Skip to main content
SCSIraidGURU1
SCSIraidGURU1
Explorer
October 14, 2025
Question

SCP a certificate from my web server to FortiOS

  • October 14, 2025
  • 4 replies
  • 797 views

I have Let's Encrypt on my Ubuntu Web Server.   It generates a certificate with the firewall certificate: 
DNS Name: firewall.scsiraidguru.com DNS Name: learningwp.scsiraidguru.com DNS Name: mc.scsiraidguru.com DNS Name: patrickmckenneylandscaping.com DNS Name: scsiraidguru.com DNS Name: www.patrickmckenneylandscaping.com DNS Name: www.scsiraidguru.com

 

 

every 60-90 days.  I setup SCP account and rsa-ID on the Web Server and Fortinet 61F.   I setup a test backup file.   It can get a backup from the FortiOS and copy it back to the Web Server.   I want to automate the certificate import from the Web Server to FortiOS.   

I setup a copy.sh file that will compare the new certificate to the copy in my home cert directory.  When it changes, it copies the new pem files into my home cert directory.  It then creates a pfx file in the home cert directory.   I want to get the FortiOS to import the new certificate from the web server.   Create a new deep inspection certificate from it.   Change the policies with the new deep inspection certs for the web site.   Then, replace the other certificates that need to be updated.   I can't use FortiOS Let's Encrypt service.  I doesn't work.  The DNS record changes break the web server.   

4 replies

distillednetwork
distillednetwork
Explorer II
October 14, 2025

I created a script before that would daily take the Let's encrypt certificate on a web server and update the certificate in the FortiGate.  You can do this with a bash script that SSH into he device and runs the necessary commands and manually updates the certificate, or look at the APIs of the FortiGate and execute that way.  This will need to be something that reaches out to the FortiGate to make those changes, as opposed to something that would run on the firewall itself.  

 

I was not doing the DPI part of it, but if I can dig up the script could give you a starting point.

    SCSIraidGURU1
    SCSIraidGURU1Author
    Explorer
    October 14, 2025

    I agree

    I can ssh to the Fortinet 61F from Web Server.  I copied the RSA-ID key for the scp user to the 61F.   

    fnsysctl ls -la /data/etc/cert/local shows me the certificate directory.   I am still looking for the APIs for FortiOS.  

    Do you still have the script?  Can you share it?  

    distillednetwork
    distillednetwork
    Explorer II
    October 14, 2025

    I just pulled it up, and it is using the API.  Basically, I would run the script every day, upload the cert of the day (could be the same as yesterday's), and replace the web and SSL-VPN certs.  Its not perfect, but could be a good starting point.

     

    https://github.com/distillednetworks/FGT-SSLSync

      SCSIraidGURU1
      SCSIraidGURU1Author
      Explorer
      October 14, 2025

      Thanks.  You wrote it in python.  Nice.  I thought I would be doing bash commands.  

       

      /home/<user>/certs has the pem files, key-file, and pfx

       

      I want to get these files to import into the FortiOS.   I started looking at FortiOS API calls to do it.   

      I will be posting my final solution with all the code when I am done.   

      Here is the code I used to pull the E8 root certificate from 

      change website to your web site.   

       

      openssl s_client -showcerts -verify 5 -connect website:443 < /dev/null |    awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}' for cert in *.pem; do          newname=$(openssl x509 -noout -subject -in $cert | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem         echo "${newname}"; mv "${cert}" "${newname}"  done

       

       

      SCSIraidGURU1
      SCSIraidGURU1Author
      Explorer
      October 26, 2025

      I setup a user for SCP on the web server.  Made an ED25519 key and installed it on the same user name who is a super_admin on my 61F.   I can now use that user without a password to access the 61F.   The fortios backup works without a password.  I can back up to the web server.   

      I created a file that copies the cert and the key.  It combines them for a full chain cert.   Still working on copying it to /etc/cert/local on the 61F.

      wukanbu1
      wukanbu1
      New Member
      October 26, 2025

      I'm not sure what firmware version you're on but I've always had trouble with root or inter CAs and the GUI. Adding through cli was the only sure way then everything worked.

      SCSIraidGURU1
      SCSIraidGURU1Author
      Explorer
      October 27, 2025

      I install them from Let's Encrypt.   I had to use a script to create the E8 root certificate.   I use the fullchain certificate to install.   I can help you get them done.   

      Terms & ConditionsAccessibility statement