bg-tutorials

How to Install an ACME SSL Certificate on FortiGate

This guide shows how to install and automate SSL certificates on FortiGate firewalls using the ACME protocol with External Account Binding (EAB), the standard method commercial certificate authorities use for secure automation.

Frotigate ACME SSL

You’ll learn two ways to deploy:

  1. Native FortiGate ACME integration with EAB credentials
  2. External issuance with ACME.sh, followed by import into FortiGate

Both methods are compatible with commercial ACME endpoints that issue certificates through KID + HMAC authentication.


Before You Start

You’ll need:

  • FortiGate 7.6.0 or newer (earlier versions don’t support EAB)
  • Root or admin access to the FortiGate CLI
  • ACME directory URL from your certificate provider
  • EAB credentials (Key ID + HMAC Key)
  • A domain name with valid A/AAAA DNS records pointing to your FortiGate’s public IP
  • Port 80 reachable from the internet for HTTP-01 validation

Step 1: Check your firmware version

Use the Command Line Interface to check your FortiOS version:

get system status

Ensure FortiOS 7.6.0 or newer appears. If not, upgrade first. Older versions don’t include acme-eab-key-id and acme-eab-key-hmac fields.


Step 2: Create a local certificate object for ACME

Run the command below:

config vpn certificate local
    edit "acme-vpn-cert"
        set enrollment acme
        set acme-ca-url "https://acme.yourca.com/v2/acme"
        set acme-eab-key-id "YOUR_EAB_KID"
        set acme-eab-key-hmac "YOUR_EAB_HMAC_KEY"
        set acme-email "[email protected]"
        set acme-domain "vpn.example.com"
        set acme-auth-url "http://vpn.example.com/.well-known/acme-challenge"
        set auto-regenerate-days 30
        set auto-regenerate enable
    next
end

This command creates a new local certificate object named acme-vpn-cert and tells FortiGate to automatically request and renew it from your commercial CA using the ACME protocol with External Account Binding.

Key parts explained:

  • set enrollment acme: tells FortiGate this certificate will be managed through ACME, not manually imported.
  • set acme-ca-url: the ACME directory endpoint of your certificate authority.
  • set acme-eab-key-id / set acme-eab-key-hmac: your EAB credentials (KID and HMAC) that authorize your account with the CA.
  • set acme-email: used for renewal notifications and CA contact.
  • set acme-domain: the domain FortiGate will validate and secure.
  • set acme-auth-url: the HTTP location where the CA places and verifies the ACME challenge.
  • set auto-regenerate and auto-regenerate-days: enable automatic renewal before expiry.

Step 3: Verify the validation path

Your FortiGate must respond to http://vpn.example.com/.well-known/acme-challenge/.

If you have HTTPS redirection enabled, add a bypass rule so the challenge path remains on plain HTTP during validation.

Here’s how to do it for virtual servers:

config firewall vip
    edit "acme-http"
        set extintf "wan1"
        set extip <your-public-ip>
        set mappedip "192.168.1.99"
        set extport 80
        set mappedport 80
        set protocol tcp
    next
end

Replace <your-public-ip> and 192.168.1.99 with your actual external and internal IP addresses. These values are placeholders used for example only.


Step 4: Trigger the initial request

Now that FortiGate knows how to reach your CA and where to place validation files, you can start the actual certificate enrollment process:

execute vpn certificate local generate "acme-vpn-cert"

This command tells FortiGate to contact the CA, perform domain validation, and retrieve the signed certificate automatically.


Step 5: Check the certificate status

To check your certificate status run the following command:

get vpn certificate local

You should see:

Status: valid
Issuer: Your CA Name

If the status remains pending or invalid, recheck DNS and port 80 reachability.


Step 6: Apply the certificate

Use the GUI or CLI to assign it to SSL VPN, HTTPS management, or proxy services:

config vpn ssl settings
    set servercert "acme-vpn-cert"
end

Here’s how to do it via GUI:

Go to VPN > SSL-VPN Settings > Server Certificate > Select acme-vpn-cert.


Step7: Troubleshooting and renewals

If the certificate doesn’t issue right away, the most common reasons are:

  • The ACME server couldn’t reach your validation URL (open port 80).
  • Your KID or HMAC key doesn’t match what the CA expects.
  • You hit a temporary replay or rate limit; just retry after a few minutes.

Once the certificate is valid, FortiGate will handle renewals automatically based on your auto-regenerate-days setting. You can test renewal anytime with:

execute vpn certificate local renew "acme-vpn-cert"

Fallback: External Issuance (ACME.sh) and Import to FortiGate

If your CA’s ACME endpoint doesn’t work directly with FortiGate, you can issue the certificate externally with ACME.sh and import it. Here’s how to do it:

Step 1: Install ACME.sh

Run these commands on any Linux, macOS, or BSD system that has internet access. You’re not running this on the FortiGate itself (FortiGate doesn’t support custom shell scripts).

curl https://get.acme.sh | sh
source ~/.bashrc

This installs the acme.sh client in your home directory and loads it into your shell. Replace the placeholder with your actual CA and details.

Step 2: Register your ACME account with EAB

acme.sh --register-account \
  --server https://acme.yourca.com/v2/acme \
  --eab-kid "YOUR_EAB_KID" \
  --eab-hmac-key "YOUR_EAB_HMAC_KEY" \
  -m [email protected]

Step 3: Issue the certificate

acme.sh --issue \
  -d vpn.example.com \
  --webroot /var/www/html \
  --server https://acme.yourca.com/v2/acme \
  --eab-kid "YOUR_EAB_KID" \
  --eab-hmac-key "YOUR_EAB_HMAC_KEY"

Step 4: Locate the certificate files

After a successful issuance, your certificate files are stored in your home directory under ~/.acme.sh/vpn.example.com/

Inside that folder, you’ll find:

  • fullchain.cer – the complete certificate chain
  • vpn.example.com.key – your private key
  • ca.cer – the intermediate CA certificate

You can open them with a text editor or verify details via OpenSSL:

openssl x509 -in fullchain.cer -noout -dates -issuer -subject

Step 5: Import to FortiGate

You can import the cerrtificate via GUI:

Go to: System > Certificates > Import > Local Certificate and
upload the certificate and private key.

Or you can use the CLI:

config vpn certificate local
    edit "acme-vpn-cert"
        set private-key "-----BEGIN PRIVATE KEY-----..."
        set certificate "-----BEGIN CERTIFICATE-----..."
    next
end

Step 6: Assign & renew

Once the certificate is renewed, make sure to re-assign it to your SSL VPN or FortiGate web interface (if it doesn’t auto-apply). If you’re using an external ACME client on a different server, set up a scheduled task (like a cron job) to automatically copy the new certificate files over to the FortiGate, using SCP or an API call.

Example:

scp ~/.acme.sh/vpn.example.com/fullchain.cer admin@fortigate:/root/
scp ~/.acme.sh/vpn.example.com/vpn.example.com.key admin@fortigate:/root/

Then reload the cert:

execute vpn certificate local import "acme-vpn-cert"

Common Questions

If you’re setting up ACME with a commercial CA for the first time, a few questions tend to come up. Here are quick answers to the ones we see most often:

Can I use this setup with any commercial CA?

Yes, as long as your provider supports ACME + External Account Binding (EAB). Major CAs like Sectigo and DigiCert already provide ACME directory URLs and EAB credentials.

Do I need to open both HTTP and HTTPS ports for validation?

Only port 80 (HTTP) is required for ACME’s HTTP-01 validation. Keep HTTPS (443) open for normal traffic, but don’t redirect validation requests from HTTP to HTTPS.

What happens if my certificate fails to renew automatically?

You can trigger manual renewal at any time with:

execute vpn certificate local renew "acme-vpn-cert"

If it still fails, recheck your EAB credentials, domain DNS, and that the firewall still allows outbound access to your CA’s ACME endpoint.

Can I use the same EAB credentials on multiple FortiGates?

That depends on your CA. Some allow reusing one account for multiple devices, others issue unique credentials per order or domain. Always follow your CA’s policy to avoid rate limits or account conflicts.


Final Words

You now know how to install an ACME SSL certificate onFortiGate, either through its native EAB integration or external issuance via ACME.sh.

Both methods meet enterprise security standards and support fully automated renewals with commercial certificate authorities.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.