certificate local
Note: The following command is only available when VDOMs are enabled.
Use this command to install local certificates for this VDOM.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.
Command | Description
---|---
set source {factory | user | bundle} | The
config certificate local
    edit {name}
    # Local keys and certificates.
        set name {string}   Name. size[35]
        set password {password_string}   Password as a PEM file. size[128]
        set comments {string}   Comment. size[511]
        set private-key {string}   PEM format key, encrypted with a password.
        set certificate {string}   PEM format certificate.
        set csr {string}   Certificate Signing Request.
        set state {string}   Certificate Signing Request State.
        set scep-url {string}   SCEP server URL. size[255]
        set range {global | vdom}   Either a global or VDOM IP address range for the certificate.
                global   Global range.
                vdom     VDOM IP address range.
        set source {factory | user | bundle}   Certificate source type.
                factory   Factory installed certificate.
                user      User generated certificate.
                bundle    Bundle file certificate.
        set auto-regenerate-days {integer}   Number of days to wait before expiry of an updated local certificate is requested (0 = disabled). range[0-4294967295]
        set auto-regenerate-days-warning {integer}   Number of days to wait before an expiry warning message is generated (0 = disabled). range[0-4294967295]
        set scep-password {password_string}   SCEP server challenge password for auto-regeneration. size[128]
        set ca-identifier {string}   CA identifier of the CA server for signing via SCEP. size[255]
        set name-encoding {printable | utf8}   Name encoding method for auto-regeneration.
                printable   Printable encoding (default).
                utf8        UTF-8 encoding.
        set source-ip {ipv4 address}   Source IP address for communications to the SCEP server.
        set ike-localid {string}   Local ID the FortiGate uses for authentication as a VPN client. size[63]
        set ike-localid-type {asn1dn | fqdn}   IKE local ID type.
                asn1dn   ASN.1 distinguished name.
                fqdn     Fully qualified domain name.
        set last-updated {integer}   Time at which certificate was last updated. range[0-4294967295]
        set enroll-protocol {none | scep | cmpv2}   Certificate enrollment protocol.
                none    None (default).
                scep    Simple Certificate Enrollment Protocol.
                cmpv2   Certificate Management Protocol Version 2.
        set cmp-server {string}   'ADDRESS:PORT' for CMP server. size[63]
        set cmp-path {string}   Path location inside CMP server. size[255]
        set cmp-server-cert {string}   CMP server certificate. size[35] - datasource(s): certificate.ca.name
        set cmp-regeneration-method {keyupate | renewal}   CMP auto-regeneration method.
                keyupate   Key Update.
                renewal    Renewal.
    next
end
Additional information
The following section is for those options that require additional explanation.
auto-regenerate-days <days>
This entry is only available when scep-url has been set.
Enter how many days before expiry the FortiGate requests an updated local certificate through SCEP. The default is 0, which disables auto-update.
For example, if the certificate expires in a year and you want to use SCEP to request a new certificate five days before it expires, set the value to 5.
auto-regenerate-days-warning <days>
This entry is only available when scep-url has been set.
Enter how many days before expiry the FortiGate generates a warning that the local certificate needs updating. The default is 0, which disables the warning.
For example, if the certificate expires in a year and you want a warning five days before it expires, set the value to 5.
ca-identifier <name>
This entry is only available when scep-url has been set.
CA identifier of the CA server that signs the certificate via SCEP.
certificate <certificate>
This is only available for local entries that have certificates assigned to them already.
Certificate in PEM format.
csr <cert>
Certificate Signing Request (CSR) to be signed.
ike-localid <id>
This entry is only available when ike-localid-type is set to fqdn.
Local ID that the FortiGate will use for authentication purposes as a VPN client.
ike-localid-type <type>
IKE local ID type:
- asn1dn: ASN.1 Distinguished Name ID (set by default)
- fqdn: Fully Qualified Domain Name ID
last-updated <time>
This entry is only available when a certificate has been set.
Time at which the certificate was last updated, stored as an integer in range[0-4294967295] (see the command syntax above). It records a point in time, not a number of days.
name-encoding {printable | utf8}
This entry is only available when scep-url has been set.
Name encoding method used for the subject name in auto-regeneration requests:
- printable: ASN.1 PrintableString encoding (set by default). It allows only A-Z, a-z, 0-9, space and the punctuation ' ( ) + , - . / : = ? ; a name containing any other character (for example an accented letter, @ or &) cannot be encoded this way.
- utf8: ASN.1 UTF8String encoding, which can carry any Unicode character.
If the subject name contains characters outside the PrintableString set, select utf8 so that the regeneration request can carry the same name.
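The SCEP-related entries above (auto-regenerate-days, auto-regenerate-days-warning, ca-identifier, scep-password and name-encoding) are easiest to see together. The following Python script is an added example, not Fortinet code and not part of this reference: it builds the CLI text for one config certificate local entry, refuses the SCEP-dependent options when scep-url is not set, checks the documented field sizes and day ranges, and picks name-encoding by testing whether the subject name fits the ASN.1 PrintableString repertoire. The SCEP URL, CA identifier, challenge password, source IP and DN are constructed sample values; this page does not say where the subject name comes from, so the script assumes it is the DN used when the CSR was generated.

```python
import string

# ASN.1 PrintableString repertoire (ITU-T X.680): A-Z, a-z, 0-9, space and the
# punctuation  ' ( ) + , - . / : = ?   Anything else, such as '@', '&', '_' or
# accented letters, cannot be carried as PrintableString and needs UTF8String.
PRINTABLE_STRING_CHARS = frozenset(string.ascii_letters + string.digits + " '()+,-./:=?")

# Field sizes and ranges taken from the command syntax on this page.
MAX_NAME, MAX_URL, MAX_CA_ID, MAX_PASSWORD = 35, 255, 255, 128
MAX_DAYS = 4294967295


def needs_utf8(name: str) -> bool:
    """True if any character of `name` lies outside the PrintableString repertoire."""
    return any(ch not in PRINTABLE_STRING_CHARS for ch in name)


def choose_name_encoding(subject_dn: str) -> str:
    """name-encoding value that can represent this subject DN without loss."""
    return "utf8" if needs_utf8(subject_dn) else "printable"


def build_certificate_local(name, *, subject_dn, scep_url=None, ca_identifier=None,
                            scep_password=None, auto_regenerate_days=0,
                            auto_regenerate_days_warning=0, cert_range="global",
                            source_ip=None):
    """Return the CLI text for one `config certificate local` entry.

    Raises ValueError when a SCEP-dependent option is requested without scep-url,
    when a value exceeds its documented size, or when a day count is out of range.
    """
    if not name or len(name) > MAX_NAME:
        raise ValueError(f"name must be 1..{MAX_NAME} characters (size[{MAX_NAME}])")
    if cert_range not in ("global", "vdom"):
        raise ValueError("range must be 'global' or 'vdom'")
    for label, days in (("auto-regenerate-days", auto_regenerate_days),
                        ("auto-regenerate-days-warning", auto_regenerate_days_warning)):
        if not 0 <= days <= MAX_DAYS:
            raise ValueError(f"{label} outside range[0-{MAX_DAYS}]")

    # Everything in this dict is documented as available only once scep-url is set.
    scep_dependent = {
        "ca-identifier": ca_identifier,
        "scep-password": scep_password,
        "auto-regenerate-days": auto_regenerate_days or None,      # 0 = disabled
        "auto-regenerate-days-warning": auto_regenerate_days_warning or None,
    }
    requested = [k for k, v in scep_dependent.items() if v is not None]
    if scep_url is None and requested:
        raise ValueError(f"{', '.join(requested)} require scep-url to be set")

    lines = ["config certificate local", f'    edit "{name}"',
             f"        set range {cert_range}",
             "        set source user"]          # the default, written out for clarity

    if scep_url is not None:
        if len(scep_url) > MAX_URL:
            raise ValueError(f"scep-url exceeds size[{MAX_URL}]")
        if ca_identifier is not None and len(ca_identifier) > MAX_CA_ID:
            raise ValueError(f"ca-identifier exceeds size[{MAX_CA_ID}]")
        if scep_password is not None and len(scep_password) > MAX_PASSWORD:
            raise ValueError(f"scep-password exceeds size[{MAX_PASSWORD}]")
        lines.append("        set enroll-protocol scep")
        lines.append(f'        set scep-url "{scep_url}"')
        if ca_identifier is not None:
            lines.append(f'        set ca-identifier "{ca_identifier}"')
        if scep_password is not None:
            lines.append(f'        set scep-password "{scep_password}"')
        # Assumption: the DN chosen when the CSR was generated is the name that
        # auto-regeneration requests must carry, so it decides the encoding.
        lines.append(f"        set name-encoding {choose_name_encoding(subject_dn)}")
        if auto_regenerate_days:
            lines.append(f"        set auto-regenerate-days {auto_regenerate_days}")
        if auto_regenerate_days_warning:
            lines.append(f"        set auto-regenerate-days-warning {auto_regenerate_days_warning}")
        if source_ip is not None:
            lines.append(f"        set source-ip {source_ip}")

    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values; the host names, CA identifier and secret are made up.
    print(build_certificate_local(
        "vpn-client-cert",
        subject_dn="CN=fgt1.example.test, O=Example Corp, C=US",
        scep_url="https://scep.example.test/cgi-bin/pkiclient.exe",
        ca_identifier="ExampleIssuingCA",
        scep_password="challenge-secret",
        auto_regenerate_days=5,
        auto_regenerate_days_warning=14,
        source_ip="192.0.2.10",
    ))
```

Running the script prints a complete entry that can be pasted into the CLI; a subject such as "CN=fgt1, O=Müller & Söhne" switches name-encoding to utf8 because both the umlaut and the ampersand fall outside PrintableString, and passing auto_regenerate_days without scep_url raises rather than emitting an option the page says is unavailable.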
password <password>
Password (passphrase) used to encrypt the PEM-format private key. Set it together with private-key so that the FortiGate can decrypt the key.
private-key <key>
Private key in PEM format, encrypted with the password.
range {global | vdom}
Either global (the default) or vdom IP address range for the certificate.
scep-password <password>
This entry is only available when scep-url has been set.
Challenge password that the SCEP server requires before it accepts the FortiGate's enrollment and auto-regeneration requests.
scep-url <url>
URL for the Simple Certificate Enrollment Protocol (SCEP) server.
source {factory | user | bundle}
Select the certificate's source:
- factory: Default certificate that came with the FortiGate
- user: User certificate (set by default)
- bundle: Certificate from a bundle file
source-ip <ipv4-addr>
Source IP address for communications to the SCEP server.
state <state>
State of the CSR.