FortiGate - Export certificate with private key

Problem

I recently purchased a wildcard certificate based on a CSR generated by FortiGate and uploaded the certificate to it. It is named wildcard-domain-tld. We are moving away from FortiGate and I didn't want to have to pay for it again so I needed the private key.

Solution

FortiGate stores the private key in its configuration encrypted with a passphrase, and that passphrase is itself stored encrypted (the ENC value). To extract the private key in a usable form, we need to perform the following steps:

  1. Get the encrypted private key and the encrypted password.
  2. Decrypt the encrypted password.
  3. Decrypt the private key.
  4. Check the private key against the issued certificate.

Get the encrypted private key and password

To get the encrypted private key and the encrypted password, log in to the FortiGate and open the CLI Console:

config vpn certificate local
edit "wildcard-domain-tld"
sh full-configuration

It should show something like this:

config vpn certificate local
    edit "wildcard-domain-tld"
        set password ENC <omitted>
        set comments "foo bar"
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
<omitted>
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
<omitted>
-----END CERTIFICATE-----"
        set range global
        set source user
        set source-ip 0.0.0.0
        set ike-localid-type asn1dn
        set enroll-protocol none
    next
end

Copy the private-key string (the BEGIN/END ENCRYPTED PRIVATE KEY block, without the surrounding quotes) into a file named encrypted_key, and the certificate string into a file named cert. Copy the encrypted password (the value after ENC) to the clipboard; it is needed in the next step.

Decrypt the encrypted password

The encrypted password cannot be decrypted locally, but we can leverage the WiFi configuration on the FortiGate to decrypt it for us (source: dead link, see it on the Internet Archive).

Open the CLI Console on the FortiGate again and create a dummy SSID whose passphrase is the encrypted password copied in the previous step (the ENC value), so that the FortiGate decrypts it for you:

config wireless vap
  edit wirelessdummy
    set passphrase ENC <omitted>
    set ssid dummy
  next
end

Now head over to the SSIDs section of the GUI, edit the newly created wirelessdummy SSID, and click the eye icon to reveal the passphrase. Take note of it: it is the passphrase protecting the private key.

Decrypt the private key

At this point, you should have an encrypted_key file containing the encrypted private key, as well as the passphrase protecting it. To decrypt it, run the following command:

openssl rsa -in encrypted_key -out key

When prompted, enter the passphrase noted in the previous step. The resulting key file contains the unencrypted private key.

Check the private key against the issued certificate

To check that the private key belongs to the certificate, we compute the RSA modulus of each and compare their MD5 hashes.

For the certificate:

openssl x509 -noout -modulus -in cert | openssl md5
MD5(stdin)= 52205a934b867d90d9c05ce3700c088b

For the key:

openssl rsa -noout -modulus -in key | openssl md5
MD5(stdin)= 52205a934b867d90d9c05ce3700c088b

If the two MD5 hashes match, the private key belongs to the certificate and the pair can be installed elsewhere.
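The decryption and matching steps above, wrapped into a small POSIX shell script as an added example that is not part of the original post. It assumes only the OpenSSL CLI. Unlike the interactive commands above, it takes the passphrase from a KEY_PASS environment variable (so it does not end up in shell history or in the process list), writes the decrypted key with mode 0600, and checks the key against the certificate by comparing the public key each one carries, which works for RSA and EC keys alike rather than only for the RSA modulus. The function names, the KEY_PASS variable and the file-name arguments are choices made here, not FortiGate or OpenSSL conventions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes only the OpenSSL CLI.
# Usage:  KEY_PASS=... ./fgt_key.sh encrypted_key cert   (decrypts and checks)
#         or source the file and call the functions directly.

# Step 3: decrypt an encrypted PEM private key (the PKCS#8 "ENCRYPTED PRIVATE
# KEY" block exported by FortiGate, or a legacy encrypted PEM). The passphrase
# is read from the KEY_PASS environment variable; the decrypted key is created
# under umask 077 so it is only readable by the current user. openssl pkey
# handles any key algorithm, where openssl rsa handles RSA only.
decrypt_key() {
  enc_key=$1
  out_key=$2
  if [ -z "$KEY_PASS" ]; then
    echo "decrypt_key: KEY_PASS is not set" >&2
    return 2
  fi
  ( umask 077 && openssl pkey -in "$enc_key" -passin env:KEY_PASS -out "$out_key" )
}

# Step 4: return 0 if the (decrypted) private key belongs to the certificate,
# 1 if it does not, 2 if either file could not be parsed. Both commands print
# the public key as a PEM "PUBLIC KEY" (SubjectPublicKeyInfo) block, so a plain
# string comparison is enough and no hash is needed. Each command is captured
# on its own rather than piped, so a parse failure cannot turn into a match.
key_matches_cert() {
  cert=$1
  key=$2
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout) || return 2
  [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Command-line entry point: decrypt, then verify against the certificate.
if [ "$#" -eq 2 ]; then
  decrypt_key "$1" "$1.decrypted" || exit 2
  if key_matches_cert "$2" "$1.decrypted"; then
    echo "private key matches certificate: $1.decrypted"
  else
    echo "private key does NOT match certificate $2" >&2
    exit 1
  fi
fi
```

Run it as KEY_PASS='passphrase from the SSID trick' ./fgt_key.sh encrypted_key cert; the decrypted key lands next to the encrypted one with mode 0600, and the exit status tells a script whether the pair is usable.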