FortiGate: Use Lets Encrypt SSL certificates with a FortiGate

Before you continue please consider clicking on one of the horrible ads. I know they are a pain but they help me pay for the hosting of this site. It owes me a lot of money. Sob story over.

You may not realise it, but it is possible to install an SSL certificate on your FortiGate using something called ACME (the Automatic Certificate Management Environment protocol, which Let's Encrypt uses to issue certificates).

You need the following things for this to work:

  • This feature is only available in FortiGate V7 onwards.
  • You need to have a public IP address assigned to the device.
  • You need a public domain with an 'A' record that resolves to said IP address.

You also need to be able to see the Certificates option on your device. If Certificates isn't visible, you will need to enable it under 'Feature Visibility'.

Go to System > Feature Visibility and enable Certificates.

Click on Certificates.

Now go to 'Create/Import > Certificate'.

You will be presented with the new Certificate wizard, and you should be able to see the 'Use Let's Encrypt' option.

Click on the 'Use Let's Encrypt' option and fill in the blanks.

The 'Certificate Name' is just the name you will use to reference this certificate on the FortiGate in future. It is not related to the SAN of the certificate. The SAN will be the domain and only the domain; you can't use wildcards or alternate SANs for this.

The email address needs to be valid.

Now you will be asked to define an interface that can communicate with Let's Encrypt. For me, as I'm writing this from my home, it's my Vodafone broadband.

Once you have selected the correct interface and clicked OK, it will start doing its thing.

And, as you can see, it succeeded.

Provided the prerequisites mentioned earlier remain in place, this certificate will auto-renew every 30 days.
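The two things that decide whether the enrolment above works and keeps working are the prerequisites (a public 'A' record that resolves to the FortiGate's public IP) and the result (a certificate actually issued by Let's Encrypt that is not about to expire). The script below is an added example, not code from this post or from Fortinet, that checks both from an outside host. The hostname `fw.example.com` and the address `203.0.113.10` are constructed placeholders; it assumes you point them at your own FortiGate's DNS name and public IP, and it reads the certificate the FortiGate presents on TCP 443 using Python's standard `ssl` module.

```python
"""Pre-flight and post-install checks for a Let's Encrypt (ACME) certificate
on a FortiGate.  Added example, not Fortinet code.  The hostname and expected
public IP are constructed placeholders: replace them with your own."""
import datetime as dt
import socket
import ssl
from typing import Iterable, List

# Constructed placeholders: the FortiGate's public DNS name and the public IP
# its 'A' record is expected to resolve to (203.0.113.0/24 is a documentation range).
HOSTNAME = "fw.example.com"
EXPECTED_IP = "203.0.113.10"


def a_record_matches(resolved_ips: Iterable[str], expected_ip: str) -> bool:
    """True when the name resolves to exactly the expected public IP.
    ACME validates control of the name by connecting to whatever it resolves
    to, so a stale or extra A record makes the enrolment fail."""
    return set(resolved_ips) == {expected_ip}


def resolve_a_records(hostname: str) -> List[str]:
    """Return the IPv4 addresses the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def issuer_is_lets_encrypt(issuer) -> bool:
    """issuer is the tuple-of-tuples structure from getpeercert()['issuer'],
    e.g. ((('countryName', 'US'),), (('organizationName', "Let's Encrypt"),), ...)."""
    for rdn in issuer:
        for key, value in rdn:
            if key == "organizationName" and value == "Let's Encrypt":
                return True
    return False


def days_until_expiry(not_after: str, now: dt.datetime) -> int:
    """not_after is in getpeercert() format, e.g. 'Jun 12 12:00:00 2024 GMT'."""
    expiry = dt.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=dt.timezone.utc
    )
    return (expiry - now).days


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Open a TLS connection, verified against the system trust store, and
    return the parsed leaf certificate.  A verification failure here means
    the FortiGate is still serving a self-signed or factory certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def main() -> None:
    ips = resolve_a_records(HOSTNAME)
    print(f"{HOSTNAME} -> {ips}; A record OK: {a_record_matches(ips, EXPECTED_IP)}")
    cert = fetch_peer_cert(HOSTNAME)
    print("Issued by Let's Encrypt:", issuer_is_lets_encrypt(cert["issuer"]))
    now = dt.datetime.now(dt.timezone.utc)
    print("Days until expiry:", days_until_expiry(cert["notAfter"], now))


if __name__ == "__main__":
    main()
```

Run it once before starting the wizard (the A record check is the part that matters then) and again afterwards; if the post-install run reports an issuer other than Let's Encrypt, the GUI or SSL-VPN portal you tested is still bound to the old certificate and the new one needs to be selected in the relevant settings. Because ACME proves control of the name with the HTTP-01 challenge, the FortiGate also has to be reachable from the internet on TCP port 80 at enrolment and at each renewal, so keep that in mind when tightening inbound policies later.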