Topic Thread

[OCI] Generate custom certificates for API calls in OCI

  • 1.  [OCI] Generate custom certificates for API calls in OCI

    Posted 6 days ago

    Following this article on "how to configure OCI SDN connector", it is not explained how we get the custom certificate for the API or the way to retrieve the public_key.pem file from the Fortinet_Factory.cer certificate. It appeared it was not so simple when you do not know the proper commands.

    - If you simply want to retrieve the public_key.pem out from the Fortinet_factory.cer file, please use the following debug command on the fortigate Cli:
    #diag oci pubkey <connector name>

    - If you want to create a custom certificate for that purpose:
    1. generate .pem private key for OCI on any linux device (Ex: your own linux PC)
    #openssl genrsa -out oci_api_key.pem -aes128 2048

    2. generate public key .pem from that private key file
    #openssl rsa -pubout -in oci_api_key.pem -out oci_api_key_public.pem
    => you now have all the keys for OCI. Let's get the useful certificate file for your FortiGate.

    3. extract the private key oci_api_key.key from the .pem private key. This file is required to import local certificate on FGT.
    #openssl rsa -check -inform PEM -in oci_api_key.pem -out oci_api_key.key

    4. Now use this private key .key file to create the corresponding x509 .crt certificate file required by the FGT
    #openssl req -new -x509 -key oci_api_key.key > oci_key_crt.crt

    => That's it !

    You now have the "oci_api_key_public.pem" to upload to the user's public key profile. And the key "oci_api_key.key" and certificate x509 "oci_key_crt.crt" to import from the Fortigate > system > certificates > import > local Certificate. 


    Emmanuel [LastName] [Designation]
    [City] [State]