Manage Certificates

FortiGate uses certificates for: HTTPS admin GUI, SSL VPN portal, IPsec auth (when using cert mode), deep SSL inspection, server certs for inbound services. Each role has its own cert; manage all from one screen.

Cert Types on FortiGate

  • Local Certificates — owned by the FortiGate (CN matches the FortiGate's services). Used for HTTPS, SSL VPN, etc.
  • CA Certificates — trusted certificate authorities. Used to verify other parties' certs (e.g. LDAP server, deep SSL inspection signing).
  • Remote Certificates — certs from other parties (LDAP servers, etc.).
  • Certificate Signing Requests (CSRs) — pending requests waiting for CA signature.

Steps

Generate a CSR for a new cert

When you need a public cert from a commercial CA:

  1. System → Certificates → + Create / Import → Generate CSR.
  2. Fill in:
    • Certificate Name — internal name, e.g. vpn-portal-2026.
    • Subject Information — CN (FQDN), Org, Org Unit, Locality, State, Country, Email.
    • Subject Alternative Names — extra FQDNs the cert should cover.
    • Key Type — RSA or Elliptic Curve.
    • Key Size — 2048 minimum, 4096 preferred.
    • Enrollment Method — File-Based (download CSR, submit to CA manually) or Online SCEP/EST (if your CA supports it).
  3. Generate. Download the CSR .req file.
  4. Submit to your CA, get the signed cert back.
  5. System → Certificates → click the pending CSR → Import Local Certificate → upload signed cert.

Import an existing cert (PEM/PKCS12)

  1. System → Certificates → + Create / Import → Certificate.
  2. Type:
    • Certificate — upload a .crt / .pem + private key.
    • PKCS #12 Certificate — upload a .p12 / .pfx.
  3. Provide files + password (for PKCS12).
  4. Certificate Name — friendly name.
  5. OK.
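Added example, not from this page or from Fortinet: when the key pair is generated off-box instead of with the FortiGate's own Generate CSR, the same CSR fields (CN, SANs, key size) can be produced and checked with openssl before the .req goes to the CA, and the CA-signed result bundled into a .p12 for the PKCS #12 import above. The directory, file names, "Example Org", and the example FQDNs are all assumptions. The trade-off to keep in mind: a CSR generated on the FortiGate keeps the private key on the box, while this route leaves a copy of the key on the workstation, so the .key and .p12 files need the same care as the import password.

```sh
#!/bin/sh
# Added example (not FortiGate code): build a key and CSR offline with openssl,
# inspect the CSR before submitting it, and bundle the signed certificate into
# a PKCS #12 file for the FortiGate "PKCS #12 Certificate" import path.
# Directory, file names, subject fields and FQDNs below are assumptions.

KEY_BITS=${KEY_BITS:-4096}   # page guidance: 2048 minimum, 4096 preferred

# make_csr DIR NAME CN [SAN ...]
# Writes DIR/NAME.key (RSA, KEY_BITS) and DIR/NAME.req; the CN and every extra
# FQDN are listed as DNS entries in the subjectAltName extension.
# Prints the CSR path on success.
make_csr() {
  dir=$1
  name=$2
  cn=$3
  shift 3
  sans=""
  for host in "$cn" "$@"; do
    sans="${sans:+$sans,}DNS:$host"
  done
  openssl req -new -newkey "rsa:$KEY_BITS" -nodes -sha256 \
    -keyout "$dir/$name.key" -out "$dir/$name.req" \
    -subj "/C=US/O=Example Org/CN=$cn" \
    -addext "subjectAltName=$sans" >/dev/null 2>&1 || return 1
  chmod 600 "$dir/$name.key"   # the private key stays readable only by its owner
  printf '%s\n' "$dir/$name.req"
}

# csr_key_bits CSR -> prints the RSA modulus size (check it against the 2048/4096 rule)
csr_key_bits() {
  openssl req -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# csr_sans CSR -> prints each DNS SAN in the request on its own line
csr_sans() {
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# csr_has_san CSR FQDN -> success if FQDN is among the DNS SANs
csr_has_san() {
  csr_sans "$1" | grep -qx "$2"
}

# to_pkcs12 CERT KEY OUT PASSWORD FRIENDLY_NAME
# Bundles the CA-signed cert with its private key; PASSWORD is what the
# FortiGate import dialog asks for, FRIENDLY_NAME is the bag name inside the file.
to_pkcs12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
    -name "$5" -passout "pass:$4" >/dev/null 2>&1
}

# pkcs12_cert_count FILE PASSWORD -> number of certificates in the bundle.
# A quick sanity check that the file opens with the password you are about to type.
pkcs12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
```

Typical use: `make_csr ./out vpn-portal-2026 vpn.example.test portal.example.test`, confirm `csr_key_bits` and `csr_sans` show what you expect before submitting the .req, then `to_pkcs12 signed.crt ./out/vpn-portal-2026.key bundle.p12 '<password>' vpn-portal-2026` and import the .p12. OpenSSL 3 writes AES-based PKCS #12 bundles by default; if an importer rejects the file, `openssl pkcs12 -export -legacy` produces the older encryption layout.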

Generate a Let's Encrypt cert (FortiOS 7.2+)

  1. System → Certificates → + Create / Import → Certificate → Let's Encrypt.
  2. Certificate Name — friendly name.
  3. Domain — the FQDN.
  4. Email — for LE renewal notices.
  5. Apply. FortiGate requests the certificate from Let's Encrypt and answers the HTTP-01 challenge that LE's validation servers send to the domain.

Requirements:

  • Public DNS for the domain pointing at this FortiGate's WAN IP.
  • TCP/80 open inbound (LE validates via HTTP).
  • A firewall policy allowing the validation traffic.

📸 Screenshot needed

System → Certificates page showing the list with multiple certs, plus the Generate CSR dialog open.

Assign a cert to a service

  • HTTPS admin GUI: config system global; set admin-server-cert <name>; end.
  • SSL VPN: VPN → SSL-VPN Settings → Server Certificate.
  • Server cert for inbound proxy: select in the relevant proxy config.

CLI Equivalent (import)

# Local cert (PEM): the certificate and its matching private key, each pasted
# as a multi-line quoted string. Add "set password <passphrase>" if the key is encrypted.
config vpn certificate local
    edit "vpn-portal-2026"
        set certificate "-----BEGIN CERTIFICATE-----
..."
        set private-key "-----BEGIN PRIVATE KEY-----
..."
    next
end

# CA cert: a trusted issuer, used to verify other parties' certificates
config vpn certificate ca
    edit "MyCA"
        set ca "-----BEGIN CERTIFICATE-----
..."
    next
end

Verify

get vpn certificate local
get vpn certificate ca

From outside, check what cert is being served:

openssl s_client -connect <fortigate-fqdn>:443 -servername <fortigate-fqdn> < /dev/null \
  | openssl x509 -noout -subject -issuer -dates

Common Issues

  • Browser warns about cert. Cert is self-signed, expired, or CN mismatch. Get a proper cert from LE or commercial CA.
  • SSL VPN cert change doesn't apply. Restart SSL VPN: diagnose vpn ssl restart or reboot.
  • Cert imported, can't select for HTTPS. Cert is missing the private key, or wrong key type. Re-import.
  • Let's Encrypt fails: "domain not reachable." Public DNS / firewall issue. Check curl http://<fqdn>/ from outside.
  • PKCS12 import fails. Wrong password. Re-extract .p12.
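Added example, not from this page or from Fortinet: the checks below cover the "Common Issues" above (self-signed, expired, CN/SAN mismatch, certificate without a matching private key) and run against a PEM certificate on disk, either one you are about to import or the one the FortiGate actually serves, fetched with the same openssl s_client command the Verify section uses. File names and host names are assumptions.

```sh
#!/bin/sh
# Added example (not FortiGate code): checks for the certificate problems listed
# under Common Issues, using only openssl. File and host names are assumptions.

# served_cert FQDN [PORT] -> writes the leaf certificate the service presents (PEM) to stdout
served_cert() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# cert_is_self_signed CERT -> success if issuer equals subject (the "browser warns" case)
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# cert_valid_for_days CERT DAYS -> success if the cert is still valid DAYS days from now
# (DAYS=0 answers "is it expired right now?")
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_matches_host CERT FQDN -> success if FQDN matches the SAN (or CN when no SAN is present)
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# cert_key_match CERT KEY -> success if KEY's public half equals the cert's public key.
# Comparing the SubjectPublicKeyInfo works for RSA and EC alike, so it also catches
# the "wrong key type" import failure.
cert_key_match() {
  cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# check_cert CERT FQDN [KEY] -> one line per finding; non-zero if anything blocks use
check_cert() {
  rc=0
  cert_is_self_signed "$1" && { echo "self-signed: browsers will warn"; rc=1; }
  cert_valid_for_days "$1" 0  || { echo "expired"; rc=1; }
  cert_valid_for_days "$1" 30 || echo "expires within 30 days: plan renewal"
  cert_matches_host "$1" "$2" || { echo "hostname $2 not in SAN/CN"; rc=1; }
  if [ -n "${3:-}" ]; then
    cert_key_match "$1" "$3" || { echo "private key does not match certificate"; rc=1; }
  fi
  return $rc
}
```

Typical use: `served_cert fw.example.test > served.pem && check_cert served.pem fw.example.test` to see what clients get, or `check_cert new.crt vpn.example.test new.key` before importing a pair. The key-match check is the one to run when a freshly imported certificate cannot be selected for HTTPS.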