Support Β· Installation Β· License Β· Related Integrations
The Fortigate Orchestrator Extension supports the following use cases:
- Inventory of local user and factory cerificates
- Ability to add new local certificates
- Ability to replace bound* and unbound local user certificates (usually after renewal in Keyfactor Command)
- Ability to delete unbound local user certificates
The Fortigate Orchestrator Extension DOES NOT support the following use cases:
- The renewal or removal of certificates enrolled through the internal Fortigate CA
- The renewal or removal of factory certificates
- The removal of ANY certificate bound to a Fortigate object
- Certificate enrollment using the internal Fortigate CA (Keyfactor's "reenrollment" or "on device key generation" use case)
* Because the Fortigate API does not allow for updating certificates in place, and to avoid temporary outages, when replacing local certificates that are bound, it is necessary to create a new name (alias) for the certificate. The new name is created using the first 8 characters of the previous name (larger names truncated due to Fortigate name length constraints) allong with a suffix comprised of "--" and a 15 character hash of the current date/time. The replaced certificate with the old name is then removed from the Fortigate instance. For example, a bound certificate with the name "CertName" would be replaced and the name would then be "CertName--8DD76A97A98E4C1". The existing bindings would remain in place with the new name. At no point during the management job would any of the bound objects be left without a valid certificate binding. Currently, the ability to renew bound certificates is limited to these binding types:
- The HTTPS server certificate found under Global, System => Settings
- The VPN server certificate found under Root, VPN => SSL-VPN Settings
This integration is compatible with Keyfactor Universal Orchestrator version 10.1 and later.
The Fortigate Universal Orchestrator extension is community open source and there is no SLA. Keyfactor will address issues as resources become available.
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute bug fixes or additional enhancements, use the Pull requests tab.
Before installing the Fortigate Universal Orchestrator extension, we recommend that you install kfutil. Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.
The Fortigate Orchestrator Extension requires an API token be created in the Fortigate environment being managed. Please review the following instructions for creating an API token to be used in this integration.
To use the Fortigate Universal Orchestrator extension, you must create the Fortigate Certificate Store Type. This only needs to happen once per Keyfactor Command instance.
| Operation | Is Supported |
|---|---|
| Add | β Checked |
| Remove | β Checked |
| Discovery | π² Unchecked |
| Reenrollment | π² Unchecked |
| Create | π² Unchecked |
kfutil is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on kfutil check out the docs
Click to expand Fortigate kfutil details
This will reach out to GitHub and pull the latest store-type definition
# Fortigate
kfutil store-types create FortigateIf required, it is possible to create store types from the integration-manifest.json included in this repo. You would first download the integration-manifest.json and then run the following command in your offline environment.
kfutil store-types create --from-file integration-manifest.jsonBelow are instructions on how to create the Fortigate store type manually in the Keyfactor Command Portal
Click to expand manual Fortigate details
Create a store type called Fortigate with the attributes in the tables below:
| Attribute | Value | Description |
|---|---|---|
| Name | Fortigate | Display name for the store type (may be customized) |
| Short Name | Fortigate | Short display name for the store type |
| Capability | Fortigate | Store type name orchestrator will register with. Check the box to allow entry of value |
| Supports Add | β Checked | Check the box. Indicates that the Store Type supports Management Add |
| Supports Remove | β Checked | Check the box. Indicates that the Store Type supports Management Remove |
| Supports Discovery | π² Unchecked | Indicates that the Store Type supports Discovery |
| Supports Reenrollment | π² Unchecked | Indicates that the Store Type supports Reenrollment |
| Supports Create | π² Unchecked | Indicates that the Store Type supports store creation |
| Needs Server | π² Unchecked | Determines if a target server name is required when creating store |
| Blueprint Allowed | β Checked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | π² Unchecked | Determines if underlying implementation is PowerShell |
| Requires Store Password | β Checked | Enables users to optionally specify a store password when defining a Certificate Store. |
| Supports Entry Password | π² Unchecked | Determines if an individual entry within a store can have a password. |
The Basic tab should look like this:
| Attribute | Value | Description |
|---|---|---|
| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
| Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
For Keyfactor Command versions 24.4 and later, a Certificate Format dropdown is available with PFX and PEM options. Ensure that PFX is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:
| Name | Display Name | Description | Type | Default Value/Options | Required |
|---|
The Custom Fields tab should look like this:
-
Download the latest Fortigate Universal Orchestrator extension from GitHub.
Navigate to the Fortigate Universal Orchestrator extension GitHub version page. Refer to the compatibility matrix below to determine whether the
net6.0ornet8.0asset should be downloaded. Then, click the corresponding asset to download the zip archive.Universal Orchestrator Version Latest .NET version installed on the Universal Orchestrator server rollForwardcondition inOrchestrator.runtimeconfig.jsonfortigate-orchestrator.NET version to downloadOlder than 11.0.0net6.0Between 11.0.0and11.5.1(inclusive)net6.0net6.0Between 11.0.0and11.5.1(inclusive)net8.0Disablenet6.0Between 11.0.0and11.5.1(inclusive)net8.0LatestMajornet8.011.6and newernet8.0net8.0Unzip the archive containing extension assemblies to a known location.
Note If you don't see an asset with a corresponding .NET version, you should always assume that it was compiled for
net6.0. -
Locate the Universal Orchestrator extensions directory.
- Default on Windows -
C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions - Default on Linux -
/opt/keyfactor/orchestrator/extensions
- Default on Windows -
-
Create a new directory for the Fortigate Universal Orchestrator extension inside the extensions directory.
Create a new directory called
fortigate-orchestrator.The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory.
-
Copy the contents of the downloaded and unzipped assemblies from step 2 to the
fortigate-orchestratordirectory. -
Restart the Universal Orchestrator service.
Refer to Starting/Restarting the Universal Orchestrator service.
-
(optional) PAM Integration
The Fortigate Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider.
To configure a PAM provider, reference the Keyfactor Integration Catalog to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote).
The above installation steps can be supplemented by the official Command documentation.
Click to expand details
-
Navigate to the Certificate Stores page in Keyfactor Command.
Log into Keyfactor Command, toggle the Locations dropdown, and click Certificate Stores.
-
Add a Certificate Store.
Click the Add button to add a new Certificate Store. Use the table below to populate the Attributes in the Add form.
Attribute Description Category Select "Fortigate" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine The IP address or DNS of the Fortigate server Store Path This is not used in this integration, but is a required field in the UI. Just enter any value here Store Password Enter the Fortigate API Token here Orchestrator Select an approved orchestrator capable of managing Fortigatecertificates. Specifically, one with theFortigatecapability.
Click to expand details
-
Generate a CSV template for the Fortigate certificate store
kfutil stores import generate-template --store-type-name Fortigate --outpath Fortigate.csv
-
Populate the generated CSV file
Open the CSV file, and reference the table below to populate parameters for each Attribute.
Attribute Description Category Select "Fortigate" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine The IP address or DNS of the Fortigate server Store Path This is not used in this integration, but is a required field in the UI. Just enter any value here Store Password Enter the Fortigate API Token here Orchestrator Select an approved orchestrator capable of managing Fortigatecertificates. Specifically, one with theFortigatecapability. -
Import the CSV file to create the certificate stores
kfutil stores import csv --store-type-name Fortigate --file Fortigate.csv
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
If a PAM provider was installed on the Universal Orchestrator in the Installation section, the following parameters can be configured for retrieval on the Universal Orchestrator.
| Attribute | Description |
|---|---|
| StorePassword | Enter the Fortigate API Token here |
Please refer to the Universal Orchestrator (remote) usage section (PAM providers on the Keyfactor Integration Catalog) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
Any secret can be rendered by a PAM provider installed on the Keyfactor Command server. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
The content in this section can be supplemented by the official Command documentation.
Apache License 2.0, see LICENSE.