Technical Tip: Pushing SSL Certificates to FortiGate Devices via FortiManager using Script
Description
This article describes how to push a local SSL certificate that exists on one FortiGate to all FortiGate devices managed by FortiManager. It provides a step-by-step guide on copying the certificate configuration into a FortiManager CLI script and running that script directly on the remote FortiGates.

Scope
FortiManager, FortiGate.
Solution
To push an SSL certificate to all FortiGates that are already managed by FortiManager:
- On the FortiGate that holds the certificate, display the full configuration of the local certificate entry from the CLI ('show full' is short for 'show full-configuration'). The output contains the certificate, the encrypted private key and the encrypted key password, so handle it as sensitive material. The encrypted values are only portable to other FortiGates if private-data-encryption (config system global) is not enabled on the source or the target devices:
FGT-HUB (labtest) # show full
config vpn certificate local
edit "labtest"
set password ENC 4XiV4sTxRXGmvPCFNcDVqAosqkWdNX4FSc8FNJV/88vdmLMVidUpU/IV/n5hoeJu2AEc7gMavac6brlERVgMDueDLSM4f3BQSzRolAnAxnyCt47V1VCPHANOcA9jmGF4CHGO9LxfL4JHRFJEimAlxo9qgjTn9gAPETs8QP8RARUn9y423a7CMOX69aaMUrJ/QVzxlw==
set comments "This certificate is automatically generated."
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
............................................................................
............................................................................
........................
-----END ENCRYPTED PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE-----
............................................................................
............................................................................
......................
-----END CERTIFICATE-----"
set range global
set source user
set source-ip 0.0.0.0
set ike-localid-type asn1dn
set enroll-protocol none
next
end
- In FortiManager, go to Device Manager -> Scripts -> Create New and paste the complete block above, from 'config vpn certificate local' to the closing 'end', as the script content. Remember that the script repository now holds the (encrypted) private key, so restrict who can view and edit scripts.

- Run the script with the target set to 'Remote FortiGate Directly (via CLI)' against the FortiGates that should receive the certificate. Running it against the Device Database instead only stages the change in FortiManager until the next install. Afterwards, confirm the entry on a target device with 'show vpn certificate local' on its CLI.

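As an added example, not part of the Fortinet article, the following Python script pulls a single 'config vpn certificate local' entry out of a FortiGate configuration backup or 'show full-configuration' output, so that only the wanted certificate (and not every local certificate on the device) ends up in the FortiManager script. The configuration text, certificate names and function names are constructed for this example; the PEM bodies are placeholders and not real key material.

```python
import re

# Constructed sample of FortiGate 'show full-configuration' output holding two
# local certificates. The PEM bodies are placeholders, not real key material.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-HUB"
end
config vpn certificate local
    edit "Fortinet_Factory"
        set comments "factory certificate, no exportable key in this sample"
        set range global
    next
    edit "labtest"
        set password ENC AAAA
        set comments "This certificate is automatically generated."
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
UExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU
-----END CERTIFICATE-----"
        set range global
        set source user
        set source-ip 0.0.0.0
        set ike-localid-type asn1dn
        set enroll-protocol none
    next
end
config system interface
    edit "port1"
    next
end
"""

BLOCK_HEADER = "config vpn certificate local"
_EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]*)"?\s*$')


def _unescaped_quote_count(line):
    """Number of double quotes on the line that are not backslash-escaped."""
    return len(re.findall(r'(?<!\\)"', line))


def extract_local_cert(config_text, cert_name):
    """Return a 'config vpn certificate local' block containing only cert_name.

    The result is ready to paste into a FortiManager CLI script. Returns None
    when the certificate is not present. PEM values span several lines inside
    one pair of double quotes, so the keywords edit/next/end are only
    interpreted on lines that are outside a quoted value.
    """
    in_block = False    # between the block header and its closing 'end'
    in_quote = False    # inside a multi-line quoted value such as a PEM body
    collecting = False  # inside the 'edit' entry we want
    entry = []
    for line in config_text.splitlines():
        if not in_block:
            in_block = line.strip() == BLOCK_HEADER
            continue
        if not in_quote:
            stripped = line.strip()
            if not collecting:
                if stripped == "end":      # block finished, entry not found
                    return None
                m = _EDIT_RE.match(line)
                if m and m.group(1) == cert_name:
                    collecting = True
                    entry.append(line)
            else:
                entry.append(line)
                if stripped == "next":     # entry finished
                    return BLOCK_HEADER + "\n" + "\n".join(entry) + "\nend\n"
        elif collecting:
            entry.append(line)             # continuation of a quoted value
        if _unescaped_quote_count(line) % 2 == 1:
            in_quote = not in_quote
    return None


def validate_cert_block(block):
    """List what is missing from an extracted block before it is pushed.

    A pushed entry without its private key cannot be used to serve TLS on
    the target, so both PEM values and the closing 'end' are required.
    """
    if block is None:
        return ["certificate entry not found"]
    problems = []
    if 'set private-key "-----BEGIN' not in block:
        problems.append("private-key missing")
    if 'set certificate "-----BEGIN CERTIFICATE-----' not in block:
        problems.append("certificate missing")
    if not block.rstrip().endswith("\nend"):
        problems.append("block not terminated with end")
    return problems


if __name__ == "__main__":
    script = extract_local_cert(SAMPLE_CONFIG, "labtest")
    print(script)
    print("problems:", validate_cert_block(script))
```

The returned block is pasted into the FortiManager script unchanged. The validation only checks the shape of the block; it does not decrypt or verify the key material, and it does not detect whether the ENC values will be portable to the target devices.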
Related article:
Technical Tip: CLI Script behavior to run in FortiManager