Installing an SSL certificate in FortiGate takes four steps: import the certificate and private key files via System > Certificates, assign the certificate to a virtual server, optionally configure SSL offloading, then verify the installation with a browser or SSL testing tool. The process applies to FortiGate next-generation firewalls running FortiOS and typically takes under 15 minutes for a network administrator with the required files ready. This guide covers every step, including renewal, monitoring, backup, troubleshooting, and best practices.
FortiGate SSL certificate installation is a foundational security task - it applies the cryptographic identity that allows the firewall to authenticate itself and encrypt traffic crossing your network perimeter.
What Do You Need Before Installing an SSL Certificate on FortiGate?
FortiGate SSL certificate prerequisites are straightforward, but missing any one of them will stop the installation mid-process.
You need:
- A valid SSL certificate file (.crt or .cer) issued by a trusted Certificate Authority (CA)
- The matching private key file (.key or .pem) - this must pair exactly with the certificate
- Intermediate CA certificate file(s) or a full chain file (.crt or .pem) if your CA requires it
- Administrator access to the FortiGate web-based management interface or CLI
FortiGate supports Domain Validated (DV), Organization Validated (OV), Extended Validation (EV), Wildcard, and Multi-Domain (SAN/UCC) certificates. The right choice depends on your organization's trust requirements and the scope of domains you need to cover.
Why this matters now: According to WatchGuard's H2 2025 Internet Security Report, 96% of blocked malware in 2025 was delivered over TLS - making proper certificate management on your firewall a front-line defense requirement, not just a compliance checkbox.
How to Import an SSL Certificate into FortiGate (Step 1)
Import SSL certificate FortiGate GUI - this is where the installation begins. Log in to the FortiGate web-based management interface with administrator credentials.
Follow these steps:
- Navigate to System > Certificates > Import > Local Certificate
- In the Certificate Name field, enter a clear, descriptive name for this certificate
- Set Certificate Source to "Upload" or "File"
- Click Upload next to Certificate File and select your .crt or .cer file
- Click Upload next to Key File and select your .key or .pem private key file
- If the private key is password-protected, enter the password in the Password field
- If you have an intermediate CA certificate, upload it in the Certificate Intermediate CA Certificate section
- Click OK to complete the import
FortiGate will validate the key pair on import. If the certificate and private key do not match, the import will fail - double-check that both files came from the same CSR generation process.
How to Assign an SSL Certificate to a Virtual Server in FortiGate (Step 2)
Assign SSL certificate to virtual server FortiGate - importing the certificate alone does not apply it to any traffic. You must explicitly link it to a virtual server.
- Navigate to Policy & Objects > Virtual Servers
- Locate the target virtual server or create a new one
- Open the virtual server settings and scroll to the SSL section
- Enable SSL Mode and select the appropriate mode - use "Full" for end-to-end SSL encryption
- In the Certificate dropdown, select the certificate you imported in Step 1
- Optionally configure SSL ciphers, protocols, and server options to match your security policy
- Click OK to save and apply
One certificate can be assigned to multiple virtual servers, provided the certificate's common name or SAN entries match each server's hostname or IP.
How to Configure SSL Offloading in FortiGate (Step 3 - Optional)
FortiGate SSL offloading configuration shifts the SSL/TLS encryption and decryption workload from your backend servers to the FortiGate appliance itself. This reduces processing load on web servers and can improve overall throughput on high-traffic environments.
- Navigate to Policy & Objects > Virtual Servers
- Open or create the target virtual server
- Go to the Server Load Balance section
- Enable SSL Mode and select SSL Offloading or Full SSL Offloading
- Configure any additional SSL cipher and protocol options as needed
- Click OK to apply
SSL offloading is particularly useful when backend servers lack hardware acceleration for cryptographic operations. Note that with full SSL offloading, traffic between FortiGate and backend servers travels unencrypted - ensure your internal network segment is properly secured before enabling it.
How to Verify SSL Certificate Installation in FortiGate (Step 4)
Verify SSL certificate installation FortiGate - always test after completing the configuration steps.
- Open a browser and navigate to the domain or web application secured by the certificate
- Confirm the padlock icon appears in the address bar - this confirms TLS is active
- Click the padlock to inspect certificate details: issuer, expiry date, and common name should all match your installed certificate
- For a deeper validation, use the Qualys SSL Labs Server Test to check cipher support, protocol versions, and chain completeness
If the certificate chain is incomplete, browsers will show a security warning even if the leaf certificate is correctly installed. This is the most common post-installation issue - revisit Step 1 and confirm the intermediate CA certificate was uploaded.
What Are the FortiGate SSL Certificate Renewal Steps?
FortiGate SSL certificate renewal process - SSL certificates expire, and an expired certificate on a firewall triggers browser warnings, breaks SSL VPN connections, and disrupts inspection policies.
To renew and replace a certificate:
- Obtain a new certificate from your CA - start the renewal process at least 30 days before expiration
- Log in to FortiGate and navigate to System > Certificates > Local Certificates
- Locate the expiring certificate and click Import
- Upload the new certificate file, private key, and intermediate CA file
- Click OK to import
- Return to Policy & Objects > Virtual Servers and reassign the new certificate to all relevant virtual servers - the old certificate does not auto-update on existing assignments
How to back up an SSL certificate in FortiGate: Go to System > Certificates > Local Certificates, select the certificate, click Export, choose your format (.cer, .p12, or PKCS12), enter a password if prompted, and download. Store private key backups in a secure, access-controlled location - they should never be shared over email or stored unencrypted.
How to Set Up SSL Certificate Monitoring and Expiry Alerts in FortiGate
FortiGate certificate monitoring expiry alerts keep you ahead of renewals before they become emergencies.
- Navigate to System > Certificates > Certificate Monitor
- Enable the Certificate Monitor option
- Set the Monitoring Interval - daily checks are appropriate for production environments
- Enter the email address(es) to receive expiry notifications
- Set the notification threshold - 30 days in advance is a common default; consider 60 days for certificates with longer procurement lead times
- Click OK to save
With monitoring enabled, FortiGate will automatically alert you as certificates approach expiration, giving you time to renew without service disruption.
How to Troubleshoot SSL Certificate Errors in FortiGate
FortiGate certificate expired error fix and other common SSL issues follow a predictable diagnostic pattern.
| Error Message | Cause | Fix |
| Certificate expired | Validity period has elapsed | Renew and reimport the certificate |
| Certificate not yet valid | Clock mismatch or pre-dated cert | Check FortiGate system time (NTP sync) |
| Certificate revoked | CA has invalidated the certificate | Obtain a replacement from your CA |
| SSL certificate chain incomplete FortiGate | Missing intermediate CA | Re-import with the full chain file |
| Certificate name mismatch | CN/SAN doesn't match hostname | Reissue the certificate for the correct domain |
SSL certificate verification and troubleshooting tools:
- Qualys SSL Labs Server Test: full analysis of cipher suites, protocols, and chain validation
- SSLInsights SSL Checker: free SSL checker tool to verify certificate validity and configuration details
- FortiGate Debug Logs: navigate to Log & Report > Log Settings, enable SSL VPN Log at "Debug" level, then review at Log & Report > View Logs, filtered to "SSL VPN" event type
What Are the Best Practices for SSL Certificate Management on FortiGate?
Best practices SSL certificate management FortiGate come down to five disciplines that most organizations only adopt after a painful outage or security incident.
- Use trusted Certificate Authorities. Self-signed certificates work for internal testing but generate browser warnings in production and are rejected by many clients. Always use a CA-issued certificate for any externally facing service. A self-signed certificate FortiGate pros cons comparison: self-signed certs are free and instantly generated but lack third-party trust, fail browser validation, and require manual distribution to every client that needs to trust them.
- Enforce certificate lifecycle discipline. Set monitoring alerts at 60 and 30 days before expiration. Track all certificates in a central inventory - FortiGate's Certificate Monitor handles this natively, but organizations running multiple appliances benefit from a unified certificate lifecycle management platform.
- Restrict access to private keys. Private key files should be readable only by the FortiGate system account and the administrators who import them. Never transmit private keys over email or store them on shared drives.
- Keep FortiOS current. A FortiGate SSL VPN certificate vs local certificate distinction matters here: SSL VPN certificates are used for the VPN portal itself; local certificates are used for web server protection via virtual servers. Both require the underlying FortiOS to be patched. Fortinet has actively addressed authentication bypass and post-exploitation vulnerabilities in FortiOS - keeping firmware current is the single most important step in preventing certificate-adjacent attacks on your firewall.
- Enable SSL offloading where appropriate. If your backend servers are CPU-constrained, offloading TLS termination to FortiGate reduces their load and centralizes cipher policy management at the firewall level.
With certificate monitoring enabled, FortiGate will periodically check the validity and expiration status of your SSL certificates and send notifications based on the configured settings, allowing you to proactively manage and renew expiring certificates.
Final Words
Installing an SSL certificate on FortiGate is a four-step process: import, assign, optionally offload, then verify. Getting it right the first time means having your certificate files, private key, and intermediate CA ready before you start - and verifying the full chain after installation. Use FortiGate's built-in Certificate Monitor to stay ahead of renewals, follow the SSL installation guide for related platform deployments, and keep FortiOS patched to protect the underlying infrastructure your certificates depend on.
FAQs About FortiGate SSL Certificate Installation
What certificates does FortiGate support?
FortiGate supports DV, OV, EV, Wildcard, and Multi-Domain (SAN/UCC) SSL certificates from any trusted CA. The choice depends on whether you need organizational validation, multi-domain coverage, or wildcard subdomain protection.
Can I use a wildcard SSL on FortiGate?
Yes. Wildcard certificates work on FortiGate and can be assigned to virtual servers covering any subdomain under the licensed domain (e.g., *.example.com). Import the wildcard certificate and key the same way as a standard certificate.
How do I check SSL certificate expiry in FortiGate?
Navigate to System > Certificates > Local Certificates to see all installed certificates with their expiration dates. You can also enable Certificate Monitor under System > Certificates to receive automatic email alerts before certificates expire.
What are the pros and cons of using a self-signed certificate on FortiGate?
Self-signed certificates are useful for internal lab or test environments where you control the client trust stores. For production use, they cause browser security warnings, fail third-party authentication checks, and are not suitable for external-facing applications. Always use a CA-issued SSL certificate in production.
What should I do if the certificate chain is incomplete in FortiGate?
Re-import the certificate and include the intermediate CA certificate file(s) in the upload step. If your CA provided a bundle file (.ca-bundle or chain .crt), upload that in the "Certificate Intermediate CA Certificate" section during import.
What are FortiGate’s SSL VPN certificate requirements?
For SSL VPN, FortiGate uses a local certificate to authenticate the VPN portal to connecting clients. The certificate's CN or SAN must match the FortiGate's external DNS hostname. Clients must trust the issuing CA - use a publicly trusted CA-issued certificate to avoid manual root certificate distribution to every VPN client.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
