Administration Guide

Uploading a certificate using an API

There are several API methods to upload a certificate, depending on the type and purpose of the certificate. The parameters listed for each method are the available options; some methods do not require every parameter to upload the certificate.

When uploading a certificate to the FortiGate using the API, the certificate must be provided to the FortiGate in Base64 encoding. You must create a REST API user to authenticate to the FortiGate and use the generated API token in the request.

api/v2/monitor/vpn-certificate/ca/import

{
  "import_method": "[file|scep]",
  "scep_url": "string",
  "scep_ca_id": "string",
  "scope": "[vdom*|global]",
  "file_content": "string"
}

api/v2/monitor/vpn-certificate/crl/import

{
  "scope": "[vdom*|global]",
  "file_content": "string"
}

api/v2/monitor/vpn-certificate/local/import

{
  "type": "[local|pkcs12|regular]",
  "certname": "string",
  "password": "string",
  "key_file_content": "string",
  "scope": "[vdom*|global]",
  "acme-domain": "string",
  "acme-email": "string",
  "acme-ca-url": "string",
  "acme-rsa-key-size": 0,
  "acme-renew-window": 0,
  "file_content": "string"
}

api/v2/monitor/vpn-certificate/remote/import

{
  "scope": "[vdom*|global]",
  "file_content": "string"
}

api/v2/monitor/vpn-certificate/csr/generate

{
  "certname": "string",
  "subject": "string",
  "keytype": "[rsa|ec]",
  "keysize": [1024|1536|2048|4096],
  "curvename": "[secp256r1|secp384r1|secp521r1]",
  "orgunits": [
    "string"
  ],
  "org": "string",
  "city": "string",
  "state": "string",
  "countrycode": "string",
  "email": "string",
  "sub_alt_name": "string",
  "password": "string",
  "scep_url": "string",
  "scep_password": "string",
  "scope": "[vdom*|global]"
}

Example

In this example, a PKCS 12 certificate is uploaded as a local certificate using Postman as the API client. PowerShell is used for the Base64 encoding.

To upload a PKCS 12 certificate using an API:
  1. In PowerShell, encode the PKCS 12 certificate to Base64:
    # Work from the folder where the encoded text file will be written (the desktop in this example).
    cd C:\users\username\desktop
    # Read the .p12 file as raw bytes (Windows PowerShell 5.1; PowerShell 7 uses -AsByteStream instead of -Encoding Byte).
    $pkcs12cert = Get-Content 'C:\users\path\to\certificate\certificatename.p12' -Encoding Byte
    # Base64-encode the bytes and write the text to a file; its contents become file_content.
    [System.Convert]::ToBase64String($pkcs12cert) | Out-File 'base12encodedcert.txt'

    These three commands do the following:

    1. Change the working directory to the location where the encoded certificate will be created. In this example, it is the desktop.

    2. Read the certificate file, specified by its full path, into a variable called pkcs12cert as raw bytes.

    3. Create a text file called base12encodedcert.txt in the location set in the first step. Its contents are what you copy and paste into file_content later in Postman.

  2. Generate an API token on the FortiGate by creating a REST API user. See Generate an API token on the Fortinet Developer Network. A subscription to the Fortinet Developer Network is required to view this topic.
  3. Open Postman and create a new request:
    1. Click the +.
    2. Click the Authorization tab and in the Type dropdown, select API Key.
    3. For Key, enter access_token and enter the Value for the API user.
    4. For Add to, select Query Params.

  4. In the HTTP request dropdown, change the request from GET to POST, and enter the FortiGate’s IP address and the URL of the API call.
  5. Click the Body tab, and copy and paste the API parameters.

  6. Remove the parameters that do not apply (the ACME-related parameters and key_file_content) and enter the correct settings for your certificate. Copy and paste the contents of the file generated by PowerShell earlier into file_content.

  7. Click Send. The lower window will return the results.
  8. In FortiOS, go to System > Certificates and verify that the uploaded certificate is shown in the table (api_crt).

To debug using the HTTPS daemon:
# diagnose debug reset
# diagnose debug enable
# diagnose debug application httpsd -1
<output>
# diagnose debug disable