Fortinet Document Library

CLI Reference 6.0.0

vpn certificate setting

Use this command to enable receiving certificates by OCSP.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command Description

set ssl-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the minimum SSL version that can be used for SSL/TLS-protected OCSP sessions.

The default value, default, follows the global minimum set by the ssl-min-proto-version option of the config system global command.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set check-ca-chain {enable | disable}

Enable (by default) or disable certificate verification failure if any of the CAs in the trust chain are not found in the CA store. When disabled, a sub-CA is sufficient to pass certificate verification.

config vpn certificate setting
    set ocsp-status {enable | disable}   Enable/disable receiving certificates using the OCSP.
    set ssl-ocsp-status {enable | disable}   Enable/disable SSL OCSP.
    set ssl-ocsp-option {certificate | server}   Specify whether the OCSP URL is from the certificate or the default OCSP server.
            certificate  Use URL from certificate.
            server       Use URL from default OCSP server.
    set ocsp-default-server {string}   Default OCSP server. size[35] - datasource(s): vpn.certificate.ocsp-server.name
    set check-ca-cert {enable | disable}   Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted (default = enable).
    set check-ca-chain {enable | disable}   Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted (default = disable).
    set subject-match {substring | value}   When searching for a matching certificate, control how to find matches in the certificate subject name.
            substring  Find a match if any string in the certificate subject name matches the name being searched for.
            value      Find a match if any attribute value string in a certificate subject name is an exact match with the name being searched for.
    set cn-match {substring | value}   When searching for a matching certificate, control how to find matches in the cn attribute of the certificate subject name.
            substring  Find a match if any string in a certificate subject name cn attribute name matches the name being searched for.
            value      Find a match if the cn attribute value string is an exact match with the name being searched for.
    set strict-crl-check {enable | disable}   Enable/disable strict mode CRL checking.
    set strict-ocsp-check {enable | disable}   Enable/disable strict mode OCSP checking.
    set ssl-min-proto-version {option}   Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).
            default  Follow system global setting.
            SSLv3    SSLv3.
            TLSv1    TLSv1.
            TLSv1-1  TLSv1.1.
            TLSv1-2  TLSv1.2.
    set cmp-save-extra-certs {enable | disable}   Enable/disable saving extra certificates in CMP mode.
    set certname-rsa1024 {string}   1024 bit RSA key certificate for re-signing server certificates for SSL inspection. size[35] - datasource(s): vpn.certificate.local.name
    set certname-rsa2048 {string}   2048 bit RSA key certificate for re-signing server certificates for SSL inspection. size[35] - datasource(s): vpn.certificate.local.name
    set certname-dsa1024 {string}   1024 bit DSA key certificate for re-signing server certificates for SSL inspection. size[35] - datasource(s): vpn.certificate.local.name
    set certname-dsa2048 {string}   2048 bit DSA key certificate for re-signing server certificates for SSL inspection. size[35] - datasource(s): vpn.certificate.local.name
    set certname-ecdsa256 {string}   256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. size[35] - datasource(s): vpn.certificate.local.name
    set certname-ecdsa384 {string}   384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. size[35] - datasource(s): vpn.certificate.local.name
end

Additional information

The following section is for those options that require additional explanation.

ocsp-status {enable | disable}

Enable or disable (by default) receiving the certificates using the Online Certificate Status Protocol (OCSP), an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

For more information about OCSP, see RFC 6960.

ssl-ocsp-status {enable | disable}

Enable or disable (disabled by default) the FortiGate acting as the client that performs the certificate security checks the web browser would otherwise perform.

Only enable this when you know the server certificate is issued by a trusted CA and when you know the web server uses sufficiently strong encryption.

ssl-ocsp-option {certificate | server}

Use either the OCSP URL from the certificate or the URL of the default OCSP server (the default).

ocsp-default-server <server>

The OCSP server to be used by default. This is one of the servers defined in config vpn certificate ocsp-server.

check-ca-cert {enable | disable}

Enable (by default) to check the CA certificate and fail authentication if the certificate is not found.

strict-crl-check {enable | disable}

Enable or disable (by default) strict mode certificate revocation list (CRL) checking. If strict checking is not enabled and a certificate is found on a CRL, the certificate can be used, but a warning log message is written. If strict checking is enabled, all authentication actions that use this certificate fail in addition to the warning message being written.

strict-ocsp-check {enable | disable}

Enable or disable (by default) strict mode OCSP checking. If strict checking is not enabled and the OCSP server responds with a certificate status of unknown, the certificate can be used, but a warning log message is written. If strict checking is enabled, all authentication actions that use this certificate fail in addition to the warning message being written.
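The following is an added example, not Fortinet code: it models the subject-match / cn-match rules from the config listing and the strict-crl-check / strict-ocsp-check behaviour described above, so the effect of each setting can be checked on sample input. The DN parser, the direction of the substring comparison, and the handling of a definitive OCSP "revoked" are assumptions.

```python
# Added example (not Fortinet's code): models the documented semantics of
# subject-match / cn-match and of strict-crl-check / strict-ocsp-check.
# DN parsing and the direction of substring matching are assumptions.
from dataclasses import dataclass

@dataclass
class CertSetting:
    subject_match: str = "substring"   # substring | value
    cn_match: str = "substring"        # substring | value
    strict_crl_check: bool = False     # default = disable
    strict_ocsp_check: bool = False    # default = disable

def parse_dn(dn: str) -> list:
    """Split 'CN=alice,OU=vpn,O=Example' into (ATTR, value) pairs."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.upper(), value))
    return pairs

def subject_matches(setting: CertSetting, subject_dn: str, name: str) -> bool:
    """subject-match: 'substring' matches the name anywhere in the subject,
    'value' requires some attribute value to equal the name exactly."""
    if setting.subject_match == "value":
        return any(v == name for _, v in parse_dn(subject_dn))
    return name in subject_dn

def cn_matches(setting: CertSetting, subject_dn: str, name: str) -> bool:
    """cn-match: the same rule, restricted to the CN attribute(s)."""
    cns = [v for a, v in parse_dn(subject_dn) if a == "CN"]
    if setting.cn_match == "value":
        return name in cns
    return any(name in cn for cn in cns)

def revocation_decision(setting: CertSetting, crl_revoked: bool, ocsp_status: str):
    """Return ('allow' | 'fail', warnings). In non-strict mode a CRL-listed
    certificate or an OCSP 'unknown' passes with a warning, as documented."""
    warnings, decision = [], "allow"
    if crl_revoked:
        warnings.append("certificate is listed on a CRL")
        if setting.strict_crl_check:
            decision = "fail"
    if ocsp_status == "revoked":
        decision = "fail"  # assumption: a definitive 'revoked' always fails
    elif ocsp_status == "unknown":
        warnings.append("OCSP responder returned status unknown")
        if setting.strict_ocsp_check:
            decision = "fail"
    return decision, warnings
```

With the defaults, a CRL-listed certificate and an OCSP "unknown" both return "allow" with a warning; only the strict flags turn them into a failed authentication.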

ssl-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the minimum SSL version that can be used for SSL/TLS-protected OCSP sessions.

The default value, default, follows the global minimum set by the ssl-min-proto-version option of the config system global command.
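As an added example that is not part of the reference, the configuration below shows the permissive defaults documented above next to a hardened version built only from the options on this page. The "#" lines are annotations, not CLI commands.

```text
# Permissive: relies on the documented defaults. A CRL-listed certificate or an
# OCSP "unknown" is accepted with only a warning, a sub-CA is enough to pass
# chain verification, and the TLS floor for OCSP sessions follows the global setting.
config vpn certificate setting
    set ocsp-status enable
    set strict-crl-check disable
    set strict-ocsp-check disable
    set check-ca-chain disable
    set ssl-min-proto-version default
end

# Hardened: fail authentication on a CRL hit or an unknown OCSP status, require the
# complete trusted chain, take the OCSP URL from the certificate, and pin the
# OCSP session TLS floor to TLS 1.2.
config vpn certificate setting
    set ocsp-status enable
    set ssl-ocsp-option certificate
    set strict-crl-check enable
    set strict-ocsp-check enable
    set check-ca-chain enable
    set ssl-min-proto-version TLSv1-2
end
```

Enabling the strict options turns the warning-only cases into authentication failures, so confirm the OCSP responder and CRL distribution points are reachable from the FortiGate before applying the hardened block.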
