vpn certificate local
Use this command to install local certificates.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.
Command | Description |
---|---|
`set source {factory \| user \| bundle}` | The |
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description |
---|---|
`set enroll-protocol {none \| scep \| cmpv2}`, `set cmp-server "address:port"`, `set cmp-path <path>`, `set cmp-server-cert <ca-cert>`, `set cmp-regeneration-method {keyupdate \| renewal}` | Support added to enroll with Certificate Management Protocol version 2 (CMPv2) and to configure CMP server settings. |
```
config vpn certificate local
    edit {name}
    # Local keys and certificates.
        set name {string}   Name. size[35]
        set password {password_string}   Password as a PEM file. size[128]
        set comments {string}   Comment. size[511]
        set private-key {string}   PEM format key, encrypted with a password.
        set certificate {string}   PEM format certificate.
        set csr {string}   Certificate Signing Request.
        set state {string}   Certificate Signing Request State.
        set scep-url {string}   SCEP server URL. size[255]
        set range {global | vdom}   Either a global or VDOM IP address range for the certificate.
                global   Global range.
                vdom     VDOM IP address range.
        set source {factory | user | bundle}   Certificate source type.
                factory   Factory installed certificate.
                user      User generated certificate.
                bundle    Bundle file certificate.
        set auto-regenerate-days {integer}   Number of days to wait before expiry of an updated local certificate is requested (0 = disabled). range[0-4294967295]
        set auto-regenerate-days-warning {integer}   Number of days to wait before an expiry warning message is generated (0 = disabled). range[0-4294967295]
        set scep-password {password_string}   SCEP server challenge password for auto-regeneration. size[128]
        set ca-identifier {string}   CA identifier of the CA server for signing via SCEP. size[255]
        set name-encoding {printable | utf8}   Name encoding method for auto-regeneration.
                printable   Printable encoding (default).
                utf8        UTF-8 encoding.
        set source-ip {ipv4 address}   Source IP address for communications to the SCEP server.
        set ike-localid {string}   Local ID the FortiGate uses for authentication as a VPN client. size[63]
        set ike-localid-type {asn1dn | fqdn}   IKE local ID type.
                asn1dn   ASN.1 distinguished name.
                fqdn     Fully qualified domain name.
        set last-updated {integer}   Time at which certificate was last updated. range[0-4294967295]
        set enroll-protocol {none | scep | cmpv2}   Certificate enrollment protocol.
                none    None (default).
                scep    Simple Certificate Enrollment Protocol.
                cmpv2   Certificate Management Protocol Version 2.
        set cmp-server {string}   'ADDRESS:PORT' for CMP server. size[63]
        set cmp-path {string}   Path location inside CMP server. size[255]
        set cmp-server-cert {string}   CMP server certificate. size[35] - datasource(s): vpn.certificate.ca.name
        set cmp-regeneration-method {keyupdate | renewal}   CMP auto-regeneration method.
                keyupdate   Key Update.
                renewal     Renewal.
    next
end
```
Additional information
The following section is for those options that require additional explanation.
auto-regenerate-days <days>
Note: This entry is only available when `enroll-protocol` has been set to either `scep` or `cmpv2`.
Enter how many days before expiry the FortiGate requests an updated local certificate. Set to 0 (by default) for no auto-update.
For example, if the certificate is expiring in a year and you want to use SCEP to request a new certificate five days before it expires, the value should be 5.
auto-regenerate-days-warning <days>
Note: This entry is only available when `enroll-protocol` has been set to either `scep` or `cmpv2`.
Enter how many days before expiry the FortiGate sends a warning about updating a local certificate. Set to 0 (by default) for no warning.
For example, if the certificate is expiring in a year and you want to get a warning five days before it expires, the value should be 5.
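The following entry is an added example, not part of the FortiOS reference itself, that puts the options described above together: one local certificate enrolled over SCEP with auto-regeneration requested 5 days before expiry and a warning 14 days before, and a second entry enrolled over CMPv2 using the `cmp-*` settings from the syntax listing. The entry names, the SCEP URL, the CA identifier, the CMP server address and path, the CA certificate name and the challenge password are all placeholders.

```text
config vpn certificate local
    # Placeholder entry: SCEP enrollment with automatic renewal.
    edit "scep_client_1"
        # enroll-protocol must be set first; the scep-*, ca-identifier,
        # name-encoding and auto-regenerate-* options only appear after it.
        set enroll-protocol scep
        set scep-url "http://ca.example.com/scep"
        set ca-identifier "example-ca"
        # Challenge password expected by the SCEP server (placeholder value).
        set scep-password "challenge-password-placeholder"
        set name-encoding printable
        # Source address used to reach the SCEP server (placeholder).
        set source-ip 192.0.2.10
        # Request a new certificate 5 days before expiry, warn 14 days before.
        set auto-regenerate-days 5
        set auto-regenerate-days-warning 14
        # ike-localid is only available with ike-localid-type fqdn.
        set ike-localid-type fqdn
        set ike-localid "fgt1.example.com"
        set range vdom
    next
    # Placeholder entry: CMPv2 enrollment with key-update regeneration.
    edit "cmp_client_1"
        set enroll-protocol cmpv2
        # 'ADDRESS:PORT' of the CMP server and the path inside it (placeholders).
        set cmp-server "ca.example.com:829"
        set cmp-path "/pkix/"
        # Must name an existing entry under vpn certificate ca (placeholder).
        set cmp-server-cert "CA_Cert_1"
        set cmp-regeneration-method keyupdate
        set auto-regenerate-days 5
        set auto-regenerate-days-warning 14
    next
end
```

With these values the FortiGate generates an expiry warning 14 days before the certificate's end date and submits the renewal request 5 days before it; leaving either option at 0 disables that behaviour, so a certificate with 0 in both fields will simply expire without notice. The warning interval is deliberately longer than the regeneration interval so that a failed automatic renewal still surfaces before the certificate lapses.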
ca-identifier <name>
Note: This entry is only available when `enroll-protocol` has been set to `scep`.
CA identifier of the CA server for signing via SCEP.
certificate <certificate>
Note: This is only available for local entries that have certificates assigned to them already.
Certificate in PEM format.
csr <cert>
Certificate Signing Request (CSR) to be signed.
ike-localid <id>
Note: This entry is only available when `ike-localid-type` is set to `fqdn`.
Local ID that the FortiGate will use for authentication purposes as a VPN client.
ike-localid-type <type>
IKE local ID type:
- asn1dn: ASN.1 Distinguished Name ID (set by default)
- fqdn: Fully Qualified Domain Name ID
last-updated <days>
Note: This entry is only available when a certificate has been set.
Amount of time in days since the certificate was last updated.
name-encoding {printable | utf8}
Note: This entry is only available when `enroll-protocol` has been set to `scep`.
Name encoding method for auto-regeneration:
- printable: Printable encoding (also known as Quoted-Printable, or QP encoding) uses printable ASCII alphanumeric characters and the equals (=) sign (set by default).
- utf8: UTF-8 encoding uses all possible characters.
password <password>
Password in Privacy Enhanced Mail (PEM) format.
private-key <key>
Private key in PEM format, encrypted with the password.
range {global | vdom}
Either `global` (by default) or `vdom` IP address range for the certificate.
scep-password <password>
Note: This entry is only available when `scep-url` has been set.
Password for the SCEP server.
scep-url <url>
Note: This entry is only available when `enroll-protocol` is set to `scep`.
URL for the Simple Certificate Enrollment Protocol (SCEP) server.
source {factory | user | bundle}
Select the certificate's source:
- factory: Default certificate that came with the FortiGate
- user: User certificate (set by default)
- bundle: Certificate from a bundle file
source-ip <ipv4-addr>
Source IP address for communications to the SCEP server.
state <state>
State of the CSR.