FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
npaiva
Staff
Article Id 255367
Description

 

This article describes how to upload a certificate to FortiGate using a REST API.

 

Scope

 

FortiGate, REST API.

 

Solution

 

This document assumes the REST API Administrator user has already been created and the API Key is ready for authentication.

The following self-signed certificate and private key, in Base64 (PEM) format, are used for the demonstration and are attached to this technical document for testing purposes:

 

cert screenshot.png

 

self-signed.png

 

The following parameters can be used to upload a certificate to the FortiGate:

 

{
  "type": "string",
  "certname": "string",
  "password": "string",
  "key_file_content": "string",
  "scope": "string",
  "acme_domain": "string",
  "acme_email": "string",
  "acme_ca_url": "string",
  "acme_rsa_key_size": 0,
  "acme_renew_window": 0,
  "file_content": "string"
}

 

 

For this example only the following parameters are used, because the private key is not encrypted with a password (the password parameter is only needed for an encrypted key):

 

{
  "type": "string",
  "certname": "string",
  "key_file_content": "string",
  "scope": "string",
  "file_content": "string"
}

 

Postman will be the tool used to perform the API calls to the FortiGate in this article. The following path will be used:

 

https://Fortigate-IP-and-HTTPS-admin-port/api/v2/monitor/vpn-certificate/local/import?scope=global&a...

 

In Postman, create a new collection for the FortiGate and then create a new request. Set the request method to POST and rename the request as desired:

 

newpost.png

 

Select Body, change the format to JSON, and paste the parameters:

 

body.png

 

Next, prepare both the private key and the .crt file. Remove all line breaks so that each file becomes a single long string, and remove the '-----BEGIN RSA PRIVATE KEY-----' / '-----END RSA PRIVATE KEY-----' and '-----BEGIN CERTIFICATE-----' / '-----END CERTIFICATE-----' lines.

Open the files in a preferred text editor, such as Notepad++. The private key will look like this initially:

 

privatekey-contents.png

 

Start by deleting the first and last lines (the BEGIN and END lines) of the private key:

 

delete-lines.png

 

Next, reduce the contents to a single string. One way to do this is to press Ctrl+H to open Notepad++'s Replace tool and do the following:

 

1) Check the Wrap around option.

2) Choose the Regular expression search mode.

3) Enter the regex (\h*\R)+ in the Find what: field (this matches every line break together with any trailing horizontal whitespace before it).

4) Enter \x20 (a single space) in the Replace with: field.

5) Select Replace All.

 

The key file will now be a single string with a few spaces introduced:

 

regex.png

 

To remove those spaces, run another Find and Replace operation that replaces the space character (' ') with nothing (leave the 'Replace with' field blank).

 

spaces.png

 

The key file will now consist of a single string without spaces. Repeat this process for the .crt file.

 

Next, fill in the parameter values in Postman (the certificate name, the single-line key string as key_file_content and the single-line certificate string as file_content):

 

params-filled.png

 

Select Send to get a success message:

 

success.png

 

After logging in to the FortiGate, it should be possible to verify that the certificate was uploaded successfully:

 

test-domain-fgt.png
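The manual Notepad++ steps above are easy to get wrong (a stray line break, a leftover BEGIN line, a pasted CSR instead of a certificate). The following script is an added example, not Fortinet's code and not part of the original article; it performs the same preparation in Python, validates the result before anything is sent, builds the reduced JSON body shown earlier, and POSTs it to the import path from the article with the REST API key as a Bearer token. Assumptions that are not on the page: the value "regular" for the "type" field (the article only shows the placeholder "string"), the environment variable names FGT_URL, FGT_API_KEY and FGT_CA_FILE, and the sample PEM blocks, which are constructed placeholder data rather than a real key or certificate. The part of the article's query string after scope=global is truncated on the page and is not reproduced.

```python
"""Added example (not Fortinet's code): automate the article's manual steps.

Strips the -----BEGIN/END----- armor and every line break from a PEM
certificate and private key (what the Notepad++ regex steps do), checks that
what is left is valid base64 DER, builds the article's reduced JSON body and
POSTs it to /api/v2/monitor/vpn-certificate/local/import.
"""
import base64
import binascii
import json
import os
import ssl
import urllib.request

# Assumption: "regular" is the FortiOS import type for a PEM certificate plus
# private key; the article only shows the placeholder "string" for this field.
CERT_TYPE = "regular"
IMPORT_PATH = "/api/v2/monitor/vpn-certificate/local/import"  # path from the article


def _pem_block(pem_text):
    """Split one PEM block into (label, header lines, base64 body lines)."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("expected exactly one -----BEGIN ...----- / -----END ...----- block")
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if lines[-1] != f"-----END {label}-----":
        raise ValueError("BEGIN and END labels differ")
    inner = lines[1:-1]
    if any(ln.startswith("-----") for ln in inner):
        raise ValueError("more than one PEM block found; pass one certificate or one key at a time")
    headers = [ln for ln in inner if ":" in ln]  # Proc-Type / DEK-Info lines of legacy encrypted keys
    body = [ln for ln in inner if ":" not in ln]
    return label, headers, body


def is_encrypted_pem(pem_text):
    """True for PKCS#8 'ENCRYPTED PRIVATE KEY' blocks or legacy 'Proc-Type: 4,ENCRYPTED' keys."""
    label, headers, _ = _pem_block(pem_text)
    return label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers)


def pem_to_single_line(pem_text, expected_label):
    """Return the base64 body as one string with no armor, spaces or line breaks.

    expected_label is 'CERTIFICATE' or 'PRIVATE KEY' (RSA/EC variants match).
    The decoded bytes must start with 0x30 (an ASN.1 SEQUENCE), as both X.509
    certificates and private keys do, so a truncated or mangled paste is caught
    here instead of as an opaque error from the FortiGate.
    """
    label, headers, body = _pem_block(pem_text)
    if label != expected_label and not label.endswith(" " + expected_label):
        raise ValueError(f"expected a {expected_label} block, got {label}")
    if headers:
        raise ValueError(f"unexpected PEM headers (encrypted key?): {headers}")
    single = "".join(body)
    try:
        der = base64.b64decode(single, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("decoded content is not a DER SEQUENCE")
    return single


def build_import_payload(certname, cert_pem, key_pem, scope="global"):
    """Build the article's reduced body; 'password' is omitted because the key is unencrypted."""
    if is_encrypted_pem(key_pem):
        raise ValueError("encrypted private key: this example handles unencrypted keys, as the article does")
    return {
        "type": CERT_TYPE,
        "certname": certname,
        "key_file_content": pem_to_single_line(key_pem, "PRIVATE KEY"),
        "scope": scope,
        "file_content": pem_to_single_line(cert_pem, "CERTIFICATE"),
    }


def upload_certificate(base_url, api_key, payload, cafile=None, timeout=30):
    """POST the payload; base_url is https://<FortiGate-IP>:<HTTPS-admin-port> without a trailing slash.

    The API key is sent as a Bearer token. TLS verification stays on; pass the
    CA file that issued the admin GUI certificate via cafile if it is private.
    A non-2xx reply raises urllib.error.HTTPError, so a failure is never silent.
    """
    url = f"{base_url}{IMPORT_PATH}?scope={payload['scope']}"
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json",
                 "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def make_pem(label, der, eol="\n"):
    """Wrap DER bytes in PEM armor with 64-character lines (used for the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join([f"-----BEGIN {label}-----"] + body + [f"-----END {label}-----", ""])


# Constructed sample: a minimal DER SEQUENCE around placeholder text, NOT a real key or certificate.
_content = b"constructed sample, not a real key or certificate."
SAMPLE_DER = b"\x30" + bytes([len(_content)]) + _content
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_CERT_PEM = make_pem("CERTIFICATE", SAMPLE_DER)
SAMPLE_KEY_PEM = make_pem("RSA PRIVATE KEY", SAMPLE_DER, eol=" \r\n")  # CRLF and trailing spaces, as after a Windows edit
SAMPLE_ENCRYPTED_KEY_PEM = make_pem("ENCRYPTED PRIVATE KEY", SAMPLE_DER)

if __name__ == "__main__":
    body = build_import_payload("test-domain", SAMPLE_CERT_PEM, SAMPLE_KEY_PEM)
    print(json.dumps(body, indent=2))
    # Only talks to a FortiGate when these (hypothetical) variables are set.
    if os.environ.get("FGT_URL") and os.environ.get("FGT_API_KEY"):
        print(upload_certificate(os.environ["FGT_URL"], os.environ["FGT_API_KEY"], body,
                                 cafile=os.environ.get("FGT_CA_FILE")))
```

Run it with no environment variables to see the generated body for the constructed sample; set FGT_URL and FGT_API_KEY (and FGT_CA_FILE if the admin certificate is issued by a private CA) to perform the real upload with files read from disk in place of the samples. Keeping the API key in the environment rather than in the script or a shared Postman collection avoids leaking an administrator credential along with the request.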

Comments
Yezheng
Staff

If it fails, is the expected API response no response at all?

Yezheng
Staff

Can we start with a simple one:
If I have a certificate and private key files (locally), how can I put them on a FortiGate via a terminal command/CLI script?
Like the following, but the following does not work:
config vpn certificate local
edit "Your_Certificate_Name"
set certificate ""
set range global
next
end
https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/379103/uploading-a-certifica...
https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/322226/uploading-a-certifica... (this is GUI, not helpful)
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/825073/procure-and-import-a-signed-ssl-...
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/45329/tls-configuration
