Backing up and restoring local certificates
The FortiGate unit provides a way to export and import a server certificate and the FortiGate unit's private key through the CLI. If required (to restore the FortiGate unit configuration), you can import the exported file through the System > Certificates > Local Certificates page of the web-based manager.
 
As an alternative, you can back up and restore the entire FortiGate configuration through the System Information widget on the Dashboard of the web-based manager. Look for [Backup] and [Restore] in the System Configuration row. The backup file is created in a FortiGate-proprietary format.
To export a server certificate and private key - CLI
This procedure exports a server (local) certificate and private key together as a password-protected PKCS12 file. The export file is written to a TFTP server that you supply. TFTP provides no authentication or encryption, so the PKCS12 password is the only protection for the private key while the file is in transit. Ensure that your TFTP server is running and accessible to the FortiGate unit before you enter the command.
1. Connect to the FortiGate unit through the CLI.
2. Type the following command:
execute vpn certificate local export tftp <cert_name> <exp_filename> <tftp_ip>
where:
<cert_name> is the name of the server certificate; typing ? displays a list of installed server certificates.
<exp_filename> is a name for the output file.
<tftp_ip> is the IP address assigned to the TFTP server host interface.
3. Move the output file from the TFTP server location to the management computer for future reference.
To import a server certificate and private key - web-based manager
1. Go to System > Certificates > Local Certificates and select Import.
2. In Type, select PKCS12 Certificate.
3. Select Browse. Browse to the location on the management computer where the exported file has been saved, select the file, and then select Open.
4. In the Password field, type the password needed to upload the exported file.
5. Select OK, and then select Return.
To import separate server certificate and private key files - web-based manager
Use the following procedure to import a server certificate and the associated private key file when the server certificate request and private key were not generated by the FortiGate unit. The two files to import must be available on the management computer.
1. Go to System > Certificates > Local Certificates and select Import.
2. In Type, select Certificate.
3. Select the Browse button beside the Certificate file field. Browse to the location on the management computer where the certificate file has been saved, select the file, and then select Open.
4. Select the Browse button beside the Key file field. Browse to the location on the management computer where the key file has been saved, select the file, and then select Open.
5. If required, in the Password field, type the associated password, and then select OK.
6. Select Return.
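
Before relying on an exported PKCS12 file as a backup, or before importing separate certificate and key files, you can confirm on the management computer that the file opens with its password and that the certificate and private key belong together. The script below is an added example, not part of the original guide or of FortiOS; it uses the OpenSSL command-line tool, and the function names and the P12_PASS and KEY_PASS variable names are assumptions.

```shell
#!/bin/sh
# Added example: pre-import checks run on the management computer with OpenSSL.
# Passwords are read from the environment so they stay out of the process list:
#   P12_PASS  password of the PKCS12 export            (assumed variable name)
#   KEY_PASS  password of a separate key file, if any  (assumed variable name)

# Public key (PEM) of the certificate read from stdin.
pub_of_cert() { openssl x509 -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from the private key read from stdin.
# -passin is passed only when KEY_PASS is set.
pub_of_key() { openssl pkey -pubout ${KEY_PASS+-passin env:KEY_PASS} 2>/dev/null; }

# True only when both public keys were produced and are identical.
# The non-empty test keeps two failed reads from counting as a match.
same_pub() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# check_pair CERT KEY: separate certificate and key files belong together.
check_pair() {
    same_pub "$(pub_of_cert < "$1")" "$(pub_of_key < "$2")"
}

# check_p12 FILE: the export opens with P12_PASS and holds a matching
# certificate and key. The key is piped between processes, never written to disk.
check_p12() {
    c=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null | pub_of_cert)
    k=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null | pub_of_key)
    same_pub "$c" "$k"
}

# Usage: sh check.sh p12 <exp_filename>   or   sh check.sh pair <cert> <key>
case "${1:-}" in
    p12)  check_p12 "$2" && echo "OK: $2 opens and its certificate matches its key" ;;
    pair) check_pair "$2" "$3" && echo "OK: certificate and key match" ;;
esac
```

If OpenSSL 3.x cannot read a file that was protected with older PKCS12 algorithms, add `-legacy` to the two `openssl pkcs12` commands.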