
Automated SSL certificate renewal for Fortinet FortiGate

FortiGate won't update a renewed certificate on its own. CertKit will.

A FortiGate uses certificates in several places: the admin GUI, the SSL VPN portal, IPSec (IKEv2) VPN, and the WiFi captive portal. When a certificate renews, none of those bindings refresh until someone imports the new certificate through FortiOS, re-selects it on each service, and saves. Every 47 days. On every FortiGate you manage.

CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your FortiGate devices automatically via the CertKit Agent and the FortiOS REST API, and binds it to whichever service you choose.


Built for FortiGate

Pre-built templates for the admin GUI, SSL VPN, IPSec, and captive portal ship in your CertKit account. No scripting required.

CertKit renews your FortiGate certificate for you. On every renewal it imports the new certificate and its CA chain, binds it to the service you picked, and removes the old certificate. No console clicks, no manual import, no maintenance window to schedule.

Pre-built templates for each binding ship with your CertKit account. Point CertKit at your firewall once and it handles every renewal after that. If you want to see or adjust exactly what runs, the full deployment script is right there in your account.

How it works

 Your network            CertKit                 ACME CA
┌───────────────────┐     ┌──────────────────┐    ┌─────────────┐
│  ┌─────────────┐  │     │                  │    │             │
│  │Deploy Agent │◄─┼─────┤  Issue & Renew   │◄──►│             │
│  └──┬────┬─────┘  │     │   Certificates   │    │             │
│     │    │FortiOS │     │                ┌───┐  └─────────────┘
│     │    │ REST   │     └───────────┬────│DNS│
│     ▼    ▼        │                 │    └───┘
│ ┌──────────────┐  │                 │
│ │ FortiGate    │  │                 │
│ │ [x] Imported │  │ ◄───────────────┘
│ │ [x] Bound    │  │       Verify
│ └──────────────┘  │
└───────────────────┘

CertKit issues and renews certificates centrally in the cloud using delegated DNS validation. You create a one-time CNAME record; CertKit handles every ACME challenge after that.

The deploy agent is a small service you run on a server inside your network. It makes an outbound HTTPS connection to CertKit to pull each renewed certificate, then connects to the FortiGate over the FortiOS REST API on your LAN to import the certificate, bind it to the service you chose, and remove superseded certificates. The firewall never talks to CertKit or the public internet directly, never runs ACME, needs no port 80 open, and never stores DNS credentials. One deploy agent can reach every FortiGate and other appliance on that network, so there's nothing to install on the firewalls themselves.

CertKit makes what many companies struggle with much easier to manage while at the same time providing great value compared to the traditional vendors in the space.

Ben Story, Managed Services Director, RedEye Network Solutions

Four places FortiGate uses a certificate

FortiGate doesn't have one certificate; it has several, each bound to a different service through a different part of the FortiOS API. CertKit ships a pre-built template for each. Pick the ones you use; the rest stay untouched.

Service               FortiOS setting
Admin GUI             system global, admin-server-cert
SSL VPN               vpn.ssl settings, servercert
IPSec VPN             phase1-interface, certificate
WiFi captive portal   user setting, auth-cert


Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Create a REST API admin. Under System → Administrators, create a REST API admin and grant its profile the permissions the binding needs, for example VPN and User & Device read/write for the captive portal. CertKit authenticates with the token, not a password.
  3. Install the CertKit Agent. One command on any Windows or Linux host with HTTPS reachability to the firewall. The agent runs as a background service and needs no inbound firewall rules.
  4. Add the FortiGate deployment script. Choose the template for the service you're securing, set your firewall hostname, scope, and API token. CertKit runs it on every renewal.


Why not import certificates manually?

The standard FortiOS renewal workflow is a GUI sequence: import the certificate under System → Certificates, then re-select it on the admin settings, the SSL VPN portal, each IPSec VPN, or the captive portal. That works once. Run it manually on a fleet of FortiGate firewalls, across every service that uses a certificate, every 47 days, and it becomes a source of outages, missed bindings, and expired portals discovered when a remote worker can't connect.

Running ACME directly on a firewall isn't really an option. Public CAs require HTTP-01 or DNS-01 validation, and neither is appropriate for a hardened security appliance. Storing DNS provider credentials on a firewall is a privilege escalation waiting to happen. Opening port 80 to the public on a perimeter device is worse.

The FortiOS API itself is fiddly: token auth, PEM imports with the CA chain split out and imported certificate by certificate, global versus VDOM scope, and a different binding endpoint for every service. We built and tested the deployment for each one so you don't have to. CertKit issues the certificate via delegated DNS validation, then the agent handles the import, the binding, and the cleanup as one verified step, with no ACME client on the firewall.
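To make the four bindings and the import sequence above concrete, here is an added illustration (not CertKit's deployment script and not Fortinet's own code) that splits a PEM bundle into leaf plus CA chain and builds the ordered REST calls an agent would issue: chain first, one certificate at a time, then the leaf with its key, then the binding for the chosen service, with global or VDOM scope selected by query string. The cmdb paths follow the settings listed on this page; the import endpoints under /api/v2/monitor/vpn-certificate/ and the exact body keys are assumptions, and the sample bundle is constructed placeholder text.

```python
import base64
import re

# Matches one PEM certificate block, including its BEGIN/END lines.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# The four bindings named on this page: service -> (cmdb path, setting key).
# Paths are assumed from the FortiOS settings the page lists.
BINDINGS = {
    "admin-gui":      ("system/global", "admin-server-cert"),
    "ssl-vpn":        ("vpn.ssl/settings", "servercert"),
    "ipsec-vpn":      ("vpn.ipsec/phase1-interface/{tunnel}", "certificate"),
    "captive-portal": ("user/setting", "auth-cert"),
}

# Constructed placeholder bundle: leaf first, then one intermediate CA.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE-PLACEHOLDER\n-----END CERTIFICATE-----\n"
)

def split_chain(bundle):
    """Return (leaf, [ca, ...]); the leaf is the first block in the bundle."""
    certs = PEM_CERT.findall(bundle)
    if not certs:
        raise ValueError("no PEM certificates found in bundle")
    return certs[0], certs[1:]

def plan_deploy(bundle, key_pem, cert_name, service, vdom=None, tunnel=None):
    """Return the ordered (method, path, body) calls an agent would issue.
    vdom=None targets global scope (?scope=global); otherwise ?vdom=<name>.
    Import endpoints under /api/v2/monitor/vpn-certificate/ are assumptions."""
    if service == "ipsec-vpn" and not tunnel:
        raise ValueError("ipsec-vpn binding needs the phase1-interface name")
    leaf, chain = split_chain(bundle)
    q = f"?vdom={vdom}" if vdom else "?scope=global"
    def b64(s): return base64.b64encode(s.encode()).decode()
    calls = []
    for ca in chain:  # FortiOS takes the CA chain one certificate at a time
        calls.append(("POST", f"/api/v2/monitor/vpn-certificate/ca/import{q}",
                      {"import_method": "file", "file_content": b64(ca)}))
    calls.append(("POST", f"/api/v2/monitor/vpn-certificate/local/import{q}",
                  {"type": "regular", "certname": cert_name,
                   "file_content": b64(leaf), "key_file_content": b64(key_pem)}))
    path, key = BINDINGS[service]
    path = path.format(tunnel=tunnel)  # only phase1-interface is per-tunnel
    value = [{"name": cert_name}] if service == "ipsec-vpn" else cert_name
    calls.append(("PUT", f"/api/v2/cmdb/{path}{q}", {key: value}))
    return calls

def auth_headers(token):
    """The REST API admin token rides in a bearer header; no password is used."""
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
```

Cleanup of the superseded certificate is a separate delete call after the binding succeeds, and is left out here.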

FortiGate is just one part of your network edge

Most networks have more than one place where TLS certificates live: F5 load balancers, VPN concentrators, web servers, and other firewall vendors like Palo Alto and SonicWall. CertKit automates all of it from one account.


Start automating FortiGate certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.
