We are in the process of testing FortiWeb to eventually deploy a VM-based solution.
For now, I have something working, and I am able to pass traffic through the FortiWeb (reverse proxy mode) to access the webserver I am using for now.
I was able to add certificates, and use SNI to access different websites on that server.
So, when a certificate is about to expire or needs to be replaced, I cannot import the new certificate, nor the certificate/key pair. I get an error that it exists and needs to be deleted first. I cannot delete a given certificate since it's used in an SNI list.
So how are we supposed to replace existing certs that are being used? If I do it by hand, best case it'll take like 30 seconds. During that time, clients would get another cert or an error. That's not very acceptable.
I could always use the API to do it quickly in a second or so. But I would need to delete that cert from the SNI policy, and I haven't figured out how, then delete the cert, re-upload the new cert, and then re-add the cert to the SNI policy.
Speaking of which, is there more detailed documentation of the API, as to what syntax is to be used for each call? I only found a quick reference basically listing the possible calls.
Haven't been on a FortiWeb for a while, but could you create a new policy with the new certificate and apply that policy?
After you apply the new policy, you go back and delete the older expired server certificate.
PCNSE
NSE
StrongSwan
Thanks,
emnoc wrote: Haven't been on a FortiWeb for a while, but could you create a new policy with the new certificate and apply that policy?
After you apply the new policy, you go back and delete the older expired server certificate.
But still even if the cert isn't used anywhere, we cannot import a certificate that has the same CN.
Using the CLI, I was able to add a new certificate that has the same name, with the date at the end for example, and then edit the SNI profile and replace the used cert with that new one.
That is exactly what I want to do with the API. I'll try using what I used with the CLI, but with JSON. But an API call to:
/api/v1.0/System/Certificates/SNI/SETNAME
only lists the SNI profile lists, whether or not I add the SNI set name... I'll continue my tests tomorrow.