Create a new Fortinet FortiGATE machine¶
Creating a new machine is the initial step in enabling Certificate Manager - SaaS to connect directly to application keystores for certificate management. Once you have created machines, you can move on to provisioning certificates to those machines.
Before you begin¶
- FortiGATE hostname or IP address
- HTTPS management port (default: 443)
- At least one active VSatellite connection
- Minimum required credentials on the FortiGATE device: Choose between API token or username/password authentication.
- API Token authentication (recommended): A valid REST API token with required permissions. Optionally supports mutual TLS (mTLS) with a client certificate as a second factor.
- Username/Password authentication: Valid admin username and password with REST API access.
- A FortiGATE API user with the minimum required permissions to access the REST API:
- Read/Write access to certificate management
- Read/Write access to system configuration
- Read/Write access to firewall VIP configuration
- Read/Write access to VPN configuration
- Read/Write access to firewall SSL-SSH profiles
- (Optional) For multi-VDOM environments, ensure the API user has access to all VDOMs where certificates will be managed
Multi-VDOM support
The FortiGATE integration supports multi-VDOM environments. Discovery automatically detects all VDOMs and certificates in each VDOM are managed independently.
-
Enter the FortiGATE Hostname or IP Address.
-
Enter the HTTPS Management Port. The default port is 443.
-
From the Authentication Method drop-down, select either API Token or Username / Password.
Note
- API Token - Uses a REST API token for authentication. This method supports optional mutual TLS (mTLS) with a client certificate as a second factor.
- Username / Password - Uses session-based authentication with admin credentials.
-
Enter your authentication credentials based on the selected method:
If you selected API Token:
- Enter your FortiGATE API Token in the provided field.
- (Optional) For mutual TLS (mTLS), enter your Client Certificate (PEM, optional mTLS) and Client Private Key (PEM, optional mTLS). The client certificate acts as a second authentication factor when configured on the FortiGATE.
If you selected Username / Password:
-
From the Credential Type drop-down, select either Enter Credentials or Select Credentials. Only users with the enabled "CyberArk shared credential" capability will see this option.
Important
Your view of credentials may be limited due to your role. System Administrators and PKI Administrators should be able to select any credential, but users with the Resource Owner role are limited to only using the credentials associated with their teams.
Note
- Enter Credentials - Is used to enter your admin credentials manually.
- Select Credentials - Is used to select your shared credentials from CyberArk.
- If you choose Enter Credentials, enter your FortiGATE admin Username and Password in the provided fields.
- If you choose Select Credentials, from the Credential drop-down, select your shared credentials.
Warning
Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
-
(Optional) Toggle Skip TLS Certificate Verification to enabled if your FortiGATE uses a self-signed certificate for its management interface. This option is disabled by default, meaning TLS certificates are verified.
Note
When TLS verification is skipped, the connection is still encrypted but the server certificate is not validated. Only skip verification if your FortiGATE uses a self-signed or untrusted management certificate.
-
Click Test Access, then click Continue. Note that Continue is only enabled if the Test Access is successful.
What's next?¶
Refer back to Create a new machine to finish setting up your new machine by configuring Discovery and Provisioning scheduling.
For existing machines:
- Now that you have one or more machines created, you can provision certificates to those machines.
- You can also discover certificates on machines to enable easy tracking of certificates deployed to your machines.