FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Nivedha
Staff
Article Id 335357
Description This article discusses how to use the API to export certificates from FortiAuthenticator.
Scope FortiAuthenticator.
Solution

Create an API user by referring to the documentation.
After doing this, note the username and API key for the user.

Navigate to Network -> Interfaces and double-click on the interface (specifically the one which has the IP used in the URI field in the script). Ensure that REST API (/api) is enabled.
Navigate to Administration -> System Access and download the HTTPS certificate, then place it in the trusted root certificate store on the client machine from which the API call will be made.

Now, use the following PowerShell script to make the API call:

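# API user credentials: the admin username and the API key noted earlier
$u = "(username of admin account)"
$p = "(apikey)"

# Build the HTTP Basic authentication header from "username:apikey"
$pair = "$($u):$($p)"
$encodedCredentials = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$headers = @{ Authorization = "Basic $encodedCredentials" }

# Certificate policy that accepts any server certificate.
# This turns off TLS certificate validation for the whole PowerShell session,
# so the API key is sent without verifying the server's identity.
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

# Request the user certificates and save the API response to cert.txt
Invoke-WebRequest -Uri "https://(FortiAuthenticator IP)/api/v1/usercerts/" -Method GET -Headers $headers -OutFile "cert.txt"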
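
As an added example (not part of the original article or Fortinet's script), the same call can be made with TLS certificate validation left enabled, relying on the HTTPS certificate imported into the trusted root store in the earlier step. The host name fac.example.internal and the file name fac-https.cer are placeholders, and the example assumes Windows PowerShell 5.1 and a URI host name that matches the certificate.

```powershell
# Added example for Windows PowerShell 5.1; values marked "placeholder" are assumptions.
$FacHost     = "fac.example.internal"   # placeholder: DNS name matching the HTTPS certificate
$FacCertPath = ".\fac-https.cer"        # placeholder: file downloaded from System Access
$OutFile     = ".\cert.txt"

# 1. Confirm the downloaded HTTPS certificate is present in a trusted root store,
#    so default validation can succeed without a trust-all policy.
$certFile = (Resolve-Path -Path $FacCertPath).Path
$facCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certFile
$trusted  = Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $facCert.Thumbprint }
if (-not $trusted) {
    throw "Certificate $($facCert.Thumbprint) is not in a trusted root store; import it first."
}

# 2. Prompt for the API user name and API key instead of hardcoding them.
$cred    = Get-Credential -Message "FortiAuthenticator API user (enter the API key as the password)"
$pair    = "{0}:{1}" -f $cred.UserName, $cred.GetNetworkCredential().Password
$encoded = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$headers = @{ Authorization = "Basic $encoded" }

# 3. Make the call with normal certificate validation and TLS 1.2.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
try {
    Invoke-WebRequest -Uri "https://$FacHost/api/v1/usercerts/" -Method GET -Headers $headers `
        -OutFile $OutFile -UseBasicParsing -ErrorAction Stop
    Write-Host "Saved API response to $OutFile"
}
catch [System.Net.WebException] {
    if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
        # Stop here rather than bypassing validation: the credentials were not sent.
        throw "TLS validation failed for $FacHost. Check that the host name matches the certificate."
    }
    throw
}
finally {
    # Drop the plaintext credential material from the session.
    Remove-Variable -Name pair, encoded, headers, cred -ErrorAction SilentlyContinue
}
```

Run it in a fresh PowerShell session: a TrustAllCertsPolicy assigned earlier stays in effect for the lifetime of the process.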
