This guide shows how to install and automate SSL certificates on FortiGate firewalls using the ACME protocol with External Account Binding (EAB), the standard method commercial certificate authorities use for secure automation.

You’ll learn two ways to deploy:
- Native FortiGate ACME integration with EAB credentials
- External issuance with ACME.sh, followed by import into FortiGate
Both methods are compatible with commercial ACME endpoints that issue certificates through KID + HMAC authentication.
Before You Start
You’ll need:
- FortiGate 7.6.0 or newer (earlier versions don’t support EAB)
- Root or admin access to the FortiGate CLI
- ACME directory URL from your certificate provider
- EAB credentials (Key ID + HMAC Key)
- A domain name with valid A/AAAA DNS records pointing to your FortiGate’s public IP
- Port 80 reachable from the internet for HTTP-01 validation
Step 1: Check your firmware version
Use the Command Line Interface to check your FortiOS version:
get system status
Ensure FortiOS 7.6.0 or newer appears. If not, upgrade first. Older versions don’t include acme-eab-key-id and acme-eab-key-hmac fields.
Step 2: Create a local certificate object for ACME
Run the command below:
config vpn certificate local
edit "acme-vpn-cert"
set enrollment acme
set acme-ca-url "https://acme.yourca.com/v2/acme"
set acme-eab-key-id "YOUR_EAB_KID"
set acme-eab-key-hmac "YOUR_EAB_HMAC_KEY"
set acme-email "[email protected]"
set acme-domain "vpn.example.com"
set acme-auth-url "http://vpn.example.com/.well-known/acme-challenge"
set auto-regenerate-days 30
set auto-regenerate enable
next
end
This command creates a new local certificate object named acme-vpn-cert and tells FortiGate to automatically request and renew it from your commercial CA using the ACME protocol with External Account Binding.
Key parts explained:
set enrollment acme: tells FortiGate this certificate will be managed through ACME, not manually imported.set acme-ca-url: the ACME directory endpoint of your certificate authority.set acme-eab-key-id/set acme-eab-key-hmac: your EAB credentials (KID and HMAC) that authorize your account with the CA.set acme-email: used for renewal notifications and CA contact.set acme-domain: the domain FortiGate will validate and secure.set acme-auth-url: the HTTP location where the CA places and verifies the ACME challenge.set auto-regenerateandauto-regenerate-days: enable automatic renewal before expiry.
Step 3: Verify the validation path
Your FortiGate must respond to http://vpn.example.com/.well-known/acme-challenge/.
If you have HTTPS redirection enabled, add a bypass rule so the challenge path remains on plain HTTP during validation.
Here’s how to do it for virtual servers:
config firewall vip
edit "acme-http"
set extintf "wan1"
set extip <your-public-ip>
set mappedip "192.168.1.99"
set extport 80
set mappedport 80
set protocol tcp
next
end
Replace <your-public-ip> and 192.168.1.99 with your actual external and internal IP addresses. These values are placeholders used for example only.
Step 4: Trigger the initial request
Now that FortiGate knows how to reach your CA and where to place validation files, you can start the actual certificate enrollment process:
execute vpn certificate local generate "acme-vpn-cert"
This command tells FortiGate to contact the CA, perform domain validation, and retrieve the signed certificate automatically.
Step 5: Check the certificate status
To check your certificate status run the following command:
get vpn certificate local
You should see:
Status: valid
Issuer: Your CA Name
If the status remains pending or invalid, recheck DNS and port 80 reachability.
Step 6: Apply the certificate
Use the GUI or CLI to assign it to SSL VPN, HTTPS management, or proxy services:
config vpn ssl settings
set servercert "acme-vpn-cert"
end
Here’s how to do it via GUI:
Go to VPN > SSL-VPN Settings > Server Certificate > Select acme-vpn-cert.
Step7: Troubleshooting and renewals
If the certificate doesn’t issue right away, the most common reasons are:
- The ACME server couldn’t reach your validation URL (open port 80).
- Your KID or HMAC key doesn’t match what the CA expects.
- You hit a temporary replay or rate limit; just retry after a few minutes.
Once the certificate is valid, FortiGate will handle renewals automatically based on your auto-regenerate-days setting. You can test renewal anytime with:
execute vpn certificate local renew "acme-vpn-cert"
Fallback: External Issuance (ACME.sh) and Import to FortiGate
If your CA’s ACME endpoint doesn’t work directly with FortiGate, you can issue the certificate externally with ACME.sh and import it. Here’s how to do it:
Step 1: Install ACME.sh
Run these commands on any Linux, macOS, or BSD system that has internet access. You’re not running this on the FortiGate itself (FortiGate doesn’t support custom shell scripts).
curl https://get.acme.sh | sh
source ~/.bashrc
This installs the acme.sh client in your home directory and loads it into your shell. Replace the placeholder with your actual CA and details.
Step 2: Register your ACME account with EAB
acme.sh --register-account \
--server https://acme.yourca.com/v2/acme \
--eab-kid "YOUR_EAB_KID" \
--eab-hmac-key "YOUR_EAB_HMAC_KEY" \
-m [email protected]
Step 3: Issue the certificate
acme.sh --issue \
-d vpn.example.com \
--webroot /var/www/html \
--server https://acme.yourca.com/v2/acme \
--eab-kid "YOUR_EAB_KID" \
--eab-hmac-key "YOUR_EAB_HMAC_KEY"
Step 4: Locate the certificate files
After a successful issuance, your certificate files are stored in your home directory under ~/.acme.sh/vpn.example.com/
Inside that folder, you’ll find:
- fullchain.cer – the complete certificate chain
- vpn.example.com.key – your private key
- ca.cer – the intermediate CA certificate
You can open them with a text editor or verify details via OpenSSL:
openssl x509 -in fullchain.cer -noout -dates -issuer -subject
Step 5: Import to FortiGate
You can import the cerrtificate via GUI:
Go to: System > Certificates > Import > Local Certificate and
upload the certificate and private key.
Or you can use the CLI:
config vpn certificate local
edit "acme-vpn-cert"
set private-key "-----BEGIN PRIVATE KEY-----..."
set certificate "-----BEGIN CERTIFICATE-----..."
next
end
Step 6: Assign & renew
Once the certificate is renewed, make sure to re-assign it to your SSL VPN or FortiGate web interface (if it doesn’t auto-apply). If you’re using an external ACME client on a different server, set up a scheduled task (like a cron job) to automatically copy the new certificate files over to the FortiGate, using SCP or an API call.
Example:
scp ~/.acme.sh/vpn.example.com/fullchain.cer admin@fortigate:/root/
scp ~/.acme.sh/vpn.example.com/vpn.example.com.key admin@fortigate:/root/
Then reload the cert:
execute vpn certificate local import "acme-vpn-cert"
Common Questions
If you’re setting up ACME with a commercial CA for the first time, a few questions tend to come up. Here are quick answers to the ones we see most often:
Can I use this setup with any commercial CA?
Yes, as long as your provider supports ACME + External Account Binding (EAB). Major CAs like Sectigo and DigiCert already provide ACME directory URLs and EAB credentials.
Do I need to open both HTTP and HTTPS ports for validation?
Only port 80 (HTTP) is required for ACME’s HTTP-01 validation. Keep HTTPS (443) open for normal traffic, but don’t redirect validation requests from HTTP to HTTPS.
What happens if my certificate fails to renew automatically?
You can trigger manual renewal at any time with:
execute vpn certificate local renew "acme-vpn-cert"
If it still fails, recheck your EAB credentials, domain DNS, and that the firewall still allows outbound access to your CA’s ACME endpoint.
Can I use the same EAB credentials on multiple FortiGates?
That depends on your CA. Some allow reusing one account for multiple devices, others issue unique credentials per order or domain. Always follow your CA’s policy to avoid rate limits or account conflicts.
Final Words
You now know how to install an ACME SSL certificate onFortiGate, either through its native EAB integration or external issuance via ACME.sh.
Both methods meet enterprise security standards and support fully automated renewals with commercial certificate authorities.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

