FortiGate Certificate Import Errors

FortiGate Certificate KB ID 0001791

Problem

A colleague messaged me last week because he could not import a certificate on a FortiGate (it had been exported from a Cisco ASA). He was seeing this error:

Incorrect certificate file format for CA/LOCAL/CRL/REMOTE cert.

FortiGate Certificate Problems

A brief Google led me to ask “Is the FortiGate licensed or on a free/trial license?”, as that can apparently produce this error. But for us this was not the problem.

This was happening because the ASA (like Windows) exports its certificates in ‘base64’ encoding and the FortiGate does not like that, so it throws its toys out of the pram. Firstly, ENSURE you exported the certificate as a PKCS12 file, like so:

Otherwise the certificate will NOT be exported with its private key, and if you import a certificate into a FortiGate without the private key you will get this error:

Certificate file is duplicated for CA/LOCAL./REMOTE/CRL cert.

We now have a copy of our exported ‘base64 encoded’ certificate. (Note: It has no file extension, don’t panic!) If it was extracted from Windows, it might have a .PFX extension. If yours does, simply use the following commands with that file extension.

Put it on a machine that has OpenSSL installed (or, if like me you’re a macOS user, copy it there, as OpenSSL is installed by default). Firstly we have to decode the extracted certificate:

[box]

openssl base64 -in /Users/petelong/Dropbox/PNL-EXPORTED-CERT -d -out /Users/petelong/Dropbox/PNL-DECODED-CERT

[/box]

Now that we have decoded the certificate, we can extract the private key with the following command:

[box]

openssl pkcs12 -in /Users/petelong/Dropbox/PNL-DECODED-CERT -nocerts -out /Users/petelong/Dropbox/PNL-PRIVATE-KEY.pem

[/box]

Then, to extract the identity certificate (the public half, without the key), use the following command:

[box]

openssl pkcs12 -in /Users/petelong/Dropbox/PNL-DECODED-CERT -clcerts -nokeys -out /Users/petelong/Dropbox/PNL-IDENTITY-CERT.pem

[/box]
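As an added example (not code from the original KB), here is a small POSIX shell helper that does the same job as the three commands above for both export styles (base64 text from an ASA, or a raw .pfx from Windows) and adds the check a practitioner wants before uploading anything: that the extracted key and certificate actually belong together. The file names, the password and the self-signed sample certificate are constructed for the demo.

```shell
#!/bin/sh
# Added helper, not from the KB above: turn an exported PKCS12 (a raw .pfx
# from Windows, or the base64 text a Cisco ASA exports) into the key and
# identity-certificate PEM files the FortiGate import wants.
set -eu

# Detect raw DER PKCS12 versus base64 text and write a binary .p12 to $2.
# DER PKCS12 begins with the ASN.1 SEQUENCE tag 0x30; a base64 export begins
# with printable text ("MII..."). Prints which form was found.
normalise_p12() {
  first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
  if [ "$first" = "30" ]; then
    cp "$1" "$2" && echo binary
  else
    openssl base64 -d -in "$1" -out "$2" && echo base64
  fi
}

# Split the binary PKCS12 into the two files. The key is written unencrypted
# (-nodes) so it can be checked below; leave -nodes out, as the KB's command
# does, to keep it passphrase-protected on disk. $2 is the export password.
extract_pair() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$4"
}

# The "duplicated" import error above is what a certificate without its key
# produces; confirm the pair belongs together before uploading it.
# Succeeds when the certificate's public key matches the private key.
pair_matches() {
  k=$(openssl pkey -in "$1" -pubout | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

# Constructed sample input: a throwaway self-signed cert, packaged as PKCS12
# and base64 encoded the way an ASA export looks. $1 = dir, $2 = password.
make_sample_export() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/k.pem" \
    -out "$1/c.pem" -subj "/CN=vpn.example.test" -days 1 2>/dev/null
  openssl pkcs12 -export -in "$1/c.pem" -inkey "$1/k.pem" \
    -passout "pass:$2" -out "$1/raw.p12"
  openssl base64 -in "$1/raw.p12" -out "$1/asa-export"
}

dir=$(mktemp -d); make_sample_export "$dir" secret   # demo on the sample
normalise_p12 "$dir/asa-export" "$dir/decoded.p12"
extract_pair "$dir/decoded.p12" secret "$dir/key.pem" "$dir/cert.pem"
pair_matches "$dir/key.pem" "$dir/cert.pem" && echo "key and cert match"
```

On OpenSSL 3.x an older ASA or Windows export whose contents are encrypted with RC2 or 3DES may refuse to open; add -legacy to the pkcs12 commands (with the legacy provider available) in that case.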

Import FortiGate Certificate

Now that you have those TWO files (the private key and the identity certificate) you can import them into your FortiGate, like so:

Related Articles, References, Credits, or External Links

NA

Why Securing Your VPN Solution With Computer Certificates ‘Only’ Is A BAD Idea

KB ID 0001055 

Problem

After a large AnyConnect 4 roll-out, I had the following conversation with a client;

Client: Can we change the way the clients authenticate?
Me: Yes, no problem what do you need?
Client: Well instead of user based certificate authentication, we want to use computer certificates only.
Me: Really why?
Client: So when we roll out a lot of imaged new machines we don’t need to get the users to log onto them and get a user certificate before they can be deployed.
Me: If we can, and a user exports the cert onto another device, that device will be able to connect as well.

I then pondered on just how difficult this would be to do. I had a fully working (certificate based) VPN solution running on the bench that I’d used to ‘proof of concept’ the client’s requirements. Why don’t I attempt to compromise that for educational purposes 🙂

Disclaimer: As stated, this post is for educational purposes only, not so you can get a free VPN or Wireless connections.

Solution

1. By default, computer certs issued by Microsoft Certificate Services have their private key marked as ‘non exportable’ to stop people doing things like this. But just because Windows won’t let you do this does not mean you can’t do it. Here I’m using Mimikatz 2.0 to handle that.

[box]privilege::debug[/box]

[box]crypto::cng[/box]

[box]crypto::capi[/box]

[box]crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /store:MY /export[/box]

2. All being well you should see something like this.

3. All your computer certs (in this case I only have one, so I don’t have to hunt through them) will be in the Mimikatz directory.

4. Import the certificate on a machine that does not have one (or an iPad, phone, tablet, Mac, Linux box, etc.).

5. Connect without error on the new machine.

The moral of the story is: where possible, don’t rely on computer certificates on their own; couple them with usernames/passwords or two-factor authentication.


Related Articles, References, Credits, or External Links

NA