Generating a CSR and Installing an SSL Certificate on a FortiGate Firewall

Rachel Green

FortiGate firewalls terminate HTTPS in two common places, the SSL Virtual Private Network (VPN) portal and the administrative web interface, and both benefit enormously from a publicly trusted SSL Certificate. Generating the Certificate Signing Request (CSR) on the FortiGate itself is the right approach, because the Private Key is created on the firewall and never has to travel anywhere.

This guide covers current FortiOS releases, where the entire process happens in the web interface.

Prerequisites

You need administrator access to the FortiGate web interface. If the Certificates menu is not visible under System, enable it first under System and Feature Visibility, since some configurations hide it by default.

Decide the hostname before starting, typically something like vpn.yourdomain.com for an SSL VPN deployment. A Wildcard SSL Certificate suits environments where the firewall shares a domain with other services. Explore Our Wildcard SSL Certificates 🔗

Generating the Certificate Signing Request

Navigate to System, then Certificates, and choose Create/Import followed by Generate CSR. Give the entry a recognizable name, enter the Fully Qualified Domain Name (FQDN) you are securing as the domain, and complete the organization details.

Additional hostnames belong in the Subject Alternative Name (SAN) field if the SSL Certificate will cover more than one name. Choose RSA at 2048 bits or stronger, then save. The request appears in the list with a pending status, and its contents can be downloaded for submission.

Submit the request text when placing your order and complete validation as normal. Learn About the Validation Procedure 🔗

Importing the Issued SSL Certificate

Once issued, your SSL Certificate is available in the tracking system. Download it together with the ca-bundle of Intermediate Certificates from the Certificate Authority (CA). View Our Tracking & SSL Management 🔗

Back under System and Certificates, choose Create/Import, then Local Certificate, and upload the issued SSL Certificate file. FortiOS matches it against the pending request automatically, and the status changes from pending to active once the pairing succeeds.

Import the chain separately by choosing Create/Import and then CA Certificate, uploading the ca-bundle. The Intermediate Certificates then appear in their own section of the list, and the firewall serves the complete chain to connecting clients. Learn About Intermediate Certificates 🔗

Assigning the SSL Certificate

For the SSL VPN portal, navigate to VPN, then SSL-VPN Settings, select your new SSL Certificate in the Server Certificate dropdown, and apply. Connecting users immediately stop seeing the warning produced by the factory default Fortinet SSL Certificate.

For the administrative web interface, navigate to System, then Settings, select the SSL Certificate under HTTPS Server Certificate, and apply. Your current administrative session will renegotiate, so a browser reconnect at this point is normal.

Important: The assigned hostname must be the name administrators and VPN users actually type to reach the firewall. An SSL Certificate issued for vpn.yourdomain.com still produces warnings when users connect by IP address, so publish the hostname, not the address, in your VPN client configuration.

With both assignments in place, the result is ready to confirm.

Verifying the Installation

Connect to the SSL VPN portal by its hostname and confirm the SSL Certificate details in the browser. A check from outside your network then confirms that a fresh client, with no cached Intermediate Certificates, receives the full chain, which exposes a skipped CA Certificate import immediately. Trustico® provides free checking tools for this confirmation. Explore Our Trustico® SSL Tools 🔗

Troubleshooting Common Installation Problems

An SSL Certificate stuck on pending after import means the uploaded file does not match the request generated on this firewall, that is, it was not issued for the Private Key behind the pending request. This happens when the file belongs to a different order, or when the request was deleted and recreated after submission. A reissue against the current request resolves it. Learn About Reissuing Your SSL Certificate 🔗

Browser warnings that persist after assignment usually trace to a missing CA Certificate import, which leaves the served chain incomplete. Import the ca-bundle and reconnect.

If the dropdown does not list the new SSL Certificate, the import landed as the wrong type. Local Certificate is the correct import type for the server SSL Certificate, while CA Certificate is only for the chain.

Professional Installation Assistance

FortiGate installations are straightforward when everything matches, but environments mixing SSL VPN, deep inspection profiles, and administrative access can complicate which SSL Certificate belongs where.

Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf. Discover Our Premium Installation Service 🔗

Most Popular Questions

Frequently asked questions covering SSL Certificate installation on FortiGate firewalls, including Feature Visibility, Certificate Signing Request (CSR) generation, import types, SSL VPN and administrative assignment, hostname alignment, pending status resolution, and the Trustico® Premium Installation service.

Enabling the Certificates Menu Through Feature Visibility

If the Certificates menu is not visible under System, enable it first under System and Feature Visibility. Some FortiGate configurations hide the menu by default.

Generating the Certificate Signing Request (CSR) on the FortiGate

Navigate to System and Certificates, choose Create/Import followed by Generate CSR, enter the Fully Qualified Domain Name (FQDN) being secured, and place additional hostnames in the Subject Alternative Name (SAN) field. Generating the request on the FortiGate itself is the right approach, because the Private Key is created on the firewall and never has to travel anywhere.

Local Certificate Versus CA Certificate Import Types

The issued SSL Certificate imports as a Local Certificate, and FortiOS matches it against the pending request automatically, changing the status from pending to active. The ca-bundle imports separately as a CA Certificate, and an SSL Certificate missing from the assignment dropdown usually landed under the wrong import type.

Assigning the SSL Certificate to SSL VPN and Admin Access

For the SSL VPN portal, select the new SSL Certificate in the Server Certificate dropdown under SSL-VPN Settings. For the administrative web interface, select it under HTTPS Server Certificate in the System Settings, noting that the current administrative session will renegotiate, so a browser reconnect at that point is normal.

Connecting by Hostname Instead of IP Address

The assigned hostname must be how administrators and VPN users actually reach the firewall. An SSL Certificate issued for a hostname still produces warnings when users connect by IP address, so publish the hostname in the VPN client configuration.

Resolving an SSL Certificate Stuck on Pending

A stuck pending status after import means the uploaded file does not match the request generated on this firewall, which happens when the file belongs to a different order or when the request was deleted and recreated after submission. A reissue against the current request resolves it.

Premium Installation Assistance for FortiGate Environments

Environments mixing SSL VPN, deep inspection profiles, and administrative access can complicate which SSL Certificate belongs where. Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf.
