Installing GoDaddy SSL Certificates on FortiGate Firewalls: A Technical Investigation

Step-by-step guide to installing GoDaddy SSL certificates on FortiGate firewalls, covering certificate preparation, import procedures, and troubleshooting common issues.

The Certificate Chain Conundrum

Deploying a GoDaddy-issued SSL certificate on a FortiGate firewall presents administrators with a deceptively complex challenge. While the vendor's documentation outlines generic certificate import procedures, the practical implementation reveals nuanced requirements around certificate chain handling, format compatibility, and service binding that demand careful attention.

Prerequisites: Domain Verification and Architecture Constraints

Before initiating certificate procurement, administrators must establish a verifiable domain relationship. GoDaddy's validation protocols require DNS-based ownership confirmation, meaning the FortiGate's public-facing interface must resolve to a registered domain name. This requirement creates an architectural constraint for deployments relying on private IP addresses or captive portal redirection: publicly trusted certificates cannot be issued for non-routable addresses, forcing administrators to implement DNS hostnames that resolve to the firewall's external interface.

Wildcard certificates introduce additional considerations. While GoDaddy issues wildcard certificates covering *.domain.com, FortiGate's certificate parser occasionally rejects these during direct import attempts, particularly when generated through external systems like Microsoft IIS. This incompatibility stems from differences in how certificate authorities encode extended key usage fields and how FortiOS validates certificate structures.

Certificate Preparation: Beyond the Download Button

Generating the Certificate Signing Request

The process begins with CSR generation. FortiGate supports native CSR creation through its certificate management interface, but administrators frequently generate requests externally for greater control over key parameters. When using external tools, ensure the following specifications:

  • RSA key size: 2048 bits minimum (4096 recommended for long-term deployments)
  • Signature algorithm: SHA-256
  • Subject Alternative Names: Include all hostnames requiring certificate validation
  • Key usage: Digital signature, key encipherment, and server authentication flags
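The CSR specifications above, as an added POSIX shell example that is not part of the original guide or of FortiOS: make_csr writes a fresh RSA key and a SHA-256 CSR carrying every hostname as a DNS SAN plus the listed key-usage flags, and csr_check verifies a CSR from any tool against the list before it is submitted to GoDaddy. It assumes OpenSSL 1.1.1 or later on the administrator's workstation; hostnames and file names are placeholders.

```shell
#!/bin/sh
# Example code (not from the guide): build a CSR that meets the list above and
# verify any CSR against it before submitting to GoDaddy. Assumes OpenSSL 1.1.1+;
# hostnames and file names are placeholders.

# make_csr KEYFILE CSRFILE PRIMARY_HOST [EXTRA_HOST ...]
# Writes a new RSA key (KEY_BITS, default 2048; use 4096 for long-lived installs)
# and a SHA-256 CSR listing every hostname as a DNS SAN with the key-usage flags
# from the list. The CA may re-derive extensions, but the request records intent.
make_csr() {
    key=$1; csr=$2; cn=$3; shift 3
    sans="DNS:$cn"
    for h in "$@"; do sans="$sans,DNS:$h"; done
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
[ext]
subjectAltName = $sans
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey "rsa:${KEY_BITS:-2048}" -sha256 -nodes \
        -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# csr_check CSRFILE HOST...: succeed only if the key is at least 2048 bits, the
# request is signed with SHA-256, and every HOST appears as a DNS SAN.
csr_check() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    shift
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] || return 1
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    sans=$(printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
    for h in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$h" || return 1
    done
}
```

Run as `make_csr fw.key fw.csr portal.example.com vpn.example.com` and keep fw.key on the system that will hold the certificate; csr_check also works on a CSR generated by the FortiGate itself once downloaded.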

Downloading and Extracting GoDaddy Certificate Files

Upon validation completion, GoDaddy delivers certificates via email or account dashboard. Select "Other" as the server type during download to receive PEM-formatted files compatible with FortiOS. The archive typically contains:

  1. Primary certificate (your_domain.crt): The leaf certificate bound to your domain
  2. Intermediate bundle (gd_bundle-g2.crt): Chain certificates linking your certificate to GoDaddy's root
  3. Root certificate (optional): GoDaddy's root CA, usually pre-installed in FortiOS trust stores

Extract these files to a secure, accessible location. Preserve file permissions and avoid editing certificate content—any modification to PEM encoding invalidates the cryptographic signature.

Import Procedures: GUI and CLI Pathways

Method One: Web Interface Import

The graphical interface provides the most straightforward import mechanism:

  1. Authenticate to the FortiGate administrative interface
  2. Navigate to System > Certificates
  3. Select Import > Local Certificate
  4. Browse to the primary certificate file and confirm upload
  5. Repeat the process using Import > CA Certificate for the intermediate bundle

Successful import manifests as a status change from "PENDING" to "OK" in the certificate list. The intermediate certificate appears separately under the CA Certificates section, establishing the trust chain required for client validation.

Method Two: CLI Import for Complex Scenarios

When GUI import fails—common with wildcard certificates or non-standard encoding—the command-line interface offers granular control:

  config vpn certificate local
      edit "sslvpn_cert"
          set certificate "-----BEGIN CERTIFICATE-----
  [Paste primary certificate content here]
  -----END CERTIFICATE-----"
          set private-key "-----BEGIN PRIVATE KEY-----
  [Paste private key content if importing separately]
  -----END PRIVATE KEY-----"
      next
  end

For intermediate certificates, use the config vpn certificate ca context with identical syntax. This method bypasses file parsing limitations that occasionally trigger "imported local certificate is invalid" errors during GUI operations.

Wildcard Certificate Conversion Workflow

When direct import of GoDaddy wildcard certificates fails, OpenSSL conversion resolves format incompatibilities. Export the certificate from its source system as a PKCS#12 (.pfx) file, then execute:

  openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
  openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key

These commands extract the public certificate and private key into separate PEM files compatible with FortiOS import routines. Import both files using the procedures outlined above, ensuring the private key remains protected with appropriate file permissions.

Service Binding: Activating the Certificate

Import alone does not activate certificate functionality. Administrators must explicitly assign certificates to services requiring SSL/TLS termination.

SSL VPN Configuration

For remote access VPN services:

  1. Navigate to VPN > SSL > Settings
  2. Locate the Server Certificate dropdown within Connection Settings
  3. Select the imported certificate from the available options
  4. Apply changes and verify connectivity

Administrative Interface and Captive Portal

Securing administrative access follows a similar pattern within System > Admin Settings. Captive portal deployments require additional DNS configuration: the redirection URL must reference a hostname covered by the certificate, not an IP address, to prevent browser trust warnings.

Troubleshooting Common Deployment Failures

Certificate Chain Validation Errors

Client browsers reporting untrusted connections despite successful import typically indicate missing intermediate certificates. FortiGate does not automatically bundle intermediate CAs with leaf certificates during TLS handshakes. Verify both the primary and intermediate certificates appear in the certificate list, and confirm the intermediate is designated as a CA certificate.

Format and Encoding Issues

The "imported local certificate is invalid" message frequently stems from PEM formatting inconsistencies. Ensure certificate files:

  • Begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----
  • Contain no extraneous whitespace or encoding artifacts
  • Use Unix-style line endings (LF) rather than Windows-style (CRLF)

When uncertainty persists, paste certificate content directly via CLI import to bypass file parsing routines.

Private IP and Hostname Mismatches

Certificates issued for portal.example.com will trigger warnings when users access 192.168.1.1. This behavior reflects fundamental PKI design, not configuration error. Resolve by implementing DNS records that map hostnames to the FortiGate's public IP and configuring all user-facing services to reference these hostnames exclusively.
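For the three failure modes above (missing intermediate, PEM formatting, hostname mismatch), an added set of pre-import checks in POSIX shell; this is example code, not from the guide or from Fortinet. It assumes OpenSSL 1.1.1 or later on the administrator's workstation and uses the file names GoDaddy ships; the hostnames are placeholders.

```shell
#!/bin/sh
# Example pre-import checks (not from the guide or Fortinet). Runs on the admin
# workstation with OpenSSL 1.1.1+; file names are the ones GoDaddy ships,
# hostnames are placeholders.

# pem_normalize IN OUT: rewrite with LF line endings and no trailing whitespace,
# the two PEM quirks behind "imported local certificate is invalid".
pem_normalize() {
    tr -d '\r' < "$1" | sed 's/[[:space:]]*$//' > "$2"
}

# pem_check FILE: first line is a BEGIN marker, BEGIN/END markers pair up, no CR
# bytes remain, and every certificate in the file (a bundle holds several)
# parses as X.509.
pem_check() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    LC_ALL=C grep -q "$(printf '\r')" "$1" && return 1
    b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    e=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$b" -eq "$e" ] || return 1
    openssl crl2pkcs7 -nocrl -certfile "$1" >/dev/null 2>&1
}

# chain_check LEAF BUNDLE [ROOT]: confirm the leaf validates through the
# intermediate bundle, which is exactly what a browser checks. Without ROOT the
# workstation's trust store stands in for the FortiOS one.
chain_check() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# san_covers LEAF HOST: succeed if HOST is a DNS SAN or is matched by a
# single-label wildcard SAN (*.example.com covers portal.example.com but not
# a.b.example.com). An IP address never matches, which is why 192.168.1.1 warns.
san_covers() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' \
        | ( while read -r name; do
                case "$name" in
                    "$2") exit 0 ;;
                    \*.*) [ "$2" != "${2#*.}" ] && [ "${2#*.}" = "${name#\*.}" ] && exit 0 ;;
                esac
            done; exit 1 )
}
```

Typical use before touching the firewall: `pem_normalize your_domain.crt fixed.crt`, then `pem_check fixed.crt && chain_check fixed.crt gd_bundle-g2.crt && san_covers fixed.crt portal.example.com`; a failure at any step points at the matching section above.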

Frequently Asked Questions

Q: Can I use a GoDaddy certificate for a FortiGate captive portal with a private IP address?

A: No. Public certificate authorities like GoDaddy cannot issue certificates for private IP addresses or unregistered hostnames. Implement a publicly resolvable DNS hostname that points to your FortiGate's external interface, then configure the captive portal to redirect users to that hostname.

Q: Why does my imported GoDaddy certificate show as invalid in FortiGate?

A: Common causes include missing intermediate certificates, PEM formatting errors, or attempting to import a PKCS#12 file directly. Verify you have imported both the primary certificate and GoDaddy's intermediate bundle, and ensure files use proper PEM encoding. When issues persist, use CLI import with direct certificate content pasting.

Q: How do I renew an expiring GoDaddy certificate on FortiGate without service interruption?

A: Generate a new CSR before the existing certificate expires, submit it to GoDaddy for reissuance, and import the renewed certificate using the same name as the expiring one. FortiGate automatically updates service bindings when certificate names match, minimizing configuration overhead.

Q: Do I need to import GoDaddy's root certificate into FortiGate?

A: Typically no. FortiOS includes major public root CAs in its default trust store. Import only the intermediate certificate bundle provided by GoDaddy, as this establishes the chain between your leaf certificate and the already-trusted root.

Q: Can I use the same GoDaddy wildcard certificate across multiple FortiGate devices?

A: Yes, provided each device possesses the corresponding private key. Export the certificate and private key as a PKCS#12 file from the originating system, then import both components to each FortiGate using the OpenSSL conversion method if direct import fails.