Import Cert to FortiGate FortiOS

Hi All, I’m trying to develop a script that will export a multi SAN cert from CTW and then upload it to a FortiGate unit running FortiOS 7.0.1.

I know this version has limited ability to do its own request but it needs an ACME challenge server behind it so it’s much simpler if I can get it from my CTW instance uploaded to the FortiGate and then I can run an additional command to set it for a particular usage.

If anyone has even some basic clues to follow or some examples, that’d be extremely helpful.

Just to clarify, the cert is generating fine on my Windows 2019 box and it goes into the local certificate store without issue.

I don’t know anything about FortiGate myself but a useful feature of Certify is Deployment Tasks (under Tasks) - these are steps you can add at the end of certificate renewal to convert and deploy the certificate in various ways. You can also add a task and run it immediately if you already have a working certificate.

Some of the tasks include:

  • Deploy to Generic Server: this can export as .pem format files (.crt, .key etc) and optionally copy the file over SFTP to a remote host.
  • Script: this can run local scripts or even SSH into a remote host and run scripts there.

Ideally you need the FortiGate to have an API you can push the certificate to, or accept SSH/SFTP, or in some cases people use PowerShell etc to login to the web UI and post files etc, but that’s a bit brittle if the admin UI ever changes.

It looks to me like the FortiGate OS has some built-in support for ACME (e.g. Let’s Encrypt) if you look at the CLI section at the bottom of this document: New Features | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library

I had written a script prior to FortiOS 7 that could do this (not from certifytheweb but actually from Win-Acme). It used a whole bunch of commands using a script for PuTTY. It wasn’t elegant and wasn’t secure but it worked.

The FortiGate can now do this on its own, though I don’t think with multi-SAN. If that is absolutely needed I would actually look for a way to do it via the FortiGate API and then try to figure it out as a web deployment task.

If you want though I can find (I hope) and send my old scripts. But honestly it seems like in this case I would allow the FortiGate to do it on its own.

If you could find them I think that’d be a fantastic help. The main requirement I have is to grab the cert that CTW generates and upload it because

  1. The FortiGate using its built-in Let’s Encrypt option won’t allow SAN or Wildcard, only single name certs, and the objective is to use the certificate for Web Load Balancing, SSL-VPN and Management interface, all with different FQDNs

  2. Using the built-in engine also expects that there is an ACME server sitting behind the requesting IP and I’m not keen on that as it adds complexity (as well as a Linux box which I’m not keen on managing)

Definitely appreciate the replies so far

Thanks webprofusion,

The FortiGate definitely has an API, and being really upfront, I wouldn’t have a clue how to use it. I’m doing a bit of research at the moment however if I could do something in PowerShell like nsummer uses, I think I’d be far more competent at fixing it long term if I had to do any troubleshooting.
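An added example (not from this thread, Certify or Fortinet): a PowerShell deployment script that takes the .crt/.key files written by Certify's "Deploy to Generic Server" task and pushes them to the FortiGate over its REST API, then binds the new certificate to SSL-VPN. Assumed: a FortiOS REST API admin token, the FortiOS 7.0 endpoint paths and JSON field names shown, and an admin-interface certificate that the Windows host already trusts.

```powershell
# Added example, not code from the thread. Run as a Certify "Script" deployment task
# after a "Deploy to Generic Server" task has written the PEM files.
param(
    [Parameter(Mandatory)] [string] $FortiGate,   # host[:port] of the admin interface
    [Parameter(Mandatory)] [string] $ApiToken,    # REST API admin token (assumed to exist)
    [Parameter(Mandatory)] [string] $CertPath,    # PEM certificate (+ chain) from Certify
    [Parameter(Mandatory)] [string] $KeyPath,     # PEM private key from Certify
    [string] $CertName = "certify-$(Get-Date -Format yyyyMMdd)"
)

$ErrorActionPreference = 'Stop'
$headers = @{ Authorization = "Bearer $ApiToken" }

# Assumed endpoint: the FortiOS monitor API import call expects the PEM contents
# base64-encoded inside the JSON body, with the key in a separate field.
$importBody = @{
    type             = 'regular'          # PEM cert + separate key ('pkcs12' for a .pfx)
    certname         = $CertName
    scope            = 'global'
    file_content     = [Convert]::ToBase64String([IO.File]::ReadAllBytes($CertPath))
    key_file_content = [Convert]::ToBase64String([IO.File]::ReadAllBytes($KeyPath))
} | ConvertTo-Json

# If the admin interface uses a certificate Windows does not trust, this call fails;
# trust that CA on the host rather than disabling validation in the script.
$resp = Invoke-RestMethod -Method Post `
    -Uri "https://$FortiGate/api/v2/monitor/vpn-certificate/local/import" `
    -Headers $headers -ContentType 'application/json' -Body $importBody

if ($resp.status -ne 'success') {
    throw "Certificate import failed: $($resp | ConvertTo-Json -Compress)"
}

# The "additional command" step from the thread: bind the imported cert to SSL-VPN.
# Assumed CMDB path and field, mirroring CLI 'config vpn ssl settings / set servercert'.
$bindBody = @{ servercert = $CertName } | ConvertTo-Json
Invoke-RestMethod -Method Put `
    -Uri "https://$FortiGate/api/v2/cmdb/vpn.ssl/settings" `
    -Headers $headers -ContentType 'application/json' -Body $bindBody | Out-Null

Write-Output "Imported '$CertName' and set it as the SSL-VPN server certificate."
```

Using a date-stamped certificate name means each renewal imports a fresh object, so the previous one stays available for rollback until you delete it.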