Fortinet Document Library

Version:


Table of Contents

OCI Administration Guide

7.0.0
Download PDF
Copy Link

Using a custom certificate

OCI requires a mechanism to append a certain signature/credential in making API requests. Currently FortiGate uses a certificate to do so. You must specify a certificate on the FortiGate for OCI when configuring A-P HA. The certificate calls APIs to OCI. In the previous deployment step, you used a built-in FortiGate certificate called "Fortinet_Factory".

For greater security, OCI recommends rotating the security element periodically. You may want to change the default certificate after some time, or if you have multiple sets of A-P HA clusters, you may want to use a different certificate for each cluster initially.

This section explains how to replace the certificate. This example uses a self-signed certificate that you created for your organization outside of the FortiGate. For details about the certificates that OCI requires, see Request Signatures.

You need three files:

  • Certificate file (for use on the FortiGate)
  • Key file (for use on the FortiGate)
  • PEM file (for use on OCI)

The signing algorithm must be RSA SHA-256. In this example, you have used an RSA-2048-bit key to create a certificate.

To use a custom certificate:
  1. Import your custom certificate to the primary FortiGate. There is no need to do the same on the secondary unit, as A-P HA enables a feature called configuration synchronization, where the certificate is automatically applied to the secondary unit with the FortiOS configuration:
    1. Log into the primary FortiGate and go to System > Certificates. The list of available FortiGate certificates displays.
    2. Have a pair of the certificate and key files ready on the PC.
    3. Click Import > Local Certificate. In the Import Certificate panel, for Type, select Certificate.
    4. Upload the pair of certificate and key files. In this example, the file names are apache-selfsigned.crt and apache-selfsigned.key, respectively. Enter the password if any, and name the certificate as desired. Click OK.

    5. The certificate displays on the screen. Double-click to show certificate detail.

  2. Edit the OCI SDN connector created earlier. You can do this via the GUI or the CLI.
    1. To edit the SDN connector via the GUI, do the following:
      1. Go to Security Fabric > External Connectors.
      2. Select the Fabric connector, then click Edit.
      3. From the Certificate dropdown list, select the newly created certificate.
      4. Click OK.
    2. To edit the Fabric connector via the CLI, do the following:
      1. Open the CLI console in the FortiGate-VM management console.
      2. Enter CLI commands as follows to point to the new certificate. The show command shows what is currently configured. next and end save the configuration and returns to the original indentation with which you started. Replace oci-sdn with the name you configured for your Fabric connector, and enter the desired certificate name. The example certificate name is jkato-new-cert1.

        config system sdn-connector

        edit oci-sdn

        set oci-cert “your_certificate_name”

        next

        end

        You can see the configuration by running get OCI_connector_name.

  3. Next, you must add a new fingerprint for the user based on the new certificate's PEM. Log into the OCI compute portal and locate the user, which you specified with user-id above.

    1. Select the user and go to API Keys. Click Add Public Key.

    2. Copy and paste the content of the PEM key. Click Add.

    3. You should see that a new fingerprint has been added. You can also see the fingerprint in the CLI by running the get OCI_connector_name command.

  4. Check if you can successfully make API calls by referring to Troubleshooting OCI SDN connector.

Using a custom certificate

OCI requires a mechanism to append a certain signature/credential in making API requests. Currently FortiGate uses a certificate to do so. You must specify a certificate on the FortiGate for OCI when configuring A-P HA. The certificate calls APIs to OCI. In the previous deployment step, you used a built-in FortiGate certificate called "Fortinet_Factory".

For greater security, OCI recommends rotating the security element periodically. You may want to change the default certificate after some time, or if you have multiple sets of A-P HA clusters, you may want to use a different certificate for each cluster initially.

This section explains how to replace the certificate. This example uses a self-signed certificate that you created for your organization outside of the FortiGate. For details about the certificates that OCI requires, see Request Signatures.

You need three files:

  • Certificate file (for use on the FortiGate)
  • Key file (for use on the FortiGate)
  • PEM file (for use on OCI)

The signing algorithm must be RSA SHA-256. In this example, you have used an RSA-2048-bit key to create a certificate.

To use a custom certificate:
  1. Import your custom certificate to the primary FortiGate. There is no need to do the same on the secondary unit, as A-P HA enables a feature called configuration synchronization, where the certificate is automatically applied to the secondary unit with the FortiOS configuration:
    1. Log into the primary FortiGate and go to System > Certificates. The list of available FortiGate certificates displays.
    2. Have a pair of the certificate and key files ready on the PC.
    3. Click Import > Local Certificate. In the Import Certificate panel, for Type, select Certificate.
    4. Upload the pair of certificate and key files. In this example, the file names are apache-selfsigned.crt and apache-selfsigned.key, respectively. Enter the password if any, and name the certificate as desired. Click OK.

    5. The certificate displays on the screen. Double-click to show certificate detail.

  2. Edit the OCI SDN connector created earlier. You can do this via the GUI or the CLI.
    1. To edit the SDN connector via the GUI, do the following:
      1. Go to Security Fabric > External Connectors.
      2. Select the Fabric connector, then click Edit.
      3. From the Certificate dropdown list, select the newly created certificate.
      4. Click OK.
    2. To edit the Fabric connector via the CLI, do the following:
      1. Open the CLI console in the FortiGate-VM management console.
      2. Enter CLI commands as follows to point to the new certificate. The show command shows what is currently configured. next and end save the configuration and returns to the original indentation with which you started. Replace oci-sdn with the name you configured for your Fabric connector, and enter the desired certificate name. The example certificate name is jkato-new-cert1.

        config system sdn-connector

        edit oci-sdn

        set oci-cert “your_certificate_name”

        next

        end

        You can see the configuration by running get OCI_connector_name.

  3. Next, you must add a new fingerprint for the user based on the new certificate's PEM. Log into the OCI compute portal and locate the user, which you specified with user-id above.

    1. Select the user and go to API Keys. Click Add Public Key.

    2. Copy and paste the content of the PEM key. Click Add.

    3. You should see that a new fingerprint has been added. You can also see the fingerprint in the CLI by running the get OCI_connector_name command.

  4. Check if you can successfully make API calls by referring to Troubleshooting OCI SDN connector.