert is needed there). In normal mode (no SSL acceleration) the traffic is simply passed through to the CAS server (this is a bad idea; CAS servers are not known for their security and usually you put a TMG in front of them, however the Fortinet should be OK to do this function too), in which case the only cert will be on the CAS server, and the Fortinet will not look at the traffic at all (hence, will not need the cert).


Author Comment by: Eprs_Admin (ID: 40379724)

OK, solved.
On the Fortigate I needed some more certs from Comodo, because the RSA chain was not complete.
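The two steps this thread turned on, as an added example that is not from the thread or from Fortinet: the PFX-to-PEM split and password test the accepted answer describes, and the chain-completeness check behind the final fix, done with openssl against a constructed test PKI (the CA names, the host name owa.example.test and the password "secret" are all made up).

```shell
#!/bin/sh
# Added example, not from the thread. Builds a constructed root -> intermediate -> leaf
# PKI, bundles leaf + key into a PFX (the shape the asker had), splits it into the PEM
# cert and key files the "Certificate" import type accepts, and checks the chain.
set -e
WORK=$(mktemp -d)
cd "$WORK"
make_test_pki() {
  # Constructed root and intermediate CA (names are made up).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Test Root CA" -days 30 >/dev/null 2>&1
  printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Test Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out inter.pem -days 30 >/dev/null 2>&1
  # Leaf certificate for the (made up) OWA host name, signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes -keyout owa.key -out owa.csr \
    -subj "/CN=owa.example.test" >/dev/null 2>&1
  openssl x509 -req -in owa.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out owa.pem -days 30 >/dev/null 2>&1
  # Leaf + key only, no intermediate: a PFX that imports but serves an incomplete chain.
  openssl pkcs12 -export -in owa.pem -inkey owa.key -out owa.pfx -passout pass:secret
}

# The password test from the accepted answer: parse the PFX, write nothing.
pfx_password_ok() {  # $1 = pfx file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Split the PFX into a PEM certificate file and an unencrypted PEM key file.
pfx_to_pem() {  # $1 = pfx file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out cert.pem 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out key.pem 2>/dev/null
}

# Chain check: does the leaf verify up to the trusted root, with or without intermediates?
chain_verifies() {  # $1 = leaf, $2 = trusted root, optional $3 = intermediates (PEM)
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

make_test_pki
pfx_to_pem owa.pfx secret
# The leaf alone does not verify (issuer missing); leaf + intermediate in one file does.
cat cert.pem inter.pem > fullchain.pem
```

Clients that trust only the root see exactly the "leaf alone" case when the device serves no intermediate, which is the error the asker saw on mobiles and tablets. If a device rejects a PFX written by OpenSSL 3, `openssl pkcs12 -export -legacy` produces the older RC2/3DES encoding that some importers still expect.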