farhanahmed
Staff
June 17, 2025

Technical Tip: How to create Certificate Template and assign it to a device using JSON API

Description: This article describes how to create a Certificate Template and generate certificates for FortiGates using the FortiManager JSON API.
Scope: FortiManager.
Solution
FortiManager supports two types of certificate templates:
  • Local: FortiManager itself acts as a Certificate Authority.
  • External: Uses the Simple Certificate Enrollment Protocol (SCEP) to enroll with an external Certificate Authority.

 

  1. Add Template:
  • Local Certificate Template:

 

{
    "method": "add",
    "params": [
        {
            "data": {
                "name": "{{CERT_NAME}}",
                "digest-type": "sha256",
                "key-size": "4096",
                "key-type": "rsa",
                "type": "local",
                "organization-unit": "{{OU}}",
                "organization": "{{ORG}}",
                "city": "{{CITY}}",
                "email": "{{EMAIL}}",
                "state": "{{STATE}}",
                "country": "{{COUNTRY}}"
            },
            "url": "/pm/config/adom/{{ADOM}}/obj/certificate/template"
        }
    ],
    "id": "1",
    "session": "{{session}}"
}
 
  • External Certificate Template: Any external Certificate Server supporting Simple Certificate Enrollment Protocol (SCEP) can be used, including FortiAuthenticator.
 
{
    "method": "add",
    "params": [
        {
            "data": {
                "name": "{{CERT_NAME}}",
                "digest-type": "sha256",
                "key-size": "4096",
                "key-type": "rsa",
                "type": "external",
                "organization-unit": "{{OU}}",
                "organization": "{{ORG}}",
                "city": "{{CITY}}",
                "email": "{{EMAIL}}",
                "state": "{{STATE}}",
                "country": "{{COUNTRY}}",
                "id-type": "host-ip",
                "subject-name": "{{IP}}",
                "scep-server": "{{SCEP_Server_URL}}",
                "scep-password": "{{SCEP_Challenge_Password}}",
                "scep-ca-identifier": "{{SCEP_Identifier}}"
            },
            "url": "/pm/config/adom/{{ADOM}}/obj/certificate/template"
        }
    ],
    "id": "1",
    "session": "{{session}}"
}
 
  2. Generate Certificate:
 
{
    "method": "exec",
    "params": [
        {
            "url": "/securityconsole/sign/certificate/template",
            "data": {
                "adom": "root",
                "template": "adom/{{ADOM}}/obj/certificate/template/{{CERT_NAME}}",
                "scope": [
                    {
                        "name": "{{FortiGate_Device_Name}}",
                        "vdom": "root"
                    }
                ]
            }
        }
    ],
    "id": "1",
    "session": "{{session}}"
}
 
[Image: cert_gen.png]
 

This creates a new task (task #5 in this example). Query the task to check its progress:

 
{
    "method": "get",
    "params": [
        {
            "url": "/task/task/5"
        }
    ],
    "id": "1",
    "session": "{{session}}"
}
 
Sample output:
 
[Image: task_api.png]

 

The same Task can be checked in FortiManager GUI: System Settings -> Task Monitor:
 
[Image: task.png]

 

  3. Check the newly generated certificate in the FortiManager Device Database for the FortiGate:
 
{
    "method": "get",
    "params": [
        {
            "url": "/pm/config/device/{{FortiGate_Device_Name}}/vdom/{{VDOM}}/vpn/certificate/local/{{CERT_NAME}}"
        }
    ],
    "id": "1",
    "session": "{{session}}"
}
 
Sample output:
 
[Image: cert_db.png]
 
On FortiManager GUI: Device Manager -> Device & Objects -> Managed FortiGate -> Select the FortiGate -> System -> Certificates:
 
[Image: cert_fmg_gui.png]
 
 
Note:
In case the certificate generation fails (in step 2), use the debug commands below to collect logs:
 
diagnose debug application securityconsole 255
diagnose debug enable
 
Attached is the Postman API collection, which can be imported directly into Postman.
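The requests above can also be built in code, which keeps the session token and the SCEP challenge password out of saved collections and log output. The following Python is an added example, not part of the original article or Fortinet's code; the helper names, the `***` mask and the `/jsonrpc` endpoint path (not stated on this page) are assumptions.

```python
import json
import urllib.request

# Fields in the article's payloads that carry secrets and must not reach logs.
SECRET_KEYS = {"session", "scep-password"}


def rpc(method, session, url, data=None):
    """Wrap one call in the JSON-RPC envelope used by every request in the article."""
    param = {"url": url}
    if data is not None:
        param["data"] = data
    return {"method": method, "params": [param], "id": "1", "session": session}


def add_external_template(session, adom, name, subject, scep):
    """Step 1 (external/SCEP variant); `subject` and `scep` are plain dicts."""
    data = {"name": name, "type": "external", "key-type": "rsa",
            "key-size": "4096", "digest-type": "sha256", **subject, **scep}
    return rpc("add", session, f"/pm/config/adom/{adom}/obj/certificate/template", data)


def get_device_cert(session, device, vdom, name):
    """Step 3: read the generated certificate from the device database."""
    return rpc("get", session,
               f"/pm/config/device/{device}/vdom/{vdom}/vpn/certificate/local/{name}")


def redact(obj):
    """Return a deep copy with every secret field masked, safe to log."""
    if isinstance(obj, dict):
        return {k: "***" if k in SECRET_KEYS else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def send(base_url, request, timeout=30):
    """POST to <base_url>/jsonrpc (assumed path); urllib verifies TLS by default."""
    body = json.dumps(request).encode()
    req = urllib.request.Request(f"{base_url}/jsonrpc", data=body,
                                 headers={"Content-Type": "application/json"})
    print("->", json.dumps(redact(request)))  # only the redacted copy is logged
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

Read the session token and SCEP challenge password from the environment or a secrets store at run time rather than hard-coding them in the calling script.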
 
Related documents:

Certificate templates

Technical Tip: Using FortiManager API

Fortinet Development Network (FNDN) - FortiManager

FortiAuthenticator Certificate Management

Technical Tip: Certificate Template with SCEP enrollment, using FortiAuthenticator as external CA

Technical Tip: How to create a CLI Template and Pre-Run CLI Template using JSON API

Technical Tip: How to create IPSec Template and assign to a device using JSON API