Using a custom certificate
OCI requires every API request to be signed (see the OCI documentation on Request Signatures). FortiGate currently signs these requests with a certificate and its private key, so you must specify a certificate on the FortiGate for OCI when configuring A-P HA; the FortiGate uses this certificate whenever it calls OCI APIs. In the previous deployment step, you used the built-in FortiGate certificate called "Fortinet_Factory".
For greater security, OCI recommends rotating API signing keys periodically. You may want to replace the default certificate after some time, or, if you operate several A-P HA clusters, give each cluster its own certificate from the start so that the clusters do not share one credential.
This section explains how to replace the certificate. The example uses a self-signed certificate that you created for your organization outside of the FortiGate. For details about the keys that OCI accepts, see Request Signatures.
You need three files:
- Certificate file (imported on the FortiGate)
- Key file, the private key matching the certificate (imported on the FortiGate)
- PEM file containing the public key (added to the OCI user as an API key)
OCI accepts only RSA keys of at least 2048 bits, and the signing algorithm is RSA with SHA-256. In this example, a 2048-bit RSA key was used to create the certificate.
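Producing the three files with OpenSSL, as an added example that is not part of the original page: the script generates the private key, a self-signed certificate and the public-key PEM, checks them against the OCI requirements stated above (RSA, at least 2048 bits, SHA-256 signature), confirms that the key and certificate belong together, and prints the fingerprint that OCI will display once the PEM is added as an API key. The file names (fgt-oci.key, fgt-oci.crt, fgt-oci.pem), the certificate subject and the output directory are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original page): create the three files a custom
# OCI signing certificate needs and check them against OCI's requirements.
# File names, certificate subject and output directory are assumptions.
set -e

# Generate key, self-signed certificate and public-key PEM into $1 with basename $2.
make_oci_cert() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    # Key file for the FortiGate: RSA, 2048 bits (OCI's minimum)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$name.key" 2>/dev/null
    # Certificate file for the FortiGate: self-signed, sha256WithRSAEncryption
    openssl req -new -x509 -sha256 -days 365 -key "$dir/$name.key" \
        -subj "/O=example-org/CN=fortigate-oci-signer" -out "$dir/$name.crt" 2>/dev/null
    # PEM file for OCI: the public key that is pasted under the user's API Keys
    openssl rsa -in "$dir/$name.key" -pubout -out "$dir/$name.pem" 2>/dev/null
}

# Succeeds only if the certificate's key is RSA, at least 2048 bits, and the
# certificate is signed with SHA-256 (what OCI requires for API signing keys).
check_oci_requirements() {
    txt=$(openssl x509 -in "$1" -noout -text)
    alg=$(printf '%s\n' "$txt" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n1)
    bits=$(printf '%s\n' "$txt" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n1)
    sig=$(printf '%s\n' "$txt" | sed -n 's/^ *Signature Algorithm: *//p' | head -n1)
    if [ "$alg" = "rsaEncryption" ] && [ -n "$bits" ] && [ "$bits" -ge 2048 ] \
       && [ "$sig" = "sha256WithRSAEncryption" ]; then
        return 0
    fi
    return 1
}

# Succeeds only if the key file belongs to the certificate file: signatures made
# with a mismatched key will never verify against the public key OCI holds.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then
        return 0
    fi
    return 1
}

# OCI identifies an uploaded API key by the colon-separated MD5 of the
# DER-encoded public key; this is the fingerprint shown after you click Add.
oci_fingerprint() {
    openssl rsa -in "$1" -pubin -outform DER 2>/dev/null | openssl md5 -c | sed 's/^.*= *//'
}

main() {
    out="${OUTDIR:-$(mktemp -d)}"
    make_oci_cert "$out" fgt-oci
    if ! check_oci_requirements "$out/fgt-oci.crt"; then
        echo "certificate does not meet OCI requirements" >&2; exit 1
    fi
    if ! key_matches_cert "$out/fgt-oci.key" "$out/fgt-oci.crt"; then
        echo "key file does not match certificate file" >&2; exit 1
    fi
    echo "FortiGate certificate:    $out/fgt-oci.crt"
    echo "FortiGate key:            $out/fgt-oci.key"
    echo "OCI public key PEM:       $out/fgt-oci.pem"
    echo "Expected OCI fingerprint: $(oci_fingerprint "$out/fgt-oci.pem")"
}
main
```

Only the .pem (public key) ever leaves the machine; keep the .key file off shared storage and delete working copies once it has been imported on the FortiGate. The printed fingerprint is what you compare against the OCI user's API Keys list and against the FortiGate's own view of the connector at the end of the procedure.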
- Import your custom certificate on the primary FortiGate only. A-P HA synchronizes the FortiOS configuration, including local certificates and their private keys, so the certificate is applied to the secondary unit automatically:
- Log into the primary FortiGate and go to System > Certificates. The list of available FortiGate certificates displays.
- Have the certificate and key files ready on your PC.
- Click Import > Local Certificate. In the Import Certificate panel, for Type, select Certificate.
- Upload the certificate and key files (in this example, apache-selfsigned.crt and apache-selfsigned.key). Enter the key password if the key is encrypted, give the certificate a name, and click OK.
- The certificate now appears in the list. Double-click it to show its details.
- Edit the OCI Fabric connector created earlier. You can do this via the GUI or the CLI.
- To edit the Fabric connector via the GUI, do the following:
- Go to Security Fabric > Fabric Connectors.
- Select the Fabric connector, then click Edit.
- From the OCI certificate dropdown list, select the newly imported certificate.
- Click OK.
- To edit the Fabric connector via the CLI, do the following:
- Open the CLI console in the FortiGate-VM management console.
- Enter the following CLI commands to point the connector at the new certificate. The show command displays what is currently configured; next and end save the configuration and return you to the indentation level at which you started. Replace oci-sdn with the name you configured for your Fabric connector, and your_certificate_name with the name you gave the imported certificate (in this example, jkato-new-cert1):

```
config system sdn-connector
    edit oci-sdn
        set oci-cert "your_certificate_name"
    next
end
```

You can view the resulting configuration by running get OCI_connector_name.
- Next, add a new API key for the OCI user based on the new certificate's public-key PEM. Log into the OCI Console and locate the user that you specified with user-id in the Fabric connector.
- Select the user and go to API Keys. Click Add Public Key.
- Paste the contents of the PEM file (the public key, not the certificate or the private key). Click Add.
You should see that a new fingerprint has been added. You can also see the fingerprint on the FortiGate by running the get OCI_connector_name command; the two must match. An OCI user can hold at most three API keys at a time, so leave the previous key in place until the cluster is confirmed to be signing with the new certificate, then delete it so the old credential can no longer be used.
- Check that API calls succeed by referring to Troubleshooting OCI Fabric connector.