execute certificate local import automated

Use this command to import local certificates using the ACME protocol to get SSL/TLS certificates from Let's Encrypt or other ACME providers.

As part of the certificate importing functionality, FortiADC supports the Automatic Certificate Management Environment (ACME) protocol for automating the interactions between certificate authorities (CAs) and their users' web servers.

Certificates imported through Let's Encrypt have a ninety-day lifetime (which may differ from other ACME providers). These certificates must be renewed prior to expiration. FortiADC supports the TLS-ALPN-01 and DNS-01 challenge types. The TLS-ALPN-01 challenge supports automatic certificate renewal. The DNS-01 challenge requires manual certificate renewal; however, only the DNS-01 challenge can issue certificates containing wildcard domain names.

Before you begin:
  • You must have Read-Write permission for System settings.

Syntax

execute certificate local import automated <cert_name> <domain> <email> <key_type> {RSA|ECDSA} <key_size> {<key_size>|<curve_name>} <password> <server_url> <ca_group> <challenge_type> {tls-alpn-01|dns-01} {<renew_win>|<challenge_wait>}

Execute Parameter

Description

<cert_name>

Specify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.

Note: If the challenge_type is tls-alpn-01, the cert_name must match the name of the "placeholder" certificate that is linked to the HTTPS virtual server. For details, see Fulfilling the ACME TLS-ALPN-01 challenge.

<domain>

Specify the web server domain to be protected by the certificate.

Note: If the challenge_type is tls-alpn-01, the domain must be from the HTTPS virtual server that is linked to the "placeholder" certificate. For details, see Fulfilling the ACME TLS-ALPN-01 challenge.

<email>

Enter the email address that will receive notifications regarding the status of the certificate.

Depending on the ACME service provider you use, you may receive a notification when the certificate request has been approved through the Certificate Services or when the certificate is due to expire.

<key_type>

Select either of the following key types:

  • RSA
  • ECDSA

Note: If the challenge_type is tls-alpn-01, the key_type must match the key type of the "placeholder" certificate that is linked to the HTTPS virtual server. For details, see Fulfilling the ACME TLS-ALPN-01 challenge.

<key_size>

Specify the key_size if the key_type is RSA.

Select one of the following key sizes:

  • 2048

  • 3072

  • 4096

<curve_name>

Specify the curve_name if the key_type is ECDSA.

Select one of the following curve names:

  • P256

  • P384

  • P521

<password>

Specify the password to decrypt the file. If the file was encrypted by a password when generated, the same password must be provided when the file is imported to FortiADC. If the file was generated without a password, there is no need to specify a password when importing the file to FortiADC. Enter null if there is no password.

<server_url>

To use Let's Encrypt as the ACME provider, enter null as the server_url.

To use other ACME providers, such as Buypass AS, specify the URL of the ACME server. The ACME request URL must begin with "https://".

Once you have chosen an ACME service provider, provide its ACME server URL so that FortiADC can connect to it. FortiADC then acts as the ACME client: it sends the ACME request to that server and receives the issued certificate and key from it.

Note: The ACME server URL is unique to the ACME service provider. Please refer to the documentation from your ACME provider for further information.

<ca_group>

Specify the name of the CA Group. FortiADC will use the CA certificate in the CA Group to verify the certificate sent by the ACME provider. Enter null to skip verification of the ACME provider's certificate.

<challenge_type>

The ACME server requires validation that you control the domain names in the certificate using "challenges" as defined by the ACME standard. FortiADC supports the TLS-ALPN-01 and DNS-01 challenge types.

Select either of the following challenge types:

  • tls-alpn-01 — The TLS-ALPN-01 challenge supports automatic certificate renewal. However, this method cannot be used to validate wildcard domains. To use this challenge type, you will need to make preparations to fulfill the challenge before completing the certificate import configurations (for details, see Fulfilling the ACME TLS-ALPN-01 challenge).

  • dns-01 — The DNS-01 challenge can be used to issue certificates containing wildcard domain names. To use this challenge type, you will need to take steps to fulfill the challenge after completing the certificate import configurations (for details, see Fulfilling the ACME DNS-01 challenge). Certificates imported using the DNS-01 challenge need to be manually renewed.

<renew_win>

Specify the renew_win if the challenge_type is tls-alpn-01.

Specify a renew window (in minutes) to automatically renew the certificate before it expires. (Range: 0-43200 minutes). Setting the renew window to 0 will disable the automatic certificate renewal.

<challenge_wait>

Specify the challenge_wait if the challenge_type is dns-01.

Specify the ACME DNS-01 challenge wait time in minutes. (Range: 1-1440 minutes).

The ACME DNS-01 challenge wait time refers to the amount of time you will have to fulfill the DNS-01 challenge. A longer challenge wait time is recommended to ensure enough time is allotted to perform the required Public DNS configuration changes and for the changes to take effect.

For more information, see Fulfilling the ACME DNS-01 challenge.

Example

FortiADC # execute certificate local import automated ACME-test test.com test@fortinet.com RSA 2048 null null null dns-01 3

Done.

FortiADC # execute certificate local import automated ACME-test test.com test@fortinet.com ECDSA P521 null null null tls-alpn-01 15

Done.
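As an added example (not Fortinet's code), the following Python helper assembles the command line shown above and rejects arguments that violate the constraints listed in the parameter table. The allowed character set for cert_name is an assumption, since the reference only says no spaces or special characters.

```python
"""Assemble the FortiADC 'execute certificate local import automated' command
from the constraints in this reference. Added example, not Fortinet code: it
only builds and checks the string; paste the result into the FortiADC CLI."""
import re

RSA_KEY_SIZES = ("2048", "3072", "4096")
ECDSA_CURVES = ("P256", "P384", "P521")
# Assumption: "no spaces or special characters" is read as letters, digits,
# '_' and '-' (the page's own example name, ACME-test, contains a hyphen).
CERT_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,35}")


def build_import_command(cert_name, domain, email, key_type, key_param,
                         challenge_type, window, password="null",
                         server_url="null", ca_group="null"):
    """Return the full CLI line, or raise ValueError for any argument that
    violates a rule documented for this command. `window` is renew_win
    (tls-alpn-01) or challenge_wait (dns-01), in minutes."""
    if not CERT_NAME_RE.fullmatch(cert_name):
        raise ValueError("cert_name: 1-35 letters, digits, '_' or '-'")
    # key_size applies to RSA, curve_name to ECDSA; nothing else is accepted
    if key_type == "RSA" and key_param not in RSA_KEY_SIZES:
        raise ValueError(f"RSA key_size must be one of {RSA_KEY_SIZES}")
    if key_type == "ECDSA" and key_param not in ECDSA_CURVES:
        raise ValueError(f"ECDSA curve_name must be one of {ECDSA_CURVES}")
    if key_type not in ("RSA", "ECDSA"):
        raise ValueError("key_type must be RSA or ECDSA")
    # null selects Let's Encrypt; any other ACME directory must be https://
    if server_url != "null" and not server_url.startswith("https://"):
        raise ValueError("server_url must be null or begin with https://")
    if challenge_type == "tls-alpn-01":
        # TLS-ALPN-01 cannot validate wildcard names; renew_win 0 disables
        # automatic renewal, the maximum is 43200 minutes (30 days)
        if domain.startswith("*."):
            raise ValueError("tls-alpn-01 cannot validate wildcard domains")
        if not 0 <= window <= 43200:
            raise ValueError("renew_win must be 0-43200 minutes")
    elif challenge_type == "dns-01":
        # challenge_wait is how long you get to publish the TXT record
        if not 1 <= window <= 1440:
            raise ValueError("challenge_wait must be 1-1440 minutes")
    else:
        raise ValueError("challenge_type must be tls-alpn-01 or dns-01")
    return " ".join(["execute certificate local import automated", cert_name,
                     domain, email, key_type, key_param, password, server_url,
                     ca_group, challenge_type, str(window)])


def import_error(*args, **kwargs):
    """Validation message for the given arguments, or None when they pass."""
    try:
        build_import_command(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Reproduces the two invocations from the Example section above.
    print(build_import_command("ACME-test", "test.com", "test@fortinet.com",
                               "RSA", "2048", "dns-01", 3))
    print(build_import_command("ACME-test", "test.com", "test@fortinet.com",
                               "ECDSA", "P521", "tls-alpn-01", 15))
```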

Fulfilling the ACME DNS-01 challenge

The DNS-01 challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name.

After you have executed the CLI command to import your automated local certificate, the ACME DNS challenge information is generated. With this information, you will configure your Public DNS Service to create the TXT record.

Certificates generated by the ACME DNS-01 challenge cannot be renewed automatically. Please manually renew the certificate before it expires.

To add the DNS challenge information as a record in the Public DNS Service:
  1. Obtain the ACME DNS challenge information using either of the following methods.
    • After you have executed the CLI command to import your automated local certificate, you will be shown the challenge information. Save this information for use later.
    • If you missed the above information in the CLI, then you can view the information in the GUI.
      In the Local Certificate page, locate the local certificate record and click the View icon to see the details.
  2. Log in to your DNS service provider and go to your DNS Domain management page.
  3. Add a record and input the challenge information into the corresponding fields.

    Name: _ACME-CHALLENGE (this is a fixed value).
    Type: set the record type to TXT.
    TTL: leave this at the default value.
    Target: paste the content from your ACME DNS-01 challenge information.
  4. Save the changes.
    The DNS configuration changes may take several minutes to take effect.

The ACME provider will then query the DNS system for that record to find a match. If there is a match, the ACME certificate passes validation (certificate status will progress from Pending → OK). However, if the record is not found within the specified challenge wait time then the certificate validation fails (certificate status is Fail).

If the certificate validation fails, then you will need to delete the record and import a new automated local certificate to try again.

It is recommended to set a longer challenge wait time to allow enough time for the DNS configuration changes to take effect. If the DNS configuration changes have not taken effect at the time the ACME provider queries the DNS system for the TXT record, then the validation will fail. Various factors may influence the speed of the DNS (such as the DNS service provider, network speed, network traffic), so the DNS configuration changes may take as long as 20 minutes to take effect.
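As an added example (not Fortinet's code), this Python helper checks from outside FortiADC that the _ACME-CHALLENGE TXT record has become visible in public DNS before the challenge wait time runs out, so a failed validation can be caught and the record fixed rather than discovered only as a Fail status. It assumes the dig utility is installed for live lookups; the challenge value used in its test is constructed, not a real token.

```python
"""Verify that the TXT record for a FortiADC DNS-01 challenge is visible in
public DNS before the configured challenge_wait expires. Added example, not
Fortinet code. Assumes the 'dig' utility is installed for live lookups; the
resolver is injectable so the logic can also be exercised offline."""
import subprocess
import time


def challenge_record_name(domain):
    """Owner name the ACME provider queries. A wildcard '*.example.com' is
    validated at the base name, so the '*.' prefix is dropped."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.')}."


def normalize_txt(raw_values):
    """Turn dig's quoted TXT output (for example '"abc" "def"') into the bare
    record values the ACME provider compares against."""
    values = set()
    for raw in raw_values:
        chunks = raw.strip().split('" "')
        values.add("".join(c.strip().strip('"') for c in chunks))
    return values


def dig_txt(name):
    """Live resolver: one 'dig +short TXT <name>' call, one line per record."""
    result = subprocess.run(["dig", "+short", "TXT", name],
                            capture_output=True, text=True, timeout=15)
    return [line for line in result.stdout.splitlines() if line.strip()]


def record_present(domain, expected, resolve=dig_txt):
    """True when `expected` (the Target from the challenge information) is
    among the TXT values currently published at the challenge name."""
    return expected in normalize_txt(resolve(challenge_record_name(domain)))


def wait_for_record(domain, expected, challenge_wait_min, resolve=dig_txt,
                    interval_s=30, sleep=time.sleep, clock=time.monotonic):
    """Poll until the record appears, or stop once the next poll would fall
    outside challenge_wait (minutes, the value given to the import command).
    Returns (found, number_of_lookups)."""
    start = clock()
    lookups = 0
    while True:
        lookups += 1
        if record_present(domain, expected, resolve):
            return True, lookups
        if clock() - start + interval_s > challenge_wait_min * 60:
            return False, lookups
        sleep(interval_s)


if __name__ == "__main__":
    import sys
    # Usage: python check_dns01.py <domain> <challenge-value> <challenge_wait_min>
    found, n = wait_for_record(sys.argv[1], sys.argv[2], int(sys.argv[3]))
    print(f"{'visible' if found else 'NOT visible'} after {n} lookup(s)")
    sys.exit(0 if found else 1)
```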

Fulfilling the ACME TLS-ALPN-01 challenge

In FortiADC, the TLS-ALPN-01 challenge is fulfilled by the ACME server validating control of the domain name: it connects to the virtual server at one of the addresses the domain name resolves to. To make this possible, a certificate is linked to an HTTPS virtual server whose IP address the domain resolves to, and FortiADC then generates a temporary certificate to answer the validation.

Before configuring an automated certificate using the TLS-ALPN-01 challenge, you must set up the following:

  • A valid local certificate that functions as a placeholder

  • An HTTPS virtual server to link the placeholder certificate

Once the placeholder certificate has been linked to the HTTPS virtual server, you will then use the placeholder certificate name and the domain name from the virtual server to import the automated certificate using the TLS-ALPN-01 challenge. This automated certificate then replaces the placeholder certificate, taking over its link to the HTTPS virtual server so that the TLS-ALPN-01 challenge can be fulfilled.

To prepare the placeholder certificate and HTTPS virtual server for the ACME TLS-ALPN-01 challenge:
  1. Generate or import a local certificate. This certificate must be valid (Status is OK). Ensure the Key Type of this placeholder certificate matches the automated certificate you intend to import. For example, if the placeholder certificate is RSA, then the automated certificate you will be importing must also be RSA. Record the certificate name for use in later steps. For details, see execute certificate local or execute certificate local import automated.
    Note: If importing a local certificate, you should only import the following certificate types: Certificate, PKCS12 Certificate and Local CSR Certificate. As the placeholder certificate must be valid, it is not recommended to use an Automated certificate type for this purpose since this type of certificate cannot be valid until the ACME challenge is fulfilled.
  2. Create a local certificate group and add the placeholder certificate you have created previously under this certificate group. Specify the placeholder certificate as the local certificate configuration. Record the certificate group name for use in later steps. For details, see config system certificate local_cert_group.
  3. Create a Client SSL profile and add the certificate group you have created previously as the local certificate group. Record the Client SSL profile name for use in later steps. For details, see config load-balance client-ssl-profile.
  4. Create an HTTPS virtual server. Apply the Client SSL profile you have created previously. For details, see config load-balance virtual-server.
    The Address of this HTTPS virtual server must be associated to a domain to ensure it can be reached by the ACME provider. It is recommended that this domain be registered at a DNS service provider so you can set the domain to point to a specific IP address. Record the domain for use in later steps.
  5. Import the automated certificate using the TLS-ALPN-01 challenge type.
    Input the information for the following settings according to the guidelines below. For detailed steps, see execute certificate local import automated.

    Setting

    Guideline

    <cert_name>

    The name must match the name of the placeholder certificate. Once this automated certificate configuration is completed, it will replace the placeholder certificate.

    <domain>

    Input the domain of the HTTPS virtual server that has been linked to the placeholder certificate. The ACME provider will reach this domain that points to the HTTPS virtual server IP address.

    <key_type>

    The Key Type must match the placeholder certificate.
