How to Install an SSL Certificate in FortiGate

In this tutorial, you will learn how to install an SSL certificate on FortiGate (FortiOS), importing your certificate and intermediate (CA) chain in the GUI, then applying it to the admin login page and/or to your SSL-VPN.

Generate a CSR code on FortiGate

If you have already applied for your SSL certificate and received the SSL files, skip the CSR section and jump straight to the installation steps.

CSR stands for Certificate Signing Request, a block of encoded text containing your contact details. The Certificate Authority (CA) uses the CSR to verify your credentials before approving your SSL request. Generating the CSR also creates your private key; together the CSR and private key form the SSL certificate key pair. You have two options:

Submit the CSR to the Certificate Authority during your order. After the CA validates it and issues your certificate, continue with the installation below.

Important: if you generated the CSR on the FortiGate itself, the private key already lives on the appliance. Import the signed certificate back onto the same FortiGate so it can pair with that key.

Install an SSL certificate on FortiGate

After the CA issues your certificate, download the ZIP archive and extract it on your computer. You should have your primary (server) certificate and one or more intermediate (CA) certificates. The screens below match FortiOS 7.4 and 7.6; older 7.0/6.x builds use slightly different labels, noted where relevant.

Step 1: Prepare your certificate files

Open your primary and intermediate certificates in a plain-text editor (Notepad on Windows, or any editor that does not add formatting). Save each one with a .crt (or .cer) extension, keeping the full encoded block including the header and footer lines:

-----BEGIN CERTIFICATE-----
MIIF...your encoded certificate...AB==
-----END CERTIFICATE-----

Each BEGIN CERTIFICATE / END CERTIFICATE marker line uses exactly five hyphens on each side, with no spaces and no extra characters. A mangled header is the most common reason an import fails.
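To catch a mangled file before uploading it, the check below lints a .crt file for the problems described in Step 1. It is an added example, not part of the original tutorial or any Fortinet tooling; the function names are hypothetical, and the sample input is a constructed placeholder rather than a real certificate.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Anything that looks like an attempt at a marker line, however mangled.
MARKER_LIKE = re.compile(r"-+\s*(BEGIN|END)\b.*CERTIFICATE", re.IGNORECASE)

def check_body(b64: str, index: int) -> list[str]:
    """Check that one block's body is base64 wrapping a DER SEQUENCE."""
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:
        return [f"certificate {index}: body is not valid base64"]
    if not der.startswith(b"\x30"):
        return [f"certificate {index}: decoded body is not a DER SEQUENCE"]
    return []

def lint_pem(data: bytes) -> list[str]:
    """Return the problems found in a .crt file; an empty list means clean."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes present (BOM, smart dashes or rich text)"]
    problems, body, inside, blocks = [], [], False, 0
    for n, raw in enumerate(text.splitlines(), 1):
        marker = MARKER_LIKE.search(raw)
        if marker and raw not in (BEGIN, END):
            problems.append(f"line {n}: malformed marker {raw!r}")
        if marker and marker.group(1).upper() == "BEGIN":
            inside, body = True, []
        elif marker:
            if inside:
                blocks += 1
                problems += check_body("".join(body), blocks)
            else:
                problems.append(f"line {n}: END marker without BEGIN")
            inside = False
        elif inside:
            body.append(raw.strip())
        elif raw.strip():
            problems.append(f"line {n}: text outside the certificate block")
    if inside:
        problems.append("BEGIN marker without a matching END marker")
    return problems

def make_sample() -> bytes:
    """Constructed placeholder (not a real certificate) with the right shape."""
    b64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
    return "\n".join([BEGIN, b64, END, ""]).encode()
```

Call lint_pem() on the bytes of each file you plan to upload; Windows (CRLF) line endings are accepted, while a byte-order mark, typographic dashes, or a marker with four hyphens or a trailing space are reported with the line number.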

Step 2: Make the Certificates menu visible (if needed)

On many FortiGate models the certificate management screens are hidden by default. If you do not see System > Certificates, log in to the FortiGate, go to System > Feature Visibility, enable Certificates under the additional features, and click Apply. The Certificates menu now appears under System.

Step 3: Import your primary (local) certificate

Log in to your FortiGate and go to System > Certificates. Click Create/Import > Certificate, then choose Import Certificate and set the type to Local Certificate. Click Upload, select your .crt server certificate file, then click Create (on 7.0 and earlier this button is labelled OK).

The status of the certificate should change from PENDING to OK, which confirms it has been matched with the private key on the appliance.

Step 4: Import the intermediate (CA) certificate

Next, install the chain so clients trust your certificate. Still under System > Certificates, click Create/Import > CA Certificate, select File, upload your intermediate .crt file, and confirm. If your CA supplied more than one intermediate, repeat this for each. The imported authorities appear in the External CA Certificates list (named CA_Cert_1, CA_Cert_2, and so on).

Step 5: Apply the certificate where you need it

Importing the certificate does not activate it on its own; you have to assign it to a service. Choose whichever applies to you:

For the FortiGate admin login page (HTTPS management): go to System > Settings, find Administration Settings, set HTTPS server certificate to the certificate you just imported, and click Apply. Your browser session may drop briefly while the appliance switches certificates.

For SSL-VPN remote access: go to VPN > SSL-VPN Settings, and in the Connection Settings pane open the Server Certificate drop-down, select the certificate you imported, and click Apply.

Note: on FortiOS 7.4 and later the VPN > SSL-VPN Settings menu is hidden by default. If you do not see it, enable it under System > Feature Visibility (turn on SSL-VPN), then return to this step.

That’s it. Your SSL certificate is now installed and active on FortiGate.

Optional: import the certificate from the CLI

If you prefer the command line (or are scripting a deployment), you can import the certificate from a TFTP server. When you generated the CSR on the FortiGate, import the signed certificate with the certificate type; no private key or password is needed because the key is already on the appliance:

execute vpn certificate local import tftp yourdomain.crt 192.0.2.10 certificate

If your certificate and private key are bundled in a PKCS#12 file (generated without the FortiGate’s CSR), import it as a .p12 and supply the export password:

execute vpn certificate local import tftp yourdomain.p12 192.0.2.10 p12 your_pkcs12_password

Replace 192.0.2.10 with your TFTP server’s IP address and the file names with your own. After importing, assign the certificate to the GUI or SSL-VPN as shown in Step 5.

Test your SSL installation

After installing the certificate on FortiGate, run an SSL scan to confirm the certificate and chain are served correctly and to catch any errors.

You can also confirm the certificate is present directly on the appliance from the CLI:

get vpn certificate local details

This lists each installed certificate with its name, issuer, and validity dates, so you can verify the right one is in place and not expired.

Where to buy the best SSL certificate for FortiGate?

At SSL Dragon, we offer some of the lowest prices on the market across our entire range of SSL products, and we’ve partnered with the best SSL brands in the industry for strong security and dedicated support. All our SSL certificates are compatible with FortiGate appliances, whether you’re securing the admin GUI, an SSL-VPN portal, or a public-facing service behind the firewall.

You can find the best SSL certificate for your project and budget with the help of our exclusive SSL tools. The SSL Wizard recommends the best certificates for your needs.

Frequently Asked Questions

How do I check my FortiGate SSL certificate?

In the GUI, go to System > Certificates, select the certificate, and click View Details to see its issuer and validity dates. From the CLI, run get vpn certificate local details to list every installed certificate. To troubleshoot a server certificate during a live connection, enable debugging with the diagnose command (diagnose debug application fnbamd -1 followed by diagnose debug enable) and access the server. An auth_cert_succeed result means the certificate validated successfully.

How do I download a certificate from the FortiGate firewall?

Go to System > Certificates and select the certificate you want to export. Click Download in the toolbar (or right-click the entry and choose Download) and save the file to your computer. Note that FortiGate exports the public certificate only; it never exports the private key.

Where are certificates stored in FortiGate?

All certificates live under System > Certificates, grouped into Local Certificates (your server certificates and their keys), Local CA Certificates and External CA Certificates (the trusted chain), and Remote certificates. If the menu is missing, enable it under System > Feature Visibility. To inspect one, select it and click View Details.

What is FortiGate SSL-VPN?

FortiGate SSL-VPN provides secure, encrypted remote access to internal resources over HTTPS, without requiring a dedicated VPN client on every device, making it ideal for remote workers and contractors. The certificate you assign under VPN > SSL-VPN Settings > Server Certificate is what users see when they connect to the VPN portal, so a publicly trusted SSL certificate removes the browser warning that the default self-signed certificate triggers.

Why does my browser still warn about the FortiGate certificate?

The most common cause is a missing intermediate (CA) certificate; the server certificate alone is not enough. Make sure you completed Step 4 and imported the full chain, then re-assign the certificate in Step 5. Also confirm you are reaching the FortiGate by the exact hostname listed in the certificate, since a mismatch between the URL and the certificate’s common name or SAN also triggers a warning.

Bottom line

Installing an SSL certificate on FortiGate comes down to exposing the Certificates menu if it’s hidden, importing your server certificate as a Local Certificate and the chain as a CA Certificate under System > Certificates, then assigning it to the admin GUI (System > Settings) and/or your SSL-VPN (VPN > SSL-VPN Settings).

Need a certificate first? Browse our SSL certificates.

Frequently Asked Questions

How do I check my FortiGate SSL certificate?

You can check your SSL certificate via the diagnose command. Once you enable this debug command, verify the certificate on FortiGate by accessing the server. If you get the “auth_cert_succeed” result, your SSL certificate is valid.

How do I download certificates in the FortiGate firewall?

Navigate to System Settings > Certificates > Local Certificates. Select the certificate that you want to download. Click Download in the toolbar or right-click, select Download, and save the certificate to the computer.

Where are Certificates in FortiGate?

Navigate to System Settings > Certificates > Local Certificates. Select the certificates you want to inspect, then click View Certificate Detail in the toolbar or right-click the menu.

What is FortiGate SSL?

SSL or Client VPNs enable VPN access to users without an enterprise firewall, such as remote workers and virtual assistants.

Written by

I've been building and managing websites for over 20 years, with a heavy focus on the technical side of the cybersecurity, VPN, and SaaS industries. I know how sites are built from the ground up, which means I know how to secure them. Here at SSL Dragon, I write about web architecture, encryption, and keeping your infrastructure safe.