# Transfer CA-Certificate and Cert+Key to a FortiAccesspoint

Before we can start, we need a TFTP server that is reachable on port 69 from the access point itself. All three files should be available in the TFTP server's shared directory.

In this example we have these three files:

- mydomain-ca.pem
- device-cert.pem
- device-key.pem

The TFTP server's IP address is:

- 192.168.55.2

Now we connect to the FortiAP via CLI and use these three commands to transfer the three files.

```bash
### ca-Certificate
cw_diag -c wan1x get-ca-cert 192.168.55.2 mydomain-ca.pem

### device-Certificate
cw_diag -c wan1x get-client-cert 192.168.55.2 device-cert.pem

### device-Key
cw_diag -c wan1x get-private-key 192.168.55.2 device-key.pem
```

To check whether the device is authorized, we can use the following command:

```bash
cw_diag -c wan1x
```

The output should look something like this (see **Port Status**):

```
WAN port 802.1x supplicant:
EAP methods : EAP-TLS
Username : dummy
PasswordENC : /PSkn0Jc5b4MeQBAmlMRfU6hsk3BSUR9wvVit0oaUBHoPjWhELAr+f736JosyqMi/InMTA1GXdUaF5D+spFoUx7caAkQYeHmYP3ZCu8nU9w/rqGd3fHiSuH7gPvzL8rk3aj/uaRjVN0/FPMJebAtR5PSzPQC66dLxyoLmJmzX6iIspb7bQl7aHQkMoVOB/qp0SUHbw==
CA CERT : Users
Client CERT : Users
Private Key : Users
Port Status : Authorized(selected method EAP-TLS)
```
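
When the status check has to be repeated across many access points, captured `cw_diag -c wan1x` output can be evaluated by a script. The following Python code is an added example, not part of the original page or of any Fortinet tooling: it parses text in the layout shown above and reports missing certificate slots or a port that is not authorized. The function names, the redacted `PasswordENC` value and the failing sample are assumptions constructed for illustration.

```python
# Added example: evaluate captured `cw_diag -c wan1x` output.
# Field names come from the output shown on this page; the function
# names and the failing sample are constructed for illustration.
REQUIRED_SLOTS = ("CA CERT", "Client CERT", "Private Key")

def parse_supplicant_status(text):
    """Turn 'key : value' lines into a dict (split on the first colon)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def check_supplicant(text, expected_method="EAP-TLS"):
    """Return a list of findings; an empty list means the port looks healthy."""
    fields = parse_supplicant_status(text)
    findings = []
    methods = fields.get("EAP methods", "")
    if expected_method not in methods:
        findings.append(f"EAP method {expected_method} not configured (got {methods!r})")
    for slot in REQUIRED_SLOTS:
        if not fields.get(slot):
            findings.append(f"{slot} is not set")
    status = fields.get("Port Status", "")
    if not status.startswith("Authorized"):
        findings.append(f"port not authorized: {status or 'status missing'}")
    elif expected_method not in status:
        findings.append(f"authorized with unexpected method: {status}")
    return findings

# Output in the layout shown on this page (PasswordENC value redacted).
SAMPLE_OK = """\
WAN port 802.1x supplicant:
EAP methods : EAP-TLS
Username : dummy
PasswordENC : <redacted>
CA CERT : Users
Client CERT : Users
Private Key : Users
Port Status : Authorized(selected method EAP-TLS)
"""

# Constructed failure case: empty key slot and a placeholder status string.
SAMPLE_BAD = (SAMPLE_OK.replace("Private Key : Users", "Private Key :")
              .replace("Authorized(selected method EAP-TLS)", "(constructed non-authorized status)"))

if __name__ == "__main__":
    print(check_supplicant(SAMPLE_OK), check_supplicant(SAMPLE_BAD))
```

The check only tests whether **Port Status** begins with `Authorized`, so it does not depend on the exact wording a FortiAP prints for other states.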