CLI Reference

execute certificate local import automated

Use this command to import local certificates using the ACME protocol to get SSL/TLS certificates from Let's Encrypt or other ACME providers.

As part of the certificate importing functionality, FortiADC supports the Automatic Certificate Management Environment (ACME) protocol for automating the interactions between certificate authorities (CAs) and their users' web servers.

Before you begin:
  • You must have Read-Write permission for System settings.

Syntax

execute certificate local import automated <cert_name> <domain> <email> <key_type> {<key_size>|<curve_name>} <password> <server_url> <ca_group> <challenge_wait>

Execute Parameter

Description

<cert_name>

Specify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.

<domain>

Specify the web server domain to be protected by the certificate.

<email>

Enter the email address that will receive notifications regarding the status of the certificate.

Depending on which ACME service provider you use, you may receive a notification when the certificate request has been approved through the Certificated Services or when the certificate is due to expire.

<key_type>

Select either of the following key types:

  • RSA
  • ECDSA

<key_size>

Specify the key_size if the key_type is RSA.

Select one of the following key sizes:

  • 2048

  • 3072

  • 4096

<curve_name>

Specify the curve_name if the key_type is ECDSA.

Select one of the following curve names:

  • P256

  • P384

  • P521

<password>

Specify the password to decrypt the file. If the file was encrypted by a password when generated, the same password must be provided when the file is imported to FortiADC. If the file was generated without a password, there is no need to specify a password when importing the file to FortiADC. Enter null if there is no password.

<server_url>

To use Let's Encrypt as the ACME provider, enter null as the server_url.

To use other ACME providers, such as Buypass AS, specify the URL of the ACME server. The ACME request URL must begin with "https://".

After you have obtained the ACME certificate from your chosen ACME service provider, you will need to provide the ACME server URL to connect to FortiADC. This will enable FortiADC to act as the ACME client to send the ACME request and receive the ACME certificate/key.

Note: The ACME server URL is unique to the ACME service provider. Please refer to the documentation from your ACME provider for further information.

<ca_group>

Specify the name of the CA Group. FortiADC will use the CA certificate in the CA Group to verify the certificate sent by the ACME provider. Enter null to not verify.

<challenge_wait>

Specify the ACME DNS-01 challenge wait time in minutes. (Range: 1-1440 minutes).

The ACME DNS-01 challenge wait time refers to the amount of time you will have to fulfill the DNS-01 challenge. A longer challenge wait time is recommended to ensure enough time is allotted to perform the required Public DNS configuration changes and for the changes to take effect.

Example

FortiADC # execute certificate local import automated ACME-test test.com test@fortinet.com RSA 2048 null null null 3

Done.
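
An added pre-flight check, not part of the FortiADC documentation: it validates a planned invocation against the parameter rules above and warns on two settings the page itself cautions about, a ca_group of null (the ACME provider's certificate is not verified) and a challenge_wait shorter than the 20 minutes that DNS changes may take. The function name check_args and the reading of "special characters" as anything other than letters, digits, "_" and "-" are assumptions.

```python
import re

# Allowed values are taken from the parameter table above.
RSA_SIZES = {"2048", "3072", "4096"}
EC_CURVES = {"P256", "P384", "P521"}
# Assumption: "no spaces or special characters" is read as letters, digits,
# '_' and '-' (the page's own names are www_example_com and ACME-test).
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,35}")


def check_args(cert_name, domain, email, key_type, key_param,
               password, server_url, ca_group, challenge_wait):
    """Return (errors, warnings, command) for one planned invocation."""
    errors, warnings = [], []
    if not NAME_RE.fullmatch(cert_name):
        errors.append("cert_name: 1-35 characters, no spaces or special characters")
    if key_type == "RSA":
        if key_param not in RSA_SIZES:
            errors.append("key_size for RSA must be 2048, 3072 or 4096")
    elif key_type == "ECDSA":
        if key_param not in EC_CURVES:
            errors.append("curve_name for ECDSA must be P256, P384 or P521")
    else:
        errors.append("key_type must be RSA or ECDSA")
    if server_url != "null" and not server_url.startswith("https://"):
        errors.append('server_url must be null or begin with "https://"')
    if not (str(challenge_wait).isdigit() and 1 <= int(challenge_wait) <= 1440):
        errors.append("challenge_wait must be 1-1440 minutes")
    elif int(challenge_wait) < 20:
        warnings.append("challenge_wait under 20 minutes: DNS changes may not be visible in time")
    if ca_group == "null":
        warnings.append("ca_group is null: the ACME provider's certificate is not verified")
    fields = [cert_name, domain, email, key_type, key_param,
              password, server_url, ca_group, str(challenge_wait)]
    if any(not f or re.search(r"\s", f) for f in fields):
        errors.append("every argument must be a single non-empty token")
    command = None if errors else "execute certificate local import automated " + " ".join(fields)
    return errors, warnings, command


if __name__ == "__main__":
    # The page's own example: valid, but it triggers both warnings.
    print(check_args("ACME-test", "test.com", "test@fortinet.com",
                     "RSA", "2048", "null", "null", "null", 3))
```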

Fulfilling the ACME DNS-01 challenge

The DNS-01 challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name.

After you have executed the CLI command to import your automated local certificate, the ACME DNS challenge information is generated. With this information, you will configure your Public DNS Service to create the TXT record.

Certificates generated by the ACME DNS-01 challenge cannot be renewed automatically. Please manually renew the certificate before it expires.

To add the DNS challenge information to the Public DNS Service:
  1. Obtain the ACME DNS challenge information using either of the following methods.
    • After you have executed the CLI command to import your automated local certificate, you will be shown the challenge information. Save this information for use later.
    • If you missed the above information in the CLI, then you can view the information in the GUI.
      In the Local Certificate page, locate the local certificate record and click the (View icon) to see the details.
  2. Log in to your DNS service provider and go to your DNS Domain management page.
  3. Add a record and input the challenge information into the corresponding fields.

    Name: _ACME-CHALLENGE is a fixed value.
    Type: Set the record type as TXT.
    TTL: Set this to the default value.
    Target: Paste the content from your ACME DNS-01 challenge information.
  4. Save the changes.
    The DNS configuration changes may take several minutes to take effect.

The ACME provider will then query the DNS system for that record to find a match. If there is a match, the ACME certificate passes validation (certificate status will progress from Pending → OK). However, if the record is not found within the specified challenge wait time then the certificate validation fails (certificate status is Fail).

If the certificate validation fails, then you will need to delete the record and import a new automated local certificate to try again.

It is recommended to set a longer challenge wait time to allow enough time for the DNS configuration changes to take effect. If the DNS configuration changes have not taken effect at the time the ACME provider queries the DNS system for the TXT record, then the validation will fail. Various factors may influence the speed of the DNS (such as the DNS service provider, network speed, network traffic), so the DNS configuration changes may take as long as 20 minutes to take effect.
