FortiManager
vraev
Staff
Article Id 346087
Description

 

This article describes how to create a FortiManager CLI script that inserts a CA certificate and a local certificate on a managed FortiGate and changes the FortiGate GUI (admin server) settings to use the newly provided certificate.

 

Scope

 

FortiManager.

 

Solution

 

Create a new CA certificate under DM -> Device & Groups -> Managed FortiGate -> 'FGT_name' -> CLI Configurations (enable it under Feature Visibility if it is not shown) -> VPN -> Certificate -> CA -> Create New.

[Screenshot: FMG_creating_CA1.png]

The important fields are:

  • Name.
  • CA.
  • Range.

 

Then go to VPN -> Certificate -> Local -> Create New.

[Screenshot: FMG_creating_local1.png]

Fill in the following fields (not all of them are present in the screenshot):

  • name: Example_local_cert.
  • certificate: the PEM certificate.
  • password: the password protecting the private key.
  • private-key: the PEM private key.
  • range: Global.

 

Then make a change under System -> Global: set admin-server-cert to Example_local_cert.

[Screenshot: FMG_global1.png]

 

 

Then from the Install Wizard, install Device Settings (only), open Install Preview, and select Download.

The downloaded output (shown below, with the certificate and key bodies shortened) can be used to create the new script:

 

config vpn certificate local
    edit "FAR_LOCAL"
        set password ENC Z8Zpc/bwU2j1HxCFsp0zLVsmSUfQ2
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIPD6OIfSZpVoCAggA
Fnh4+qdMZkLi3MYWSmWVFsd5ZtMcXQ2JFeNw3Q09lIxT
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
MIIFJjCCAw6gAwIBAgIJANlyW9g4KGDSMA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNV
2n2Dw3Wf+KJdHWy9G2PcW7oG37bMDl8phOA=
-----END CERTIFICATE-----"
        set range global
    next
end

config system global
    set admin-server-cert "FAR_LOCAL"
end

config vpn certificate ca
    edit "FAR_CA"
        set ca "-----BEGIN CERTIFICATE-----
MIIFZTCCA02gAwIBAgIIddfjdvgdelswDQYJKoZIhvcNAQELBQAwGDEWMBQGA1UE
AwwNKi5leGFtcGxlLmNvbTAeFw0yNDAxMzExMDQwNDhaFw0zNDAxMjgxMDQwNDha
usVnBskmcosCdizcnWNC8vzg7KU4+189WNukfw7HVSFlvrarHTOchxQ=
-----END CERTIFICATE-----"
        set range global
    next
end

 

 

To create the script, go to DM -> Scripts -> Create New.

[Screenshot: FMG_creating_cli_script1.png]

To run the script, go to DM -> Scripts -> 'Script_name' -> Run Script -> Select device/s.

[Screenshot: FMG_creating_cli_script2.png]

 

 

After the script has run successfully on one device in the device DB (as a test), proceed with Install.

 

When the certificate to be used is available as a .p12 file, the following command can be used to extract the local certificate, the CA certificate and the private key in PEM format (this is the order in which they are currently printed):

openssl pkcs12 -info -in FAR.p12

It will request the import password to decrypt the file and then a PEM pass phrase with which to encrypt the exported private key; that pass phrase is the value for the password field. All of the information is printed in the CLI, from where it can be copied into the required fields.
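The two steps above (reading the bundle with openssl and assembling the FortiManager script by hand) can be combined. The script below is an added example, not part of the Fortinet article and not a Fortinet tool: it pulls the leaf certificate, the CA certificate and the private key out of a .p12 file and prints a FortiManager CLI script with the same structure as the downloaded output shown earlier. It assumes the openssl CLI is installed, that the bundle holds one leaf certificate, its private key and a single issuing CA certificate, and that the FortiOS password field accepts the key pass phrase in plain text (FortiOS stores it encrypted, which is the ENC form in the article). The names and passwords used are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): generate a FortiManager CLI
# script from a .p12 bundle so the certificate, key and CA do not have to be
# copied by hand from "openssl pkcs12 -info".
# Assumptions: openssl CLI present; bundle = one leaf cert + its key + one CA;
# FortiOS "set password" accepts the key pass phrase in plain text.
# All names and passwords below are constructed for the demo.
set -eu

# Keep only PEM blocks; drops the "Bag Attributes" lines openssl prints.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p'
}

# build_fmg_cert_script P12 P12PASS LOCAL_NAME CA_NAME KEYPASS
# Writes the FortiManager script to stdout. KEYPASS protects the private key
# inside the script and is the value FortiGate needs in "set password".
build_fmg_cert_script() {
    p12=$1 p12pass=$2 localname=$3 caname=$4 keypass=$5

    # -clcerts: the certificate paired with the key; -cacerts: the rest.
    leaf=$(openssl pkcs12 -in "$p12" -passin "pass:$p12pass" -clcerts -nokeys | pem_only)
    ca=$(openssl pkcs12 -in "$p12" -passin "pass:$p12pass" -cacerts -nokeys | pem_only)
    # The key is re-encrypted under KEYPASS; openssl emits a PKCS#8
    # "ENCRYPTED PRIVATE KEY" block, the same form the article's script carries.
    key=$(openssl pkcs12 -in "$p12" -passin "pass:$p12pass" -nocerts \
            -passout "pass:$keypass" | pem_only)

    if [ -z "$leaf" ] || [ -z "$ca" ] || [ -z "$key" ]; then
        echo "bundle is missing the leaf certificate, the CA certificate or the key" >&2
        return 1
    fi

    printf 'config vpn certificate ca\n    edit "%s"\n        set ca "%s"\n        set range global\n    next\nend\n\n' \
        "$caname" "$ca"
    printf 'config vpn certificate local\n    edit "%s"\n        set password %s\n        set private-key "%s"\n        set certificate "%s"\n        set range global\n    next\nend\n\n' \
        "$localname" "$keypass" "$key" "$leaf"
    printf 'config system global\n    set admin-server-cert "%s"\nend\n' "$localname"
}

# make_demo_bundle DIR: constructed test CA and leaf, packed into DIR/bundle.p12
# (import password "p12secret") so the example runs offline.
make_demo_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/CN=Example Test CA" -days 30 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=fgt.example.com" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.crt" -days 30 2>/dev/null
    openssl pkcs12 -export -in "$d/leaf.crt" -inkey "$d/leaf.key" -certfile "$d/ca.crt" \
        -out "$d/bundle.p12" -passout pass:p12secret
}

# Stand-alone demo: build a throwaway bundle and print the generated script.
demo_dir=$(mktemp -d)
make_demo_bundle "$demo_dir"
build_fmg_cert_script "$demo_dir/bundle.p12" p12secret Example_local_cert Example_CA keysecret
rm -rf "$demo_dir"
```

For a real bundle, call build_fmg_cert_script with the .p12 path, its import password, the names to use for the local and CA entries, and a fresh pass phrase for the key, and paste the output into the new FortiManager script. The generated text contains the (encrypted) private key, so it should be handled like the .p12 itself. If the bundle carries an intermediate CA as well as the root, each CA certificate needs its own entry under config vpn certificate ca; the example only handles the single-CA case it states.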

 

Troubleshooting:

  • Run the commands below in the FortiManager CLI before installing from FortiManager to FortiGate, to troubleshoot any issues that appear during the installation:

diagnose debug application securityconsole 255
diagnose debug enable

 

Related article:

Technical Tip: SAML SSO user group setup for a managed FortiGate