Why SSL?

A signed SSL certificate can be used when configuring SSL VPN, for administrator GUI access, and for other functions that require an SSL certificate.

N.B.: Before creating a certificate, you must have a registered domain. With a valid FortiGuard subscription.

Steps:

Follow these instructions to purchase, import, and use the signed SSL certificate:

1.) Generate a CSR on the FortiGate. You can then open the CSR with any text editor (e.g., Notepad) and copy and paste its contents, including the BEGIN and END tags, during your SSL order.

2.) After the CA validates your CSR, it will issue the SSL certificate via email in an archived ZIP folder. Download the folder to your computer, extract its contents, and import the signed certificate into your FortiGate. There should be two CRT files: a CA certificate with "bundle" in the file name, and a local certificate.

3.) Configure your FortiGate device to use the signed certificate.
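
Before importing the files from step 2, you can confirm on a workstation that the issued certificate carries the same public key as the CSR generated on the FortiGate, that it verifies against the CA bundle, and that it has not expired. The script below is an added example, not part of the original page or Fortinet's documentation; it assumes the OpenSSL command-line tool is installed and that you kept a copy of the CSR, and the file names and the throwaway CA built by `make_sample` are constructed for illustration.

```shell
#!/bin/sh
# Pre-import checks for a CA-issued certificate (added example).

# Print the SHA-256 of the public key in a CSR ($1=req) or certificate ($1=x509).
pubkey_hash() {
    key=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key" ] || return 1
    printf '%s\n' "$key" | openssl dgst -sha256 | awk '{print $NF}'
}

# $1 = CSR downloaded from the FortiGate, $2 = local certificate, $3 = CA bundle.
# Returns 0 if all checks pass, 1 if a check fails, 2 if a file is unreadable.
check_before_import() {
    csr_h=$(pubkey_hash req "$1") || { echo "unreadable CSR: $1"; return 2; }
    crt_h=$(pubkey_hash x509 "$2") || { echo "unreadable certificate: $2"; return 2; }
    if [ "$csr_h" != "$crt_h" ]; then
        echo "MISMATCH: certificate public key differs from the CSR"; return 1
    fi
    # If the bundle holds intermediates only (no root), add -partial_chain.
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "CHAIN: certificate does not verify against $3"; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "EXPIRED: $2"; return 1; }
    echo "OK: key matches CSR, chain verifies, not expired"
}

# Constructed sample data: a throwaway CA, a CSR with its certificate (fgt.*),
# and a certificate issued for a different key (other.crt). $1 = empty directory.
make_sample() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca-bundle.crt \
        -subj "/CN=Constructed Test CA" -days 2 2>/dev/null || exit 1
    for n in fgt other; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/CN=vpn.example.com" 2>/dev/null || exit 1
        openssl x509 -req -in "$n.csr" -CA ca-bundle.crt -CAkey ca.key \
            -CAcreateserial -out "$n.crt" -days 1 2>/dev/null || exit 1
    done
)

# Usage: sh check_cert.sh request.csr certificate.crt ca-bundle.crt
if [ "$#" -eq 3 ]; then
    check_before_import "$@"
fi
```

A MISMATCH result means the certificate was issued for a different key pair than the one behind the pending request, so it is worth resolving with the CA before attempting the import.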

Importing your SSL Certificate to FortiGate:

Log into your FortiGate System.

Browse to System > Certificates.

Select Import > Local Certificate.

Browse to the location and path of your SSL certificate.

Choose the local certificate (.crt) and click OK.

The status of the certificate will now change from PENDING (which it has shown since the CSR was generated) to OK.

Importing your Intermediate CA:

Browse to System > Certificates.

Select Import > CA Certificate.

Browse to the location and path of your Intermediate CA certificate (.ca-bundle file). If required, you can convert the .ca-bundle file to .crt before importing it.

Click OK.

After a successful import, your Intermediate CA should appear under the CA Certificate section of the certificates list.

Configuring your FortiGate VPN to use the signed certificate:

Log in to the FortiGate system, then browse to VPN > SSL-VPN Settings.

In the Connection Settings section, under the “Server Certificate” drop-down, select your new SSL certificate.

Click Apply.

You have configured the FortiGate VPN to use the new SSL certificate.

To change the certificate that is used for administrator GUI access:
  1. Go to System > Settings.
  2. In the Administration Settings section, change HTTPS server certificate as needed.
  3. Select the new SSL certificate from the drop-down and click Apply. You will be logged out of FortiOS, and you can then access the admin GUI with the new certificate.

Ref:

https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/825073/procure-and-import-a-signed-ssl-certificate

https://www.sectigo.com/resource-library/install-certificates-fortigate-ssl-vpn