
CLI Reference

certificate

Use the following commands to configure certificate related settings.

certificate ca

Use this command to install Certificate Authority (CA) root certificates.

When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the Certificate Revocation List (CRL).

The process for obtaining and installing certificates is as follows:
  1. Use the execute certificate local generate command to generate a CSR.
  2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
  3. Use the system certificate local command to install the signed local certificate.
  4. Use the system certificate ca command to install the CA certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax

config system certificate ca
  edit <ca_name>
    set ca <certificate>
    set comment <string>
end

Variable          Description
<ca_name>         Enter a name for the CA certificate. Character limit: 35
ca <certificate>  Enter or retrieve the CA certificate in PEM format.
comment <string>  Optionally, enter a descriptive comment. Character limit: 127

To view all of the information about the certificate, use the get command:

get system certificate ca <ca_name>

certificate crl

Use this command to configure CRLs.

Syntax

config system certificate crl
  edit <name>
    set crl <crl>
    set comment <string>
end

Variable          Description
<name>            Enter a name for the CRL. Character limit: 35
crl <crl>         Enter or retrieve the CRL in PEM format.
comment <string>  Optionally, enter a descriptive comment for this CRL. Character limit: 127

certificate local

Use this command to install local certificates. When a CA processes your CSR, it sends you the CA certificate, the signed local certificate and the CRL.

The process for obtaining and installing certificates is as follows:
  1. Use the execute certificate local generate command to generate a CSR.
  2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
  3. Use the system certificate local command to install the signed local certificate.
  4. Use the system certificate ca command to install the CA certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax

config system certificate local
  edit <cert_name>
    set password <passwd>
    set comment <string>
    set certificate <certificate_PEM>
    set private-key <prkey>
    set csr <csr_PEM>
end

Variable                       Description
<cert_name>                    Enter the local certificate name. Character limit: 35
password <passwd>              Enter the local certificate password. Character limit: 67
comment <string>               Enter any relevant information about the certificate. Character length: 127
certificate <certificate_PEM>  Enter the signed local certificate in PEM format.

You should not modify the following variables if you generated the CSR on this unit.

private-key <prkey>            The private key in PEM format.
csr <csr_PEM>                  The CSR in PEM format.

To view all of the information about the certificate, use the get command:

get system certificate local [cert_name]
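
A preflight helper for the paste step in the procedures above, added here as an example (it is not Fortinet code). It enforces the name and comment limits from the ca, crl and local tables, checks that the value is exactly one PEM block of the expected type, and renders the block to paste. Assumptions: the standard PEM labels, a conservative name character set, and the multi-line value being passed in double quotes.

```python
import base64
import re

# table -> (name limit, comment limit, set-field, expected PEM label).
# Limits and field names come from the tables on this page; the PEM labels
# are the standard ones (assumption: the unit expects these).
TABLES = {
    "ca": (35, 127, "ca", "CERTIFICATE"),
    "crl": (35, 127, "crl", "X509 CRL"),
    "local": (35, 127, "certificate", "CERTIFICATE"),
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def check_pem(text, expected_label):
    """Return the single PEM block in text, re-wrapped at 64 columns."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label != expected_label:  # e.g. a private key pasted into 'set ca'
        raise ValueError(f"PEM label {label!r}, expected {expected_label!r}")
    der = base64.b64decode("".join(body.split()), validate=True)
    if der[:1] != b"\x30":  # certificates and CRLs are DER SEQUENCEs
        raise ValueError("payload is not a DER SEQUENCE")
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"])

def build_config(table, name, pem_text, comment=""):
    """Render a 'config system certificate <table>' block ready to paste."""
    name_max, comment_max, field, label = TABLES[table]
    # Conservative name character set (assumption, not a documented rule).
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name) or len(name) > name_max:
        raise ValueError(f"name must be 1-{name_max} chars of [A-Za-z0-9_.-]")
    if len(comment) > comment_max or '"' in comment or "\n" in comment:
        raise ValueError(f"comment must be one line, no quotes, <= {comment_max} chars")
    pem = check_pem(pem_text, label)
    # Assumption: the multi-line PEM value is passed inside double quotes.
    out = [f"config system certificate {table}", f"  edit {name}", f'    set {field} "{pem}"']
    if comment:
        out.append(f'    set comment "{comment}"')
    return "\n".join(out + ["end"])

# Constructed sample: a 5-byte DER SEQUENCE standing in for a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
              + "\n-----END CERTIFICATE-----\n")
```

Calling `build_config("ca", "lab-root-ca", SAMPLE_PEM, "constructed sample")` returns the block as a string. Private keys are deliberately not handled, so key material never passes through the helper.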

certificate oftp

Use this command to install OFTP certificates and keys.

Syntax

config system certificate oftp
  set certificate <certificate>
  set comment <string>
  set custom {enable | disable}
  set password <passwd>
  set private-key <key>
end

Variable                   Description
certificate <certificate>  PEM format certificate.
comment <string>           OFTP certificate comment. Character limit: 127
custom {enable | disable}  Enable/disable custom certificates.
password <passwd>          Password for encrypted 'private-key', unset for non-encrypted.
private-key <key>          PEM format private key.

certificate ssh

Use this command to install SSH certificates and keys.

The process for obtaining and installing certificates is as follows:
  1. Use the execute certificate local generate command to generate a CSR.
  2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
  3. Use the system certificate local command to install the signed local certificate.
  4. Use the system certificate ca command to install the CA certificate.
  5. Use the system certificate ssh command to install the SSH certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax

config system certificate ssh
  edit <name>
    set comment <comment_text>
    set certificate <certificate>
    set private-key <key>
end

Variable                   Description
<name>                     Enter the SSH certificate name. Character limit: 63
comment <comment_text>     Enter any relevant information about the certificate. Character limit: 127
certificate <certificate>  Enter the signed SSH certificate in PEM format.

You should not modify the following variables if you generated the CSR on this unit.

private-key <key>          The private key in PEM format.

To view all of the information about the certificate, use the get command:

get system certificate ssh [cert_name]
