
[OCI] Generate custom certificates for API calls in OCI


    Posted 11-08-2018 07:55

    Following this article on "how to configure OCI SDN connector", it is not explained how we get the custom certificate for the API or how to retrieve the public_key.pem file from the Fortinet_Factory.cer certificate. It appeared it was not so simple when you do not know the proper commands.

    - If you simply want to retrieve the public_key.pem from the Fortinet_factory.cer file, use the following debug command on the FortiGate CLI:
    #diag oci pubkey <connector name> 

    - If you want to create a custom certificate for that purpose:
    1. Generate a .pem private key for OCI on any Linux device (e.g. your own Linux PC):
    #openssl genrsa -out oci_api_key.pem -aes128 2048 

    2. Generate the public key .pem from that private key file:
    #openssl rsa -pubout -in oci_api_key.pem -out oci_api_key_public.pem
    => You now have all the keys for OCI. Let's get the certificate file your FortiGate needs.

    3. Extract the private key oci_api_key.key from the .pem private key. This file is required to import a local certificate on the FGT:
    #openssl rsa -check -inform PEM -in oci_api_key.pem -out oci_api_key.key

    4. Now use this private key .key file to create the corresponding X.509 .crt certificate file required by the FGT:
    #openssl req -new -x509 -key oci_api_key.key > oci_key_crt.crt

    => That's it!

    You now have "oci_api_key_public.pem" to upload to the user's public key profile, and the key "oci_api_key.key" plus the X.509 certificate "oci_key_crt.crt" to import via FortiGate > System > Certificates > Import > Local Certificate. 


    Emmanuel [LastName] [Designation]
    [City] [State]
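The four steps of the post, run end to end as a non-interactive script, plus the check a practitioner wants before touching the FortiGate: that the public key uploaded to OCI and the public key inside the certificate imported on the FGT are the same key. This is an added example, not code from the post or from Fortinet or Oracle. It assumes a POSIX shell with `openssl` (1.1 or 3.x) on PATH; the directory, passphrase and the subject `/CN=fortigate-oci-api` are placeholders. The comparison uses the colon-separated MD5 of the DER-encoded public key, which is the fingerprint format OCI displays next to an uploaded API key, so the value printed here can be compared against the OCI console.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl on PATH.
# Builds the OCI API key pair and the FortiGate certificate/key pair
# non-interactively, then proves both sides carry the same public key.
set -eu

# generate_oci_keys DIR PASSPHRASE
# Produces in DIR the same four files as the post:
#   oci_api_key.pem         encrypted private key (kept on your workstation)
#   oci_api_key_public.pem  public key to upload to the OCI user's API Keys
#   oci_api_key.key         unencrypted private key for the FGT local-cert import
#   oci_key_crt.crt         self-signed X.509 certificate for the FGT import
generate_oci_keys() {
    dir="$1"; pass="$2"
    mkdir -p "$dir"
    # Step 1: AES-128 protected RSA-2048 key; -passout replaces the prompt
    openssl genrsa -aes128 -passout "pass:$pass" \
        -out "$dir/oci_api_key.pem" 2048 2>/dev/null
    # Step 2: public key in PEM, the file OCI wants
    openssl rsa -passin "pass:$pass" -in "$dir/oci_api_key.pem" \
        -pubout -out "$dir/oci_api_key_public.pem" 2>/dev/null
    # Step 3: sanity-check the key with -noout, then write the unencrypted copy.
    # Done as two commands on purpose: "openssl rsa -check -out FILE" writes the
    # line "RSA key ok" into FILE ahead of the PEM block.
    openssl rsa -check -noout -passin "pass:$pass" \
        -in "$dir/oci_api_key.pem" >/dev/null 2>&1
    openssl rsa -passin "pass:$pass" -in "$dir/oci_api_key.pem" \
        -out "$dir/oci_api_key.key" 2>/dev/null
    # Step 4: self-signed certificate over that key; -subj replaces the prompts
    openssl req -new -x509 -days 3650 -key "$dir/oci_api_key.key" \
        -subj "/CN=fortigate-oci-api" -out "$dir/oci_key_crt.crt" 2>/dev/null
}

# pubkey_der FILE KIND -> DER-encoded SubjectPublicKeyInfo on stdout
# KIND: pem (public key file), key (private key file), crt (X.509 certificate)
pubkey_der() {
    case "$2" in
        pem) openssl rsa -pubin -in "$1" -pubout -outform DER ;;
        key) openssl rsa -in "$1" -pubout -outform DER ;;
        crt) openssl x509 -in "$1" -pubkey -noout \
                 | openssl rsa -pubin -pubout -outform DER ;;
        *)   return 1 ;;
    esac
}

# pubkey_fingerprint FILE KIND -> "aa:bb:...:ff" (MD5 of the DER public key,
# the format OCI shows for an uploaded API key)
pubkey_fingerprint() {
    pubkey_der "$1" "$2" 2>/dev/null | openssl dgst -md5 -c | sed 's/^.*= //'
}

# keys_match DIR -> exit 0 only if the OCI public key, the FGT private key and
# the FGT certificate all carry the same public key
keys_match() {
    a=$(pubkey_fingerprint "$1/oci_api_key_public.pem" pem)
    b=$(pubkey_fingerprint "$1/oci_api_key.key" key)
    c=$(pubkey_fingerprint "$1/oci_key_crt.crt" crt)
    [ -n "$a" ] && [ "$a" = "$b" ] && [ "$b" = "$c" ]
}

# Usage: sh oci_keys.sh --demo   (scratch key set in a temp dir, prints fingerprints)
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    generate_oci_keys "$work" "change-me"
    echo "OCI side (oci_api_key_public.pem): $(pubkey_fingerprint "$work/oci_api_key_public.pem" pem)"
    echo "FGT side (oci_key_crt.crt):        $(pubkey_fingerprint "$work/oci_key_crt.crt" crt)"
    keys_match "$work" && echo "public keys match; files are in $work"
fi
```

The fingerprint printed for `oci_api_key_public.pem` is what the OCI console lists under the user's API Keys after upload; if it differs from the certificate's, the FortiGate will sign API requests with a key OCI does not know and every call will be rejected, so check it before importing. Note that `oci_api_key.key` is written unencrypted because that is what the FGT import takes; delete it from the workstation once it has been imported.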