Certificate settings

The <certificates></certificates> XML tags contain certificate settings. Following are the subsections:

  • CRL: uses Online Certificate Status Protocol (OCSP).
  • HDD
  • CA certificate: base 64 encoded CA certificate.

<forticlient_configuration>
  <system>
    <certificates>
      <crl>
        <ocsp />
      </crl>
      <hdd />
      <ca />
      <common_name>
        <match_type><![CDATA[simple]]></match_type>
        <pattern><![CDATA[w8.fct.net]]></pattern>
      </common_name>
      <issuer>
        <match_type><![CDATA[simple]]></match_type>
        <pattern><![CDATA[Subordinate CA]]></pattern>
      </issuer>
      <oids>
        <oid>
          <match_type>simple</match_type>
          <pattern><![CDATA[1.3.6.1.5.5.7.3.1]]></pattern>
        </oid>
      </oids>
    </certificates>
  </system>
</forticlient_configuration>

The following describes the XML tags for certificate settings, with their descriptions and default values where applicable.

<crl><ocsp> elements

  <enabled>
      Use OCSP.
      Default value: Boolean value: [0 | 1]

  <server>
      Enter the server IP address.

  <port>
      Enter the server port number.

<common_name> elements for the common name of the certificate that is automatically selected for VPN logon.

  <match_type>
      Enter the type of matching to use, for example, <match_type><![CDATA[simple]]></match_type>. Choose from:
        • simple: exact match
        • wildcard: wildcard
        • regex: regular expressions

  <pattern>
      Enter the pattern to use for the type of matching, for example, <pattern><![CDATA[w8.fct.net]]></pattern>.

<issuer> elements about the issuer of the certificate that is automatically selected for VPN logon.

  <match_type>
      Enter the type of matching to use, for example, <match_type><![CDATA[simple]]></match_type>. Choose from:
        • simple: exact match
        • wildcard: wildcard

  <pattern>
      Enter the pattern to use for the type of matching, for example, <pattern><![CDATA[Subordinate CA]]></pattern>.

<oid> elements about the certificate object identifier (OID). This feature filters on all certificate OIDs at the first level of the X.509 ASN.1 structure. Nested (second-level) OIDs are not supported, other than the EKU (extendedKeyUsage) OIDs.

  <match_type>
      Enter the type of matching to use. Choose from:
        • simple: exact match
        • wildcard: wildcard
        • regex: regular expressions

  <pattern>
      Enter the pattern to use for the type of matching.

Following is an example of an exact match for <common_name>:

<certificate>
  <common_name>
    <match_type><![CDATA[simple]]></match_type>
    <pattern><![CDATA[w8.fct.net]]></pattern>
  </common_name>
</certificate>

Following is an example of a wildcard match for <common_name>:

<certificate>
  <common_name>
    <match_type><![CDATA[wildcard]]></match_type>
    <pattern><![CDATA[*.fct.net]]></pattern>
  </common_name>
</certificate>
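To see how the <common_name>, <issuer> and <oids> rules above combine when FortiClient picks a certificate for VPN logon, the following added Python example (not FortiClient code) parses a constructed <certificates> block with xml.etree, reads the <crl><ocsp> settings, and applies each documented match type to a few constructed candidate certificates. The matching semantics are assumptions: "simple" is a case-sensitive exact compare, "wildcard" uses shell-glob rules (fnmatch), "regex" must match the whole value, and every <oid> rule must be satisfied by at least one EKU OID of the certificate. The OCSP server name and port are placeholders.

```python
# Added example, not FortiClient code: applies the <common_name>, <issuer>
# and <oids> selection rules from a <certificates> block to candidate
# certificates and reads the <crl><ocsp> settings. Assumed semantics:
# "simple" = exact, case-sensitive compare; "wildcard" = shell glob
# (fnmatch); "regex" = whole-value match; every <oid> rule must be met by
# at least one EKU OID. The config and certificates below are constructed.
import fnmatch
import re
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = r"""<forticlient_configuration>
  <system>
    <certificates>
      <crl>
        <ocsp>
          <enabled>1</enabled>
          <server>ocsp.example.invalid</server>
          <port>80</port>
        </ocsp>
      </crl>
      <common_name>
        <match_type><![CDATA[wildcard]]></match_type>
        <pattern><![CDATA[*.fct.net]]></pattern>
      </common_name>
      <issuer>
        <match_type><![CDATA[simple]]></match_type>
        <pattern><![CDATA[Subordinate CA]]></pattern>
      </issuer>
      <oids>
        <oid>
          <match_type>regex</match_type>
          <pattern><![CDATA[1\.3\.6\.1\.5\.5\.7\.3\.(1|2)]]></pattern>
        </oid>
      </oids>
    </certificates>
  </system>
</forticlient_configuration>"""

# Constructed candidates: (subject CN, issuer CN, EKU OIDs);
# 1.3.6.1.5.5.7.3.2 is clientAuth, 1.3.6.1.5.5.7.3.4 is emailProtection.
SAMPLE_CERTS = [
    ("laptop.corp.example", "Subordinate CA", ["1.3.6.1.5.5.7.3.2"]),  # CN fails
    ("w8.fct.net", "Root CA", ["1.3.6.1.5.5.7.3.2"]),                  # issuer fails
    ("w8.fct.net", "Subordinate CA", ["1.3.6.1.5.5.7.3.4"]),           # EKU fails
    ("vpn-user.fct.net", "Subordinate CA", ["1.3.6.1.5.5.7.3.2"]),     # passes
]


def matches(match_type, pattern, value):
    """Apply one documented match type to a single attribute value."""
    if match_type == "simple":
        return value == pattern
    if match_type == "wildcard":
        return fnmatch.fnmatchcase(value, pattern)
    if match_type == "regex":
        return re.fullmatch(pattern, value) is not None
    raise ValueError(f"unknown match_type: {match_type!r}")


def _rule(elem):
    """Read a <match_type>/<pattern> pair (CDATA arrives as plain text)."""
    if elem is None:
        return ("", "")
    return (elem.findtext("match_type", "").strip(),
            elem.findtext("pattern", "").strip())


def load_rules(xml_text):
    """Extract the selection rules and OCSP settings from the config."""
    certs = ET.fromstring(xml_text).find("system/certificates")
    ocsp = certs.find("crl/ocsp")
    if ocsp is None:                      # <crl> may be absent or empty
        ocsp = ET.Element("ocsp")
    return {
        "common_name": _rule(certs.find("common_name")),
        "issuer": _rule(certs.find("issuer")),
        "oids": [_rule(o) for o in certs.findall("oids/oid")],
        "ocsp": {
            "enabled": ocsp.findtext("enabled", "0").strip() == "1",
            "server": ocsp.findtext("server", "").strip(),
            "port": int(ocsp.findtext("port", "0").strip() or 0),
        },
    }


def select_certificate(rules, candidates):
    """Return the first (cn, issuer, oids) candidate meeting every rule."""
    cn_type, cn_pat = rules["common_name"]
    is_type, is_pat = rules["issuer"]
    for cn, issuer, eku_oids in candidates:
        if cn_pat and not matches(cn_type, cn_pat, cn):
            continue                      # empty pattern = no constraint
        if is_pat and not matches(is_type, is_pat, issuer):
            continue
        if not all(any(matches(t, p, oid) for oid in eku_oids)
                   for t, p in rules["oids"]):
            continue
        return (cn, issuer, eku_oids)
    return None
```

Two points worth checking against a real deployment before relying on the rules: under glob semantics `*` also crosses dots, so `*.fct.net` accepts `a.b.fct.net` as well as `w8.fct.net`, and an exact ("simple") issuer match is case-sensitive in this example, so `subordinate CA` and `Subordinate CA` are different patterns. Confirm the product's actual behaviour for both before choosing between a wildcard and a regex pattern.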
