https://github.com/keyfactor/fortigate-orchestrator

This integration is used to inventory and manage certificates in Fortigate.
https://github.com/keyfactor/fortigate-orchestrator

keyfactor-integration keyfactor-universal-orchestrator

Last synced: 2 months ago
JSON representation

This integration is used to inventory and manage certificates in Fortigate.

• Host: GitHub
• URL: https://github.com/keyfactor/fortigate-orchestrator
• Owner: Keyfactor
• License: apache-2.0
• Created: 2023-01-26T21:03:00.000Z (over 2 years ago)
• Default Branch: main
• Last Pushed: 2025-03-24T13:46:02.000Z (3 months ago)
• Last Synced: 2025-03-24T14:37:36.790Z (3 months ago)
• Topics: keyfactor-integration, keyfactor-universal-orchestrator
• Language: C#
• Homepage:
• Size: 173 KB
• Stars: 0
• Watchers: 3
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • License: LICENSE

Awesome Lists containing this project

README

        


    Fortigate Universal Orchestrator Extension





  













  

  

    Support

  

  ·

  

    Installation

  

  ·

  

    License

  

  ·

  

    Related Integrations

  



## Overview

The Fortigate Orchestrator Extension supports the following use cases:

1. Inventory of local user and factory cerificates

2. Ability to add new local certificates

3. Ability to renew **unbound** local user certificates

4. Ability to delete **unbound** local user certificates

The Fortigate Orchestrator Extension DOES NOT support the following use cases:

1. The renewal or removal of certificates enrolled through the internal Fortigate CA

2. The renewal or removal of factory certificates

3. The renewal or removal of ANY certificate bound to a Fortigate object

4. Certificate enrollment using the internal Fortigate CA (Keyfactor's "reenrollment" or "on device key generation" use case)

## Compatibility

This integration is compatible with Keyfactor Universal Orchestrator version 10.1 and later.

## Support

The Fortigate Universal Orchestrator extension is open source and community supported, meaning that there is **no SLA** applicable. 

 

> To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.

## Requirements & Prerequisites

Before installing the Fortigate Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.

The Fortigate Orchestrator Extension requires an API token be created in the Fortigate environment being managed.  Please review the following [instructions](https://docs.fortinet.com/document/forticonverter/7.0.1/online-help/866905/connect-fortigate-device-via-api-token) for creating an API token to be used in this integration.

## Create the Fortigate Certificate Store Type

To use the Fortigate Universal Orchestrator extension, you **must** create the Fortigate Certificate Store Type. This only needs to happen _once_ per Keyfactor Command instance.

* **Create Fortigate using kfutil**:

    ```shell

    # Fortigate

    kfutil store-types create Fortigate

    ```

* **Create Fortigate manually in the Command UI**:

    Create Fortigate manually in the Command UI

    Create a store type called `Fortigate` with the attributes in the tables below:

    #### Basic Tab

    | Attribute | Value | Description |

    | --------- | ----- | ----- |

    | Name | Fortigate | Display name for the store type (may be customized) |

    | Short Name | Fortigate | Short display name for the store type |

    | Capability | Fortigate | Store type name orchestrator will register with. Check the box to allow entry of value |

    | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |

    | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |

    | Supports Discovery | 🔲 Unchecked |  Indicates that the Store Type supports Discovery |

    | Supports Reenrollment | 🔲 Unchecked |  Indicates that the Store Type supports Reenrollment |

    | Supports Create | 🔲 Unchecked |  Indicates that the Store Type supports store creation |

    | Needs Server | 🔲 Unchecked | Determines if a target server name is required when creating store |

    | Blueprint Allowed | ✅ Checked | Determines if store type may be included in an Orchestrator blueprint |

    | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |

    | Requires Store Password | ✅ Checked | Enables users to optionally specify a store password when defining a Certificate Store. |

    | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |

    The Basic tab should look like this:

    ![Fortigate Basic Tab](docsource/images/Fortigate-basic-store-type-dialog.png)

    #### Advanced Tab

    | Attribute | Value | Description |

    | --------- | ----- | ----- |

    | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |

    | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |

    | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |

    The Advanced tab should look like this:

    ![Fortigate Advanced Tab](docsource/images/Fortigate-advanced-store-type-dialog.png)

    #### Custom Fields Tab

    Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:

    | Name | Display Name | Description | Type | Default Value/Options | Required |

    | ---- | ------------ | ---- | --------------------- | -------- | ----------- |

    The Custom Fields tab should look like this:

    ![Fortigate Custom Fields Tab](docsource/images/Fortigate-custom-fields-store-type-dialog.png)

    

## Installation

1. **Download the latest Fortigate Universal Orchestrator extension from GitHub.** 

    Navigate to the [Fortigate Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/fortigate-orchestrator/releases/latest). Refer to the compatibility matrix below to determine whether the `net6.0` or `net8.0` asset should be downloaded. Then, click the corresponding asset to download the zip archive.

    | Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `fortigate-orchestrator` .NET version to download |

    | --------- | ----------- | ----------- | ----------- |

    | Older than `11.0.0` | | | `net6.0` |

    | Between `11.0.0` and `11.5.1` (inclusive) | `net6.0` | | `net6.0` | 

    | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` | 

    | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` | 

    | `11.6` _and_ newer | `net8.0` | | `net8.0` |

    Unzip the archive containing extension assemblies to a known location.

    > **Note** If you don't see an asset with a corresponding .NET version, you should always assume that it was compiled for `net6.0`.

2. **Locate the Universal Orchestrator extensions directory.**

    * **Default on Windows** - `C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions`

    * **Default on Linux** - `/opt/keyfactor/orchestrator/extensions`

    

3. **Create a new directory for the Fortigate Universal Orchestrator extension inside the extensions directory.**

        

    Create a new directory called `fortigate-orchestrator`.

    > The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory.

4. **Copy the contents of the downloaded and unzipped assemblies from __step 2__ to the `fortigate-orchestrator` directory.**

5. **Restart the Universal Orchestrator service.**

    Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm).

6. **(optional) PAM Integration** 

    The Fortigate Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider.

    To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension, and follow the associated instructions to install it on the Universal Orchestrator (remote).

> The above installation steps can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions).

## Defining Certificate Stores

* **Manually with the Command UI**

    Create Certificate Stores manually in the UI

    1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**

        Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.

    2. **Add a Certificate Store.**

        Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.

        | Attribute | Description |

        | --------- | ----------- |

        | Category | Select "Fortigate" or the customized certificate store name from the previous step. |

        | Container | Optional container to associate certificate store with. |

        | Client Machine | The IP address or DNS of the Fortigate server |

        | Store Path | This is not used in this integration, but is a required field in the UI. Just enter any value here |

        | Orchestrator | Select an approved orchestrator capable of managing `Fortigate` certificates. Specifically, one with the `Fortigate` capability. |

        | Store Password | Enter the Fortigate API Token here |

        

        Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator

        If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.

        | Attribute | Description |

        | --------- | ----------- |

        | Store Password | Enter the Fortigate API Token here |

        Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.

        > Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself. 

        

        

    

* **Using kfutil**

    

    Create Certificate Stores with kfutil

    

    1. **Generate a CSV template for the Fortigate certificate store**

        ```shell

        kfutil stores import generate-template --store-type-name Fortigate --outpath Fortigate.csv

        ```

    2. **Populate the generated CSV file**

        Open the CSV file, and reference the table below to populate parameters for each **Attribute**.

        | Attribute | Description |

        | --------- | ----------- |

        | Category | Select "Fortigate" or the customized certificate store name from the previous step. |

        | Container | Optional container to associate certificate store with. |

        | Client Machine | The IP address or DNS of the Fortigate server |

        | Store Path | This is not used in this integration, but is a required field in the UI. Just enter any value here |

        | Orchestrator | Select an approved orchestrator capable of managing `Fortigate` certificates. Specifically, one with the `Fortigate` capability. |

        | Store Password | Enter the Fortigate API Token here |

        

        Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator

        If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.

        | Attribute | Description |

        | --------- | ----------- |

        | Store Password | Enter the Fortigate API Token here |

        > Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself. 

        

        

    3. **Import the CSV file to create the certificate stores** 

        ```shell

        kfutil stores import csv --store-type-name Fortigate --file Fortigate.csv

        ```

    

> The content in this section can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).

## License

Apache License 2.0, see [LICENSE](LICENSE).

## Related Integrations

See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator).