How to Install an ACME SSL Certificate on FortiGate?

SSL Installation on FortiGate

FortiGate firewalls support automatic installation of SSL certificates for secure remote access, trusted HTTPS administration, and uninterrupted SSL VPN connectivity.

This article first explains the two ways of obtaining an ACME certificate for a FortiGate: the native ACME client built into FortiOS, and an external ACME client whose certificate is then imported into the firewall.

It then walks through every step of each method, from creating the certificate request to assigning the certificate and keeping it renewed.

Prerequisites

Before you begin, ensure you have:

  • FortiOS 7.6.0 or newer (required for EAB fields)
  • Administrator access to the FortiGate CLI
  • ACME directory URL from your certificate provider
  • External Account Binding credentials (KID + HMAC key)
  • A domain name pointing to your FortiGate’s public IP
  • Port 80 open for HTTP-01 validation
  • Outbound HTTPS access from FortiGate to the CA endpoint
  • Accurate system time (NTP configured)

Method 1: Native ACME Integration on FortiGate

With native ACME integration, certificate issuance and renewal are automated directly on the FortiGate, with no external client involved.

Because the FortiGate talks to the ACME server itself, the whole certificate life cycle, from first issuance through every renewal, is managed in one place.

Step 1: Verify FortiOS Version

Log in to the CLI and check your firmware:

get system status

Versions before 7.6.0 do not support the acme-eab-key-id and acme-eab-key-hmac parameters; the two are always set together.

Step 2: Create an ACME Certificate Object

Create a local certificate object with ACME enrollment enabled:

config vpn certificate local
    edit "acme-vpn-cert"
        set enroll-protocol acme2
        set acme-ca-url "https://acme.yourca.com/v2/acme"
        set acme-eab-key-id "YOUR_EAB_KID"
        set acme-eab-key-hmac "YOUR_EAB_HMAC_KEY"
        set acme-email "[email protected]"
        set acme-domain "vpn.example.com"
        set acme-auth-url "http://vpn.example.com/.well-known/acme-challenge"
        set auto-regenerate enable
        set auto-regenerate-days 30
    next
end

With these settings, the FortiGate requests and renews the certificate itself, authenticating to the CA with External Account Binding.

Step 3: Ensure HTTP-01 Validation Works

For the ACME HTTP-01 validation to succeed, the CA must be able to reach the FortiGate over plain HTTP:

  • Port 80 is reachable from the Internet
  • The path http://vpn.example.com/.well-known/acme-challenge/ is served over HTTP

If HTTPS redirection is enabled, create an exception so validation traffic remains on HTTP.

If inbound port 80 is forwarded with a virtual IP (VIP), for example:

config firewall vip
    edit "acme-http"
        set extintf "wan1"
        set extip <public-ip>
        set mappedip "192.168.1.99"
        set extport 80
        set mappedport 80
        set protocol tcp
    next
end

Replace placeholder IP addresses with your actual configuration.

Step 4: Trigger Certificate Enrollment

Start the certificate request:

execute vpn certificate local generate "acme-vpn-cert"

FortiGate will:

  • Contact the ACME server
  • Complete domain validation
  • Retrieve the signed certificate

Step 5: Verify Certificate Status

Check the certificate:

get vpn certificate local

Look for:

  • Status: valid
  • Issuer: Your CA Name

If the status is pending or invalid, verify:

  • DNS records
  • Port 80 accessibility
  • EAB credentials
  • Outbound connectivity to the CA
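The reachability conditions in Step 3 and the troubleshooting list above can be checked from outside before enrollment is triggered. The following script is an added example, not code from the original article or from Fortinet; it runs from a host on the Internet side of the firewall, probes the challenge path without following redirects (so an HTTPS redirect is reported rather than silently followed), and reads the CA's ACME directory to confirm it is reachable and whether it mandates External Account Binding. The domain, public IP and directory URL are placeholders.

```python
"""Pre-flight checks for HTTP-01 validation before triggering ACME enrollment.

Added example, not from the original article or Fortinet. Run it from a host
on the Internet side of the FortiGate. DOMAIN, EXPECTED_PUBLIC_IP and
CA_DIRECTORY_URL are constructed placeholders.
"""
import json
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Placeholder values; replace with your own.
DOMAIN = "vpn.example.com"
EXPECTED_PUBLIC_IP = "203.0.113.10"
CA_DIRECTORY_URL = "https://acme.yourca.com/v2/acme"


def dns_matches(domain, expected_ip, resolve=socket.gethostbyname):
    """Check that the A record points at the FortiGate's public IP.

    Returns (ok, resolved_ip). `resolve` is injectable so the check can be
    exercised without a live resolver.
    """
    try:
        resolved = resolve(domain)
    except OSError:
        return False, None
    return resolved == expected_ip, resolved


def port_open(host, port=80, timeout=5.0, connect=socket.create_connection):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_challenge_response(status, headers, body, expected_token=None):
    """Map a response on the challenge path to a short diagnosis."""
    location = headers.get("Location", "") if headers else ""
    if status in (301, 302, 303, 307, 308):
        if urlparse(location).scheme.lower() == "https":
            return "redirect-to-https"  # validation traffic must stay on HTTP
        return "redirect"
    if status == 404:
        return "http-reachable"  # answered on port 80; token not served yet
    if status != 200:
        return "unexpected"
    if expected_token is not None and body.strip() != expected_token:
        return "wrong-body"
    return "ok"


def probe_challenge_path(domain, token="preflight-probe", timeout=5.0):
    """GET a probe token on the challenge path without following redirects."""
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_challenge_response(resp.status, resp.headers, body)
    except urllib.error.HTTPError as err:
        return classify_challenge_response(err.code, err.headers, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


def summarize_directory(directory_json):
    """Summarize an ACME directory document (RFC 8555 section 7.1.1)."""
    directory = json.loads(directory_json)
    meta = directory.get("meta", {})
    return {
        "has_new_account": "newAccount" in directory,
        "has_new_order": "newOrder" in directory,
        "eab_required": bool(meta.get("externalAccountRequired", False)),
    }


def fetch_directory_summary(url, timeout=10.0):
    """Confirm the CA directory is reachable and whether it requires EAB."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return summarize_directory(resp.read().decode("utf-8"))
    except (urllib.error.URLError, OSError, ValueError) as err:
        return {"error": str(err)}


if __name__ == "__main__":
    ok, ip = dns_matches(DOMAIN, EXPECTED_PUBLIC_IP)
    print("DNS:", "ok" if ok else "MISMATCH", ip)
    print("Port 80:", "open" if port_open(DOMAIN) else "closed/filtered")
    print("Challenge path:", probe_challenge_path(DOMAIN))
    print("CA directory:", fetch_directory_summary(CA_DIRECTORY_URL))
```

A result of http-reachable is the expected state before enrollment (port 80 answers, no token served yet); redirect-to-https means the HTTPS redirect exception from Step 3 is missing. The directory check proves outbound reachability only from the host running the script, so if it passes there but enrollment still stalls, verify the FortiGate's own outbound path to the CA.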

Step 6: Assign the Certificate

Apply the certificate to SSL VPN or HTTPS services:

config vpn ssl settings
    set servercert "acme-vpn-cert"
end

Or via GUI:

VPN → SSL-VPN Settings → Server Certificate → Select acme-vpn-cert

Once applied, your FortiGate will present the trusted certificate to users.

Step 7: Automatic Renewal

The FortiGate renews the certificate automatically, starting the number of days before expiration that you set for auto-regeneration. To test the renewal manually, use the command:

execute vpn certificate local renew "acme-vpn-cert"

If renewal fails, check local firewall rules, DNS resolution, and the CA's rate limits.

Method 2: External Issuance via acme.sh

If your ACME endpoint cannot be used from the FortiGate directly, use acme.sh to obtain the certificate on another host and then import it into the FortiGate.

This gives you more control over where the certificate and its key are generated, and lets you issue on whichever operating system you prefer (Linux, macOS, or BSD).

You still get ACME automation for issuance and can still use External Account Binding (EAB).

Step 1: Install ACME.sh

Install acme.sh on a host with Internet access (Linux/macOS) by running its installation script. The script downloads acme.sh and sets up what the client needs to talk to your Certificate Authority's ACME directory.

On a Linux or macOS system:

curl https://get.acme.sh | sh
source ~/.bashrc

Install it on a separate host: a FortiGate cannot run custom shell scripts.

Step 2: Register Account with EAB

Next, register an ACME account with your Certificate Authority using External Account Binding.

You will need the ACME directory URL, the Key ID (KID), and the HMAC key:

acme.sh --register-account \
    --server https://acme.yourca.com/v2/acme \
    --eab-kid "YOUR_EAB_KID" \
    --eab-hmac-key "YOUR_EAB_HMAC_KEY" \
    -m [email protected]

Once the account is registered, the client is bound to your CA account and can request certificates for any domain your Certificate Authority authorizes.
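To make clear what the KID and HMAC key are actually used for during registration, here is the External Account Binding construction from RFC 8555 section 7.3.4, as an added example that is not part of the original article, acme.sh or FortiOS. The client builds a JWS over its own account public key, signed with HMAC-SHA256 under the CA-issued key and carrying the KID in the header; the CA recomputes the MAC to tie the new ACME account to your customer account. The KID, HMAC key and JWK below are constructed placeholders (the JWK is a syntactically valid but fake P-256 public key), and only the binding itself is shown, not the outer newAccount JWS that wraps it.

```python
"""Building and verifying an ACME External Account Binding (RFC 8555 7.3.4).

Added example, not from the original article, acme.sh or Fortinet. The values
below are constructed placeholders, not real credentials or keys.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed placeholders standing in for what the CA hands you.
EAB_KID = "YOUR_EAB_KID"
EAB_HMAC_KEY_B64URL = b64url(b"\x01" * 32)  # CAs supply the key base64url-encoded
NEW_ACCOUNT_URL = "https://acme.yourca.com/v2/acme/new-account"

# The ACME account public key as a JWK. A real client takes this from its
# freshly generated account key; these coordinates are filler bytes.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x02" * 32),
    "y": b64url(b"\x03" * 32),
}


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_eab(kid, hmac_key_b64url, account_jwk, new_account_url):
    """Return the externalAccountBinding JWS for a newAccount request."""
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(_compact_json(protected))
    payload_b64 = b64url(_compact_json(account_jwk))
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256)
    return {"protected": protected_b64, "payload": payload_b64,
            "signature": b64url(mac.digest())}


def verify_eab(eab, hmac_key_b64url, expected_kid, expected_url, outer_jwk):
    """CA-side checks: MAC valid, header as expected, payload equals the account key."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256)
    if not hmac.compare_digest(expected.digest(), b64url_decode(eab["signature"])):
        return False  # wrong HMAC key or tampered binding
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256":
        return False
    if header.get("kid") != expected_kid or header.get("url") != expected_url:
        return False
    # The bound key must be the same key that signs the outer newAccount JWS.
    return json.loads(b64url_decode(eab["payload"])) == outer_jwk


def new_account_payload(account_jwk, contact_email, eab):
    """Body of the newAccount request that carries the binding."""
    return {
        "contact": [f"mailto:{contact_email}"],
        "termsOfServiceAgreed": True,
        "externalAccountBinding": eab,
    }


if __name__ == "__main__":
    binding = build_eab(EAB_KID, EAB_HMAC_KEY_B64URL, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(new_account_payload(ACCOUNT_JWK, "admin@example.com", binding), indent=2))
    print("verifies:", verify_eab(binding, EAB_HMAC_KEY_B64URL, EAB_KID,
                                  NEW_ACCOUNT_URL, ACCOUNT_JWK))
```

The HMAC key is a shared secret: anyone holding it and the KID can bind new ACME accounts to your CA account, which is why the article treats these credentials alongside the private key when it comes to safe handling.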

Step 3: Issue the Certificate

With the account registered, request a certificate by giving acme.sh the domain name and the validation method (usually HTTP-01 with a web root path):

acme.sh --issue \
    -d vpn.example.com \
    --webroot /var/www/html \
    --server https://acme.yourca.com/v2/acme \
    --eab-kid "YOUR_EAB_KID" \
    --eab-hmac-key "YOUR_EAB_HMAC_KEY"

Certificate files will be stored under:

~/.acme.sh/vpn.example.com/

acme.sh contacts the Certificate Authority, completes domain validation, and downloads the certificate, the full chain, and keeps the private key it generated. On success the files are on the issuing host, ready to be deployed to the FortiGate.

Step 4: Import into FortiGate

Import the certificate files into the FortiGate using either the GUI or the CLI. Upload both the private key and the complete certificate chain so the firewall can present a trusted chain to its clients.

Via GUI:

System → Certificates → Import → Local Certificate

Or via CLI:

config vpn certificate local
    edit "acme-vpn-cert"
        set private-key "-----BEGIN PRIVATE KEY-----..."
        set certificate "-----BEGIN CERTIFICATE-----..."
    next
end

Transfer the private key over an encrypted channel only and delete stray copies afterwards, so it is not exposed at any point of the import.

Step 5: Reassign and Automate Renewal

The FortiGate does not renew an imported certificate itself: each time acme.sh renews it, the new files must be re-imported. This can be automated with a scheduled task that copies the renewed files over SCP or pushes them through the API and then reloads the certificate.

Example:

scp fullchain.cer admin@fortigate:/root/
scp vpn.example.com.key admin@fortigate:/root/

Then reload the certificate:

execute vpn certificate local import "acme-vpn-cert"

Conclusion

Automating SSL deployment on FortiGate is practical once you have a certificate authority that supports ACME with External Account Binding.

CheapSSLweb has developed an affordable, reliable, and straightforward approach to providing SSL certificates that support ACME-ready deployments across multiple firewalls, servers, and cloud computing platforms.

The installation of your SSL will be simplified, the renewal of your certificates will be seamless, and securing your network will not cost you a fortune. Start using CheapSSLweb now to manage your certificates with ease and assurance.

Janki Mehta

Janki Mehta is a cyber-security enthusiast with 7+ years of experience in encryption, digital certificates, and online security. She helps online users stay safe and protect their online presence. Explore her SSL error guides, installation guides, and security tutorials for a safe browsing and web security experience.