Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.0
Download PDF
Copy Link

certificate local

Note: The following command is only available when VDOMs are enabled.

Use this command to install local certificates for this VDOM.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.

Command Description

set source {factory | user | bundle}

The fortiguard option has been removed

config certificate local
    edit {name}
    # Local keys and certificates.
        set name {string}   Name. size[35]
        set password {password_string}   Password as a PEM file. size[128]
        set comments {string}   Comment. size[511]
        set private-key {string}   PEM format key, encrypted with a password.
        set certificate {string}   PEM format certificate.
        set csr {string}   Certificate Signing Request.
        set state {string}   Certificate Signing Request State.
        set scep-url {string}   SCEP server URL. size[255]
        set range {global | vdom}   Either a global or VDOM IP address range for the certificate.
                global  Global range.
                vdom    VDOM IP address range.
        set source {factory | user | bundle}   Certificate source type.
                factory  Factory installed certificate.
                user     User generated certificate.
                bundle   Bundle file certificate.
        set auto-regenerate-days {integer}   Number of days to wait before expiry of an updated local certificate is requested (0 = disabled). range[0-4294967295]
        set auto-regenerate-days-warning {integer}   Number of days to wait before an expiry warning message is generated (0 = disabled). range[0-4294967295]
        set scep-password {password_string}   SCEP server challenge password for auto-regeneration. size[128]
        set ca-identifier {string}   CA identifier of the CA server for signing via SCEP. size[255]
        set name-encoding {printable | utf8}   Name encoding method for auto-regeneration.
                printable  Printable encoding (default).
                utf8       UTF-8 encoding.
        set source-ip {ipv4 address}   Source IP address for communications to the SCEP server.
        set ike-localid {string}   Local ID the FortiGate uses for authentication as a VPN client. size[63]
        set ike-localid-type {asn1dn | fqdn}   IKE local ID type.
                asn1dn  ASN.1 distinguished name.
                fqdn    Fully qualified domain name.
        set last-updated {integer}   Time at which certificate was last updated. range[0-4294967295]
        set enroll-protocol {none | scep | cmpv2}   Certificate enrollment protocol.
                none   None (default).
                scep   Simple Certificate Enrollment Protocol.
                cmpv2  Certificate Management Protocol Version 2.
        set cmp-server {string}   'ADDRESS:PORT' for CMP server. size[63]
        set cmp-path {string}   Path location inside CMP server. size[255]
        set cmp-server-cert {string}   CMP server certificate. size[35] - datasource(s): certificate.ca.name
        set cmp-regeneration-method {keyupate | renewal}   CMP auto-regeneration method.
                keyupate  Key Update.
                renewal   Renewal.
    next
end

Additional information

The following section is for those options that require additional explanation.

auto-regenerate-days <days>

This entry is only available when scep-url has been set.

Enter how many days before expiry the FortiGate requests an updated local certificate. Set to 0 (by default) for no auto-update.

For example, if the certificate is expiring in a year and you want to use SCEP to request a new certificate five days before it expires, the value should be 5.

auto-regenerate-days-warning <days>

This entry is only available when scep-url has been set.

Enter how many days before expiry the FortiGate sends a warning about updating a local certificate. Set to 0 (by default) for no warning.

For example, if the certificate is expiring in a year and you want to get a warning five days before it expires, the value should be 5.

ca-identifer <name>

This entry is only available when scep-url has been set.

CA identifer of the CA server for signing via SCEP.

certificate <certificate>

This is only available for local entries that have certificates assigned to them already.

Certificate in PEM format.

csr <cert>

Certificate Signing Request (CSR) to be signed.

ike-localid <id>

This entry is only available when ike-localid-type is set to fqdn.

Local ID that the FortiGate will use for authentication purposes as a VPN client.

ike-localid-type <type>

IKE local ID type:

  • asn1dn: ASN.1 Distinguished Name ID (set by default)
  • fqdn: Fully Qualified Domain Name ID

last-updated <days>

This entry is only available when a certificate has been set.

Amount of time in days since the certificate was last updated.

name-encoding {printable | utf8}

This entry is only available when scep-url has been set.

Name encoding method for auto-regeneration:

  • printable: Printable encoding (also known as Quoted-Printable, or QP encoding) uses printable ASCII alphanumeric characters and the equals (=) sign (set by default).
  • utf8: UTF-8 encoding uses all possible characters.

password <password>

Password in Privacy Enhanced Mail (PEM) format.

private-key <key>

Private key in PEM format, encrypted with the password.

range {global | vdom}

Either global (by default) or vdom IP address range for the certificate.

scep-password <password>

This entry is only available when scep-url has been set.

Password for the SCEP server.

scep-url <url>

URL for the Simple Certificate Enrollment Protocol (SCEP) server.

source {factory | user | bundle}

Select the certificate's source:

  • factory: Default certificate that came with the FortiGate
  • user: User certificate (set by default)
  • bundle: Certificate from a bundle file

source-ip <ipv4-addr>

Source IP address for communications to the SCEP server.

state <state>

State of the CSR.

certificate local

Note: The following command is only available when VDOMs are enabled.

Use this command to install local certificates for this VDOM.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.

Command Description

set source {factory | user | bundle}

The fortiguard option has been removed

config certificate local
    edit {name}
    # Local keys and certificates.
        set name {string}   Name. size[35]
        set password {password_string}   Password as a PEM file. size[128]
        set comments {string}   Comment. size[511]
        set private-key {string}   PEM format key, encrypted with a password.
        set certificate {string}   PEM format certificate.
        set csr {string}   Certificate Signing Request.
        set state {string}   Certificate Signing Request State.
        set scep-url {string}   SCEP server URL. size[255]
        set range {global | vdom}   Either a global or VDOM IP address range for the certificate.
                global  Global range.
                vdom    VDOM IP address range.
        set source {factory | user | bundle}   Certificate source type.
                factory  Factory installed certificate.
                user     User generated certificate.
                bundle   Bundle file certificate.
        set auto-regenerate-days {integer}   Number of days to wait before expiry of an updated local certificate is requested (0 = disabled). range[0-4294967295]
        set auto-regenerate-days-warning {integer}   Number of days to wait before an expiry warning message is generated (0 = disabled). range[0-4294967295]
        set scep-password {password_string}   SCEP server challenge password for auto-regeneration. size[128]
        set ca-identifier {string}   CA identifier of the CA server for signing via SCEP. size[255]
        set name-encoding {printable | utf8}   Name encoding method for auto-regeneration.
                printable  Printable encoding (default).
                utf8       UTF-8 encoding.
        set source-ip {ipv4 address}   Source IP address for communications to the SCEP server.
        set ike-localid {string}   Local ID the FortiGate uses for authentication as a VPN client. size[63]
        set ike-localid-type {asn1dn | fqdn}   IKE local ID type.
                asn1dn  ASN.1 distinguished name.
                fqdn    Fully qualified domain name.
        set last-updated {integer}   Time at which certificate was last updated. range[0-4294967295]
        set enroll-protocol {none | scep | cmpv2}   Certificate enrollment protocol.
                none   None (default).
                scep   Simple Certificate Enrollment Protocol.
                cmpv2  Certificate Management Protocol Version 2.
        set cmp-server {string}   'ADDRESS:PORT' for CMP server. size[63]
        set cmp-path {string}   Path location inside CMP server. size[255]
        set cmp-server-cert {string}   CMP server certificate. size[35] - datasource(s): certificate.ca.name
        set cmp-regeneration-method {keyupate | renewal}   CMP auto-regeneration method.
                keyupate  Key Update.
                renewal   Renewal.
    next
end

Additional information

The following section is for those options that require additional explanation.

auto-regenerate-days <days>

This entry is only available when scep-url has been set.

Enter how many days before expiry the FortiGate requests an updated local certificate. Set to 0 (by default) for no auto-update.

For example, if the certificate is expiring in a year and you want to use SCEP to request a new certificate five days before it expires, the value should be 5.

auto-regenerate-days-warning <days>

This entry is only available when scep-url has been set.

Enter how many days before expiry the FortiGate sends a warning about updating a local certificate. Set to 0 (by default) for no warning.

For example, if the certificate is expiring in a year and you want to get a warning five days before it expires, the value should be 5.

ca-identifer <name>

This entry is only available when scep-url has been set.

CA identifer of the CA server for signing via SCEP.

certificate <certificate>

This is only available for local entries that have certificates assigned to them already.

Certificate in PEM format.

csr <cert>

Certificate Signing Request (CSR) to be signed.

ike-localid <id>

This entry is only available when ike-localid-type is set to fqdn.

Local ID that the FortiGate will use for authentication purposes as a VPN client.

ike-localid-type <type>

IKE local ID type:

  • asn1dn: ASN.1 Distinguished Name ID (set by default)
  • fqdn: Fully Qualified Domain Name ID

last-updated <days>

This entry is only available when a certificate has been set.

Amount of time in days since the certificate was last updated.

name-encoding {printable | utf8}

This entry is only available when scep-url has been set.

Name encoding method for auto-regeneration:

  • printable: Printable encoding (also known as Quoted-Printable, or QP encoding) uses printable ASCII alphanumeric characters and the equals (=) sign (set by default).
  • utf8: UTF-8 encoding uses all possible characters.

password <password>

Password in Privacy Enhanced Mail (PEM) format.

private-key <key>

Private key in PEM format, encrypted with the password.

range {global | vdom}

Either global (by default) or vdom IP address range for the certificate.

scep-password <password>

This entry is only available when scep-url has been set.

Password for the SCEP server.

scep-url <url>

URL for the Simple Certificate Enrollment Protocol (SCEP) server.

source {factory | user | bundle}

Select the certificate's source:

  • factory: Default certificate that came with the FortiGate
  • user: User certificate (set by default)
  • bundle: Certificate from a bundle file

source-ip <ipv4-addr>

Source IP address for communications to the SCEP server.

state <state>

State of the CSR.