jcovarrubias
Staff
March 26, 2026

Technical Tip: How to deploy a certificate to multiple FortiGates in FortiManager using provisioning templates

Description

This article describes how to assign a certificate to multiple FortiGates in FortiManager.

 

This article assumes that a CSR has been signed by a Certificate Authority and the private key is also embedded in the CSR. The certificate type may be a wildcard certificate.

Scope

FortiManager.
Solution

To deploy certificates using Provisioning Templates, the following process can be followed:

  1. Log in to FortiManager.
  2. Proceed to Device Manager -> Provisioning Templates.
  3. Proceed to the CLI template tab.

 

Screenshot 2026-03-26 110313.png

 

  4. Create a new CLI template and fill out the information, as per the following figure:

 

Screenshot 2026-03-26 110424.png

 

When the certificate is in PFX or PFX12 format, it will not appear as text because it is encrypted. It can, however, be converted to PEM format (clear text) using the procedure documented in "Technical Tip: How to Convert a PKCS#12 Certificate to Legacy Format for FortiManager/FortiAnalyzer".

 

Configuration elements:

 

config vpn certificate local
    edit "March2024-HTTPS-ADVPN"
        set password ENC <pwd>
        set comments ''
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
          key ..
        -----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
          key ..
        -----END CERTIFICATE-----"
        set range global
        set source user
        set source-ip 0.0.0.0
        set ike-localid-type asn1dn
        set enroll-protocol none
    next
end
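The following is an added example, not part of the original article or any Fortinet tooling: a Python helper that builds the CLI template body above from a PEM file and refuses to emit it when the private key block is not an `ENCRYPTED PRIVATE KEY`, since the template text is stored and pushed to every assigned device. The function names, the certificate-name rule, the exactly-one-certificate rule and the sample PEM are assumptions of this example.

```python
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
BASE64_LINE = re.compile(r"[A-Za-z0-9+/=]+")
# Remaining settings copied from the article's configuration elements.
TAIL = ("set range global", "set source user", "set source-ip 0.0.0.0",
        "set ike-localid-type asn1dn", "set enroll-protocol none")

# Constructed sample input: placeholder base64, not real key material.
SAMPLE_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
"""


def pem_blocks(text):
    """Return (label, normalized block) pairs; reject non-base64 bodies."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        if not lines or not all(BASE64_LINE.fullmatch(ln) for ln in lines):
            raise ValueError(f"{label}: body is not plain base64")
        found.append((label, "\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])))
    return found


def render_template(name, pem_text):
    """Build the CLI template body, refusing cleartext or ambiguous input."""
    # Conservative name rule (assumption of this example) so the quoted
    # CLI string cannot be broken out of.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError("certificate name has unsafe characters")
    blocks = pem_blocks(pem_text)
    keys = [(lbl, b) for lbl, b in blocks if lbl.endswith("PRIVATE KEY")]
    certs = [b for lbl, b in blocks if lbl == "CERTIFICATE"]
    if [lbl for lbl, _ in keys] != ["ENCRYPTED PRIVATE KEY"]:
        raise ValueError("need exactly one ENCRYPTED PRIVATE KEY block")
    if len(certs) != 1:
        raise ValueError("need exactly one CERTIFICATE block")
    body = ["set password ENC <pwd>",  # placeholder kept from the article
            f'set private-key "{keys[0][1]}"', f'set certificate "{certs[0]}"',
            *TAIL]
    return "\n".join(["config vpn certificate local", f'    edit "{name}"',
                      *("        " + ln for ln in body), "    next", "end"])
```

Text outside the PEM blocks is ignored, and the `<pwd>` placeholder is left for the operator to fill in.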

 

  5. The last step is to assign the template to the FortiGate(s). There are two possible methods through which to assign the certificate:

Method 1: Individual:

Assign it to a device or group by moving the FortiGates from Available Entries to Selected Entries.

 

Screenshot 2026-03-26 121517.png

 

Screenshot 2026-03-26 121613.png

 

Method 2: Through template groups and template CLI groups.

Assign the recently created CLI script to the CLI template group by creating or modifying a template.

 

Screenshot 2026-03-26 121209.png

 

Troubleshooting:

The following commands can be used on the FortiManager CLI to debug the installation:

 

diagnose debug application securityconsole 255

diagnose debug enable