Built for FortiGate
Pre-built templates for the admin GUI, SSL VPN, IPSec, and captive portal ship in your CertKit account. No scripting required.
A FortiGate uses certificates in several places: the admin GUI, the SSL VPN portal, IPSec (IKEv2) VPN, and the WiFi captive portal. When a certificate renews, none of those bindings refresh until someone imports the new certificate through FortiOS, re-selects it on each service, and saves. Every 47 days. On every FortiGate you manage.
CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your FortiGate devices automatically via the CertKit Agent and the FortiOS REST API, and binds it to whichever service you choose.
CertKit renews your FortiGate certificate for you. On every renewal it imports the new certificate and its CA chain, binds it to the service you picked, and removes the old certificate. No console clicks, no manual import, no maintenance window to schedule.
Pre-built templates for each binding ship with your CertKit account. Point CertKit at your firewall once and it handles every renewal after that. If you want to see or adjust exactly what runs, the full deployment script is right there in your account.
[Diagram: three columns, "Your network", "CertKit" and "ACME CA". In the CertKit column, "Issue & Renew Certificates" exchanges with the ACME CA and a "Verify" step points back at DNS in your network. In your network, a "Deploy Agent" pulls from CertKit and pushes over "FortiOS REST" to a "FortiGate" box marked "[x] Imported" and "[x] Bound".]
CertKit issues and renews certificates centrally in the cloud using delegated DNS validation. You create a one-time CNAME record; CertKit handles every ACME challenge after that.
The deploy agent is a small service you run on a server inside your network. It makes an outbound HTTPS connection to CertKit to pull each renewed certificate, then connects to the FortiGate over the FortiOS REST API on your LAN to import the certificate, bind it to the service you chose, and remove superseded certificates. The firewall never talks to CertKit or the public internet directly, never runs ACME, needs no port 80 open, and never stores DNS credentials. One deploy agent can reach every FortiGate and other appliance on that network, so there's nothing to install on the firewalls themselves.
CertKit makes what many companies struggle with much easier to manage while at the same time providing great value compared to the traditional vendors in the space.
Ben Story, Managed Services Director, RedEye Network Solutions
A FortiGate doesn't have one certificate; it has several, each bound to a different service through a different part of the FortiOS API. CertKit ships a pre-built template for each. Pick the ones you use; the rest stay untouched.
Imported certificates are named certkit_ plus an ID and thumbprint, so the same renewal is never imported twice and CertKit's certificates are easy to spot in the store.
Cleanup is limited to superseded certkit_ certificates. If one is still referenced by another service, it's left in place rather than forced, so a delete never breaks an unrelated binding.
The standard FortiOS renewal workflow is a GUI sequence: import the certificate under System → Certificates, then re-select it on the admin settings, the SSL VPN portal, each IPSec VPN, or the captive portal. That works once. Run it manually on a fleet of FortiGate firewalls, across every service that uses a certificate, every 47 days, and it becomes a source of outages, missed bindings, and expired portals discovered when a remote worker can't connect.
Running an ACME client directly on the firewall is a poor fit for a hardened security appliance. Public CAs validate domain control with HTTP-01 or DNS-01, and both put something on the perimeter device that shouldn't be there. DNS provider credentials stored on a firewall mean a firewall compromise becomes control of your DNS zone, and with it the ability to issue certificates for any name in it. Opening port 80 to the public on a perimeter device is worse.
The FortiOS API itself is fiddly: token auth, PEM imports with the CA chain split out and imported certificate by certificate, global versus VDOM scope, and a different binding endpoint for every service. We built and tested the deployment for each one so you don't have to. CertKit issues the certificate via delegated DNS validation, then the agent handles the import, the binding, and the cleanup as one verified step, with no ACME client on the firewall.
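To make the agent's import, bind and cleanup step concrete, here is an added example of the rotation logic, written for this page; it is not CertKit's deployment script or Fortinet code. The endpoint paths and field names (monitor/vpn-certificate/local/import, monitor/vpn-certificate/ca/import, cmdb/vpn.certificate/local, admin-server-cert on cmdb/system/global, servercert on cmdb/vpn.ssl/settings, Bearer token auth, the vdom query parameter) are the FortiOS 7.x REST API as publicly documented. Everything else is an assumption for illustration: the certkit_<id>_<12 hex of the SHA-256 thumbprint> name layout, the hostname fw.example.internal and token, the in-memory FakeFortiOS that stands in for a firewall so the code runs offline, and the PEM bodies, which are constructed placeholders rather than real certificates. IPSec and captive-portal bindings are left out; they would be two more entries in BINDINGS with their own endpoint and field.

```python
import base64, hashlib, re
from types import SimpleNamespace
from urllib.parse import quote, unquote

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def split_chain(bundle_pem):
    """Leaf first, then each CA as its own PEM block (FortiOS imports them one by one)."""
    blocks = [f"-----BEGIN CERTIFICATE-----\n{b.strip()}\n-----END CERTIFICATE-----\n"
              for b in PEM_RE.findall(bundle_pem)]
    if not blocks: raise ValueError("bundle contains no CERTIFICATE blocks")
    return blocks[0], blocks[1:]

def cert_name(cert_id, leaf_pem):
    """certkit_<id>_<thumbprint> (assumed layout): the same renewal always maps to one name."""
    der = base64.b64decode("".join(PEM_RE.search(leaf_pem).group(1).split()))
    return f"certkit_{cert_id}_{hashlib.sha256(der).hexdigest()[:12]}"

def b64(text):
    return base64.b64encode(text.encode()).decode()

class FortiGate:
    # Thin FortiOS REST client; `session` is a requests.Session in production.
    # Each service is bound through a different cmdb endpoint and field; two shown here.
    BINDINGS = {"admin_gui": ("/cmdb/system/global", "admin-server-cert"),
                "ssl_vpn": ("/cmdb/vpn.ssl/settings", "servercert")}
    def __init__(self, host, token, session, vdom=None):
        self.base, self.session, self.vdom = f"https://{host}/api/v2", session, vdom
        self.headers = {"Authorization": f"Bearer {token}"}  # REST API admin token
    def _call(self, method, path, body=None):
        r = self.session.request(method, self.base + path, headers=self.headers, json=body,
                                 params={"vdom": self.vdom} if self.vdom else None)  # VDOM scope
        r.raise_for_status()
        return r.json()["results"]
    def local_certs(self):
        return [c["name"] for c in self._call("GET", "/cmdb/vpn.certificate/local")]
    def import_ca(self, ca_pem):
        self._call("POST", "/monitor/vpn-certificate/ca/import",
                   {"import_method": "file", "scope": "global", "file_content": b64(ca_pem)})
    def import_local(self, name, cert_pem, key_pem):
        self._call("POST", "/monitor/vpn-certificate/local/import",
                   {"type": "regular", "certname": name, "scope": "global",
                    "file_content": b64(cert_pem), "key_file_content": b64(key_pem)})
    def bind(self, service, name):
        path, field = self.BINDINGS[service]
        self._call("PUT", path, {field: name})
    def referenced(self):
        """Every certificate still selected on a service this client knows how to inspect."""
        return {self._call("GET", p)[f] for p, f in self.BINDINGS.values()}
    def delete_local(self, name):
        self._call("DELETE", f"/cmdb/vpn.certificate/local/{quote(name, safe='')}")

def rotate(fg, cert_id, bundle_pem, key_pem, service):
    """Import once, bind, then delete superseded certkit_ certs that nothing references."""
    leaf, chain = split_chain(bundle_pem)
    name = cert_name(cert_id, leaf)
    existing = fg.local_certs()
    imported = name not in existing  # re-running the same renewal imports nothing
    if imported:
        for ca in chain:
            fg.import_ca(ca)
        fg.import_local(name, leaf, key_pem)
    fg.bind(service, name)
    used = fg.referenced()
    stale = [n for n in existing if n.startswith("certkit_") and n != name]  # never others
    deleted = [n for n in stale if n not in used]
    for n in deleted:
        fg.delete_local(n)
    return {"name": name, "imported": imported, "deleted": deleted,
            "kept": [n for n in stale if n in used]}

class FakeFortiOS:
    """In-memory stand-in for a firewall so this runs offline; it is not FortiOS."""
    def __init__(self, local, admin_cert, sslvpn_cert):
        self.local = list(local)
        self.cfg = {"admin-server-cert": admin_cert, "servercert": sslvpn_cert}
    def request(self, method, url, headers, params, json):
        path, res = url.split("/api/v2", 1)[1], None
        if path == "/cmdb/vpn.certificate/local":
            res = [{"name": n} for n in self.local]
        elif path.startswith("/cmdb/vpn.certificate/local/"):
            self.local.remove(unquote(path.rsplit("/", 1)[1]))
        elif path == "/monitor/vpn-certificate/local/import":
            self.local.append(json["certname"])
        elif path in ("/cmdb/system/global", "/cmdb/vpn.ssl/settings"):
            if method == "PUT":
                self.cfg.update(json)
            res = dict(self.cfg)
        return SimpleNamespace(raise_for_status=lambda: None, json=lambda: {"results": res})

# Constructed placeholder PEM blocks (base64 of "leaf-cert" / "intermediate"), not real certs.
BUNDLE = ("-----BEGIN CERTIFICATE-----\nbGVhZi1jZXJ0\n-----END CERTIFICATE-----\n"
          "-----BEGIN CERTIFICATE-----\naW50ZXJtZWRpYXRl\n-----END CERTIFICATE-----\n")

def demo():
    # One old certkit_ cert backs both admin GUI and SSL VPN; rotate one service at a time.
    fw = FakeFortiOS(["Fortinet_Factory", "certkit_gui_old"], "certkit_gui_old", "certkit_gui_old")
    fg = FortiGate("fw.example.internal", "api-token", fw)
    first = rotate(fg, "gui", BUNDLE, "placeholder-key", "admin_gui")  # old still on SSL VPN
    second = rotate(fg, "gui", BUNDLE, "placeholder-key", "ssl_vpn")   # old now unreferenced
    return first, second, fw.local
```

The two runs in demo() show the two properties the templates are built around: the first rotation imports the chain and leaf, rebinds the admin GUI, and leaves the old certificate alone because the SSL VPN still points at it; the second run finds the thumbprint-named certificate already in the store, imports nothing, rebinds the SSL VPN, and only then deletes the old one. Fortinet_Factory is never a candidate because cleanup is scoped to the certkit_ prefix.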
Most networks have more than one place where TLS certificates live: F5 load balancers, VPN concentrators, web servers, and other firewall vendors like Palo Alto and SonicWall. CertKit automates all of it from one account.
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.