Mastering SSL Certificate Installation on FortiGate Firewall: A Comprehensive Guide for Secure Network Operations
In an era where cyber threats loom large at every digital corner, the humble SSL certificate has become the bedrock of secure communication. For organizations relying on Fortinet's FortiGate next-generation firewalls, properly installing and managing SSL certificates is not just an IT task; it is a security requirement. Whether securing administrative access to the firewall itself or enabling SSL VPN connections for a remote workforce, a correctly configured certificate eliminates browser warnings, lets clients detect man-in-the-middle attempts instead of silently accepting them, and protects data integrity.
This comprehensive guide synthesizes technical documentation from Fortinet, leading Certificate Authorities (CAs) like DigiCert and Sectigo, and industry best practices to provide network administrators with a definitive resource for installing SSL certificates on FortiGate firewalls.
Why a Valid SSL Certificate Matters for Your FortiGate
When a FortiGate firewall uses its default self-signed certificate for HTTPS administrative access or SSL VPN connections, end users and administrators are greeted with ominous security warnings. According to Fortinet Community documentation, these warnings often lead users to blindly click "Continue," inadvertently training them to bypass security protocols—a dangerous habit.
A certificate signed by a trusted third-party Certificate Authority accomplishes three essential goals:
- Authentication: Proves that clients are communicating with the legitimate FortiGate device rather than an impostor or an interposed proxy
- Encryption: Anchors the TLS key exchange, so the session keys that encrypt traffic are shared only with the authenticated device; without a trusted certificate the encryption still happens, but nobody can tell with whom
- Data Integrity: Ensures information cannot be tampered with during transmission without detection
Understanding FortiGate Certificate Types
Before diving into installation procedures, it's crucial to understand how FortiGate organizes certificates. Navigate to System > Certificates (enable under Feature Visibility if necessary) to view four distinct sections:
| Certificate Type | Description | Common Use Cases |
|---|---|---|
| Local CA Certificate | Default certificates generated at first boot; root CA certificates imported with private key | SSL inspection, internal CA functions |
| Local Certificate | Certificates installed with private key (PEM + private key or PKCS12) | GUI access, SSL VPN, site-to-site VPN, virtual server SSL offloading |
| Remote CA Certificate | CA certificates used to trust other certificates | LDAPS, PKI authentication, SSL VPN client CA |
| Remote Certificate | Certificates imported without private key | SSO configurations, FSSO trusted certificates |
Pre-Installation Requirements and Considerations
Critical SAN Requirements
Modern browsers mandate that certificates include the exact address used to access the FortiGate in the Subject Alternative Name (SAN) field. As highlighted in Fortinet's technical documentation:
- Access via IP (e.g., https://192.0.2.1) → Certificate SAN must include that IP
- Access via FQDN (e.g., https://firewall.company.com) → Certificate SAN must include that name or a wildcard covering it (a wildcard matches a single label only: *.company.com covers firewall.company.com but not company.com or vpn.firewall.company.com)
Domain Name Necessity
A signed certificate requires a registered domain name. Options include:
- Purchasing a domain and configuring an A record pointing to your public IP
- Using FortiDDNS (available with valid FortiGuard subscription)
- Note: Publicly trusted CAs will not issue certificates for internal-only names (such as firewall.local) or private IP addresses; for those, use an internal CA and distribute its root certificate to the clients
Method 1: Generating CSR on FortiGate (Recommended Approach)
This method keeps the private key secure on the FortiGate throughout the process.
Step 1: Generate Certificate Signing Request
- Navigate to System > Certificates
- Click Generate (or Create/Import > Generate CSR)
- Configure the request:
  - Name: Unique identifier for the certificate
  - ID Type: Domain Name
  - Domain Name: Your registered FQDN
  - Email: Administrative contact
  - Key Size: 2048 Bit (minimum)
  - Subject Alternative Name (where your FortiOS version offers the field): every FQDN and IP address used to reach the device, since browsers check the SAN rather than the Common Name
  - Enrollment Method: File Based
- Click OK; the CSR appears with "PENDING" status (the private key stays in this pending entry, so do not delete it before the signed certificate is imported)
- Select the CSR and click Download to save the file
Step 2: Submit CSR to Certificate Authority
- Log into your chosen CA account (DigiCert, Sectigo, GlobalSign, etc.)
- Locate SSL certificate purchase/management section
- Upload the CSR file or paste its contents
- Complete domain validation as required by the CA
- Download the issued certificate package when available
Step 3: Import the Signed Certificate
The import procedure varies based on certificate format:
Scenario A: CSR Generated on FortiGate (PEM/CRT/CER format)
- Navigate to System > Certificates
- Click Create/Import > Certificate > Import Certificate
- Select Local Certificate
- Upload the certificate file (.cer, .crt or .pem; if the GUI rejects a .crt file, rename it to .cer)
- Click Create
Scenario B: Third-Party CSR with PEM Certificate + Private Key
- Navigate to System > Certificates
- Select Import > Local Certificate
- Upload the PEM certificate and private key files
- Password: if the private key file is encrypted, enter its passphrase; otherwise leave the field blank
- Provide a certificate name
- Click Create
Scenario C: PFX/PKCS12 Certificate
- Navigate to System > Certificates
- Select Import > Local Certificate and choose PKCS12 format
- Upload the PFX file
- Enter the passphrase that was set when the PFX was exported (CAs normally issue PEM files; a PFX is usually created by whoever exported the certificate and key from another system)
- Click Create
Step 4: Import Intermediate CA Certificate
Most certificates require intermediate CA certificates for proper trust chain validation:
- Navigate to System > Certificates
- Click Import > CA Certificate
- Upload the intermediate certificate file (typically named "CA-bundle" or similar)
- Click OK
- Verify the certificate appears in "CA Certificates" section
Method 2: Using Third-Party Generated CSR
If your CSR was generated externally, ensure you have both the signed certificate and the corresponding private key. Follow Scenario B or C above based on your certificate format.
Assigning the Certificate to FortiGate Services
For HTTPS Administrative Access
GUI Method:
- Navigate to System > Settings
- Under Administration Settings, locate HTTPS server certificate
- Select your newly imported certificate from the dropdown
- Click Apply (you will be logged out)
CLI Method:
```
config system global
    set admin-server-cert "Your_Certificate_Name"
end
```
For SSL VPN
- Navigate to VPN > SSL-VPN Settings
- Under Connection Settings, find Server Certificate
- Select your certificate from the dropdown
- Configure additional VPN settings as needed
- Click Apply
Troubleshooting Common Issues
"No private key matches this certificate" Error
According to Fortinet Community forums, this occurs when the FortiGate cannot pair the certificate being imported with a private key it holds. The key for a FortiGate-generated CSR lives in that CSR's pending entry, so the error also appears if the pending CSR was deleted, or if the certificate is imported on a different unit from the one that generated the CSR. Solutions include:
- Regenerating the CSR on the FortiGate and having the CA re-issue the certificate against it
- Ensuring PFX/PKCS12 files include the private key and using the correct passphrase
- For PEM certificates from an externally generated CSR, supplying the matching private key file at import (Scenario B)
Certificate Not Trusted by Browsers
Potential causes and resolutions:
- Missing intermediate certificate: Import all CA certificates in the chain
- SAN mismatch: Verify certificate includes the access domain/IP
- Expired certificate: Check validity dates
- Self-signed: Replace with CA-signed certificate
- Revoked: Obtain new certificate
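The SAN, key-match, chain and expiry checks above can be run offline with the openssl CLI before a bundle is imported, and again when a browser reports the certificate as untrusted. The script below is an added example and not Fortinet's or any CA's tooling: it generates a constructed, throwaway root and leaf certificate (standing in for what your CA would issue) so that it runs without network access, and the file names, the name firewall.example.com and the management IP 192.0.2.1 are assumptions. It covers the SAN requirement from the pre-installation section, the "No private key matches this certificate" case, chain validation against the intermediate/root bundle, and the renewal lead time from the best practices below.

```shell
#!/bin/sh
# Offline pre-import and troubleshooting checks for a FortiGate certificate
# bundle, built on the openssl CLI. Added example; not Fortinet or CA tooling.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- Constructed sample material standing in for what a CA would issue ---
# (assumed names: firewall.example.com and management IP 192.0.2.1)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Constructed Test Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=firewall.example.com" \
  -keyout "$WORK/fw.key" -out "$WORK/fw.csr" 2>/dev/null
printf 'subjectAltName=DNS:firewall.example.com,IP:192.0.2.1\nbasicConstraints=CA:FALSE\n' \
  > "$WORK/san.ext"
openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/san.ext" \
  -out "$WORK/fw.crt" 2>/dev/null

# Check 1: the exact name or IP used to reach the FortiGate must appear in the SAN.
# Browsers ignore the CN, so a CN-only certificate fails this check.
san_has() {  # $1 = cert (PEM), $2 = hostname or IP literal
  entries=$(openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//')
  printf '%s\n' "$entries" | grep -qxF "DNS:$2" \
    || printf '%s\n' "$entries" | grep -qxF "IP Address:$2"
}

# Check 2: the private key belongs to the certificate (compare the public keys).
# A mismatch is what FortiGate reports as "No private key matches this certificate".
key_matches_cert() {  # $1 = cert (PEM), $2 = private key (PEM)
  certpub=$(openssl x509 -in "$1" -noout -pubkey)
  keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Check 3: the leaf validates against the CA bundle (intermediates + root).
# Failure here with a CA-issued cert usually means an intermediate is missing.
chain_verifies() {  # $1 = cert (PEM), $2 = CA bundle (PEM)
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 4: the certificate stays valid for at least N more days (renewal lead time).
valid_for_days() {  # $1 = cert (PEM), $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run the checks against the constructed bundle and report like a pre-flight.
for name in firewall.example.com 192.0.2.1 10.0.0.1; do
  if san_has "$WORK/fw.crt" "$name"; then echo "SAN ok:      $name"
  else echo "SAN missing: $name (browser will warn when reached via this name)"; fi
done
if key_matches_cert "$WORK/fw.crt" "$WORK/fw.key"; then echo "key ok:      private key matches certificate"
else echo "key MISMATCH: FortiGate import would fail"; fi
if chain_verifies "$WORK/fw.crt" "$WORK/root.crt"; then echo "chain ok:    validates against CA bundle"
else echo "chain BROKEN: import the missing intermediate/root CA"; fi
if valid_for_days "$WORK/fw.crt" 30; then echo "expiry ok:   more than 30 days left"
else echo "expiry SOON: fewer than 30 days left, start renewal"; fi
```

Against a live device, capture what the FortiGate actually serves with `openssl s_client -connect <host>:443 -servername <host> -showcerts`, save the first certificate block to a file and run san_has and chain_verifies on it. A chain failure on the served certificate while the file you imported passes means the intermediate was never imported under CA Certificates, or the wrong certificate is still bound to the service.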
SSL VPN Connection Failures
If VPN users cannot connect after certificate change:
- Verify the certificate is selected in SSL-VPN Settings
- Confirm the certificate is trusted on client devices (install CA chain if using internal CA)
- Check that firewall policies allow SSL-VPN traffic
Alternative Solutions and Advanced Options
Let's Encrypt Integration
Fortinet's documentation describes Automated Certificate Management Environment (ACME) support, available from FortiOS 7.0 onward, that lets the FortiGate enrol and renew certificates from Let's Encrypt or another ACME-compliant CA on its own. The FortiGate answers the HTTP-01 challenge itself, so TCP port 80 on the enrolment interface must be reachable from the Internet and the public DNS name must resolve to that interface; once that is in place, renewal needs no manual steps.
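The CLI side of such an enrolment, as an added example that is not taken from Fortinet's documentation: the certificate name, domain, contact address and the interface name wan1 are assumptions, and the keywords follow the ACME support introduced with FortiOS 7.0, so check them against the CLI reference for your version. The ACME directory URL defaults to Let's Encrypt and can be changed for another ACME CA. The final two stanzas bind the issued certificate to HTTPS administration and SSL VPN (the admin-server-cert change drops your GUI session, as noted above).

```text
# Interface on which the FortiGate answers the ACME HTTP-01 challenge (TCP/80 must be reachable)
config system acme
    set interface "wan1"
end

# The certificate object; FortiOS generates the key, completes the challenge and renews automatically
config vpn certificate local
    edit "fgt-acme-cert"
        set enroll-protocol acme2
        set acme-domain "firewall.example.com"
        set acme-email "netops@example.com"
    next
end

# Bind the issued certificate to the two services this guide covers
config system global
    set admin-server-cert "fgt-acme-cert"
end
config vpn ssl settings
    set servercert "fgt-acme-cert"
end
```

After the first issuance, System > Certificates shows the certificate with status OK; if it stays pending, confirm from outside your network that http://firewall.example.com/ reaches the FortiGate on port 80, since that is the only path the challenge can take.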
FortiGate as Internal CA
Organizations can use FortiGate's local CA capabilities for internal services, though client devices must trust the FortiGate CA certificate.
Certificate Renewal Process
When renewing an existing certificate:
- Generate a new CSR (this also creates a fresh private key; do not reuse the old CSR or key)
- Submit to CA for re-issuance
- Import new certificate alongside old (both can coexist)
- Update service assignments to new certificate
- Remove old certificate after verification
Best Practices Summary
- Always generate CSR on FortiGate when possible to maintain private key security
- Include SAN entries matching all access methods (IP and FQDN)
- Maintain certificate inventory with expiration tracking
- Back up certificates and keys securely; a FortiGate configuration backup carries the private keys, so encrypt backups and restrict who can read them
- Test certificate installation before assigning to production services
- Monitor certificate expiry and initiate renewal 30+ days prior
- Document the process for consistency across your organization
Conclusion
Installing an SSL certificate on a FortiGate firewall is a straightforward process when approached methodically. Whether securing administrative interfaces or enabling remote workforce connectivity through SSL VPN, a properly configured certificate eliminates security warnings, builds user trust, and maintains the robust security posture that FortiGate devices are known for.
By following the procedures outlined in this guide—generating CSRs correctly, importing certificates with attention to format requirements, and properly assigning certificates to services—network administrators can ensure their FortiGate deployments deliver both security and seamless user experience.
Frequently Asked Questions
What certificate formats does FortiGate support?
FortiGate supports PEM, PKCS12 (PFX), CER, and CRT formats. For PEM certificates without a private key, the private key file must be provided separately unless the CSR was generated on the FortiGate.
Can I use the same SSL certificate for both HTTPS admin access and SSL VPN?
Yes, a single certificate can be assigned to multiple services. Navigate to System > Settings for HTTPS and VPN > SSL-VPN Settings for VPN, selecting the same certificate in both locations.
Why am I getting a "Certificate not trusted" error after installation?
This typically indicates missing intermediate CA certificates, an incomplete certificate chain, or the certificate being self-signed. Import all CA certificates provided by your certificate authority and verify the certificate is signed by a publicly trusted CA.
Do I need a public IP address for my SSL certificate?
The certificate must be valid for the name or IP used to access the FortiGate. While you can use a public FQDN pointing to your firewall's public IP, internal access via private IP requires that IP address be included in the certificate's SAN field.
How do I renew an expiring certificate on FortiGate?
Generate a new CSR on the FortiGate (do not reuse the old CSR), submit it to your CA for renewal, import the newly issued certificate alongside the existing one, update service assignments to use the new certificate, and finally remove the old certificate after confirming functionality.
What is the difference between Local Certificate and Remote Certificate?
Local Certificates include the private key and represent the FortiGate's identity. Remote Certificates are public certificates without private keys, used to verify the identity of remote peers or services.
Can I install a wildcard certificate on FortiGate?
Yes, FortiGate supports wildcard certificates (*.domain.com). Ensure the CSR includes the wildcard name and the certificate is issued accordingly. Keep in mind that a wildcard matches exactly one label: *.domain.com covers fw.domain.com but not domain.com itself or vpn.fw.domain.com, so add those as separate SAN entries if they are used to reach the device.
My PFX import fails with "Invalid password" – what should I do?
Verify the passphrase exactly as it was set when the PFX was exported, including case and special characters. A PFX is normally produced by whoever exported the certificate and key from another system (a Windows server, a load balancer, a previous FortiGate), so the export password comes from that person or tool rather than from the CA. If the password is lost, the practical fix is to export the PFX again from the source system, or to generate a new CSR on the FortiGate and have the certificate re-issued.
How do I verify my certificate is correctly installed?
Check the certificate details in System > Certificates – the status should show "OK" rather than "PENDING". Access your FortiGate via HTTPS and examine the certificate details in your browser; it should show as valid with complete trust chain.
Is it possible to automate certificate renewal on FortiGate?
Yes, FortiGate supports ACME protocol for automated certificate management, compatible with Let's Encrypt and other ACME-compliant CAs. This enables automatic renewal and installation without manual intervention.
Always refer to your specific FortiOS version documentation for version-specific instructions.