Thanks.  You wrote it in python.  Nice.  I thought I would be doing bash commands.  

/home/<user>/certs has the pem files, key-file, and pfx

I want to get these files to import into the FortiOS.   I started looking at FortiOS API calls to do it.   

I will be posting my final solution with all the code when I am done.   

Here is the code I used to pull the E8 root certificate from 

change website to your web site.   

openssl s_client -showcerts -verify 5 -connect website:443 < /dev/null |
   awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
for cert in *.pem; do 
        newname=$(openssl x509 -noout -subject -in $cert | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
        echo "${newname}"; mv "${cert}" "${newname}" 
done

I setup a user for SCP on the web server.  Made an ED25519 key and installed it on the same user name who is a super_admin on my 61F.   I can now use that user without a password to access the 61F.   The fortios backup works without a password.  I can back up to the web server.   

I created a file that copies the cert and the key.  It combines them for a full chain cert.   Still working on copying it to /etc/cert/local on the 61F.

I install them from Let's Encrypt.   I had to use a script to create the E8 root certificate.   I use the fullchain certificate to install.   I can help you get them done.