Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nicolasross
New Contributor III

How to replace / renew a certificate?

We are in the process of testing FortiWeb to eventually deploy a VM-based solution.

For now, I have something working, and I am able to pass traffic through the FortiWeb (reverse proxy mode) to access the web server I am using for now.

I was able to add certificates, and use SNI to access different websites on that server.

So, when a certificate is about to expire or needs to be replaced, I cannot import the new certificate, nor the certificate/key pair. I get an error that it exists and needs to be deleted first. I cannot delete a given certificate since it's used in an SNI list.

So how are we supposed to replace existing certs that are being used? If I do it by hand, best case it'll take like 30 seconds. During that time, clients would get another cert or an error. That's not very acceptable.

I could always use the API to do it quickly in a second or so. But I would need to delete that cert from the SNI policy, and I haven't figured out how, then delete the cert, re-upload the new cert, and then re-add the cert to the SNI policy.

Speaking of which, is there more detailed documentation of the API, as to what syntax is to be used for each call? I only found a quick reference basically listing the possible calls.

emnoc
Esteemed Contributor III

Haven't been on a FortiWeb for a while, but could you create a new policy with the new certificate and apply that policy?

After you apply the new policy, you go back and delete the older expired server certificate.

 

PCNSE 

NSE 

StrongSwan  

nicolasross
New Contributor III

emnoc wrote:

Haven't been on a FortiWeb for a while, but could you create a new policy with the new certificate and apply that policy?

After you apply the new policy, you go back and delete the older expired server certificate.

Thanks,

But still, even if the cert isn't used anywhere, we cannot import a certificate that has the same CN.

nicolasross

Using the CLI, I was able to add a new certificate that has the same name, with the date at the end for example, and then edit the SNI profile and replace the used cert with that new one.

That is exactly what I want to do with the API. I'll try using what I used with the CLI, but with JSON. But an API call to:

/api/v1.0/System/Certificates/SNI/SETNAME

only lists the SNI profile lists, whether or not I add the SNI set name... I'll continue my tests tomorrow.
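The rotation order worked out in this thread (import the renewed cert under a new, date-suffixed name, repoint every SNI entry to it, and only then delete the old cert) is shown below as an added example that is not part of the original posts and is not FortiWeb's API or CLI. The `CertStore` and `SniProfile` classes are a constructed stand-in that enforces the two constraints reported above (a name that already exists cannot be imported, and a cert referenced by an SNI profile cannot be deleted), so the naive "delete then re-upload" order fails and the safe order succeeds. The `served_fingerprint` function is a real stdlib TLS probe a practitioner can run after the swap to confirm each SNI hostname is now serving the renewed certificate; the hostname, port and the PEM sample are assumptions.

```python
"""Certificate rotation order without a gap, modelled on the constraints
described in the thread. CertStore/SniProfile are a constructed model,
NOT the FortiWeb API or CLI; only served_fingerprint talks to a real server."""
import hashlib
import socket
import ssl
from datetime import date


class CertStore:
    """Constructed model of the appliance certificate list: names are unique."""

    def __init__(self):
        self.certs = {}  # name -> PEM text

    def upload(self, name, pem):
        if name in self.certs:
            raise ValueError(f"certificate {name!r} already exists; delete it first")
        self.certs[name] = pem

    def delete(self, name, profiles):
        # Refuse to delete a certificate that any SNI profile still references.
        users = [p.name for p in profiles if name in p.entries.values()]
        if users:
            raise ValueError(f"certificate {name!r} is in use by SNI profile(s) {users}")
        del self.certs[name]


class SniProfile:
    """Constructed model of an SNI profile: hostname -> certificate name."""

    def __init__(self, name, entries):
        self.name = name
        self.entries = dict(entries)

    def repoint(self, old, new):
        for host, cert in self.entries.items():
            if cert == old:
                self.entries[host] = new


def rotate(store, profiles, old_name, new_pem, today=None):
    """Safe order: upload under a fresh name, swap SNI references, delete old."""
    today = today or date.today()
    new_name = f"{old_name}-{today:%Y%m%d}"   # date suffix avoids the name clash
    store.upload(new_name, new_pem)           # 1. import succeeds: unique name
    for p in profiles:                        # 2. every SNI entry now serves it
        p.repoint(old_name, new_name)
    store.delete(old_name, profiles)          # 3. old cert unreferenced, delete OK
    return new_name


def naive_replace(store, profiles, name, new_pem):
    """The order the OP tried first: delete the in-use cert, then re-import."""
    store.delete(name, profiles)              # raises: still referenced by SNI
    store.upload(name, new_pem)


def fingerprint_der(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def expected_fingerprint(pem):
    """Fingerprint of the PEM you uploaded, to compare with what is served."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


def served_fingerprint(host, port=443):
    """Real check: fingerprint of the cert the server presents for this SNI name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_der(tls.getpeercert(binary_form=True))


# Constructed sample: PEM framing around base64 of the bytes b"constructed".
# It is not a real certificate; it only exercises the naming and ordering logic.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"


def demo():
    store = CertStore()
    store.upload("www-example", "old-pem")
    profiles = [SniProfile("sni-main", {"www.example.test": "www-example",
                                        "api.example.test": "www-example"})]
    new_name = rotate(store, profiles, "www-example", SAMPLE_PEM, today=date(2024, 1, 31))
    return new_name, sorted(store.certs), profiles[0].entries


if __name__ == "__main__":
    print(demo())
    # print(served_fingerprint("www.example.test"))  # assumed hostname; run after swap
```

After `rotate` returns, compare `served_fingerprint(host)` for each hostname in the profile against `expected_fingerprint(new_pem)`; a mismatch means that hostname is still serving the old (or a default) certificate.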