Monday, March 27, 2017

Procedure for exporting and re-importing a local certificate with a private key

Description
This procedure explains how to export a local certificate from a FortiGate with its private key and re-import it in another FortiGate.

1 - Save the private key from CLI

1.1 - Go to the CLI menu "config vpn certificate local"
1.2 - Type "show full", and for the given certificate, look for the line starting with: set private-key "-----BEGIN RSA PRIVATE KEY-----"
1.3 - Copy the text from -----BEGIN RSA PRIVATE KEY----- up to -----END RSA PRIVATE KEY----- and save it to a file.
1.4 - Make sure to exclude any special characters, such as the double quote (") for example.
1.5 - An example is provided at the end of this article.


2 - Set a password for the certificate

2.1 - Go to the CLI menu "config vpn certificate local"
2.2 - Edit the given certificate and set a password ("set password <password>")


3 - Export the certificate from the GUI

3.1 - Go to Global --> Certificates --> Local Certificates
3.2 - Select the certificate to export and click "Download"
3.3 - This will provide you with a .cer file, for example "Cert_chain1.cer"


4 - Re-import it on another FortiGate from the GUI

4.1 - Go to "Global --> Certificates --> Local Certificates"
4.2 - Click on "Import" --> "Certificate"
4.3 - In the appropriate fields, select the files saved in step 1 and step 2, and provide the password from step 2
4.4 - Verify from the menu "Global --> Certificates --> Local Certificates" that the certificate is present


Example of private key file

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,21F46CF768868B66

Zw+r9xa1L6r79qbsLnpk7o8Dj99fsdfsdfdYRFvPUhzC0ORelfcPzwrvDoyRQJKJ
QSfAIQ5lwaWsJoWw9e8O1nl8asdwesu4ui0u4LA2l7G6iJPyGy+QMZ2srA32p4iv

[truncated]

bsLnpk7o8Dj99fjsJywFdYRFvPUhzC0ORelfcPzwrvDoyRQJKJfsf9sfsdfsfsfs
QSfAIQ5lwaWsJoWw9e8O1nl8o+EpYDu4ui0u4LA2l7G6iJPyGy+QMZ2srA32p4iv
-----END RSA PRIVATE KEY-----
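
A pre-import check for the key file saved in step 1, as an added example that is not part of the original article or any Fortinet tool: it flags the copy mistakes step 1.4 warns about and verifies the PEM layout shown above. The function name check_key_file and both sample inputs are constructed for illustration; the sample body is dummy bytes, not a real key.

```python
import base64

BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
END = "-----END RSA PRIVATE KEY-----"

def check_key_file(text):
    """Return a list of problems in a key file saved as in step 1 (hypothetical helper)."""
    problems = []
    if '"' in text:
        problems.append("double quote copied from the CLI output")
    if "set private-key" in text:
        problems.append("CLI keyword 'set private-key' copied into the file")
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN:
        problems.append("first line is not exactly the BEGIN marker")
    if not lines or lines[-1] != END:
        problems.append("last line is not exactly the END marker")
    inner = [ln for ln in lines if BEGIN not in ln and END not in ln]
    # PEM headers (Proc-Type, DEK-Info) come first and end at the blank line.
    headers = {}
    while inner and ":" in inner[0]:
        name, value = inner.pop(0).split(":", 1)
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        problems.append("key is not passphrase-encrypted (no Proc-Type: 4,ENCRYPTED)")
    elif "," not in headers.get("DEK-Info", ""):
        problems.append("encrypted key lacks a DEK-Info cipher,IV header")
    body = "".join(inner)  # blank lines vanish, base64 lines are concatenated
    try:
        if not base64.b64decode(body, validate=True):
            problems.append("key body is empty")
    except ValueError:
        problems.append("key body is not valid base64")
    return problems

# Constructed sample: base64 of dummy bytes with a made-up IV, not a real key.
BODY = base64.encodebytes(bytes(range(96))).decode()
GOOD = (f"{BEGIN}\nProc-Type: 4,ENCRYPTED\n"
        f"DEK-Info: DES-EDE3-CBC,0011223344556677\n\n{BODY}{END}\n")
# The same text pasted with the surrounding CLI syntax left in (see step 1.4).
BAD = f'set private-key "{GOOD.strip()}"\n'

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_key_file(sample) or "ok")
```
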
