Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.0
Download PDF
Copy Link

vpn certificate local generate

Use this command to generate a local certificate.

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.

When you generate a certificate request, you create a private and public key pair for the local FortiGate unit. The public key accompanies the certificate request. The private key remains confidential.

When you receive the signed certificate from the CA, use the vpn certificate local command to install it on the FortiGate unit.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

execute vpn certificate local generate cmp <cert-name>

Generate a certificate request over Certificate Management Protocol version 2 (CMPv2).

Syntax

To generate a certificate request over CMPv2
execute vpn certificate local generate cmp  Generate a certificate request over CMPv2.
        {string}   Local certificate name.
            {number}   Key size: 1024, 1536, 2048, 4096.
                {string}   Server ('ADDRESS:PORT' for CMP server).
                    {string}   Path (Path location inside CMP server)
                        {string}   SrvCert (CMDB name of CMP server's certificate)
                            {string}   AuthCert (CMDB name of client's current certificate)
                                {string}   User (Username for doing the IR with a pre-shared key)
                                    {string}   Password (Password for doing the IR with a pre-shared key)
                                        {string}   Subject (optional, e.g. "CN=User,O=Org,OU=Unit").
                                            {string}   Subject alternative name (optional, e.g. "DNS:dns1.com,IP:192.168.1.99").
                                                {ip}   Source-IP for communications to the CMP server (optional).

To generate the default CA certificate used by SSL Inspection
execute vpn certificate local generate default-ssl-ca  Generate the default CA certificate used by SSL Inspection.

To generate the default untrusted CA certificate used by SSL Inspection
execute vpn certificate local generate default-ssl-ca-untrusted  Generate the default untrusted CA certificate used by SSL Inspection.

To generate the default RSA, DSA, and ECDSA certificate used by SSL Inspection
execute vpn certificate local generate default-ssl-key-certs  Generate the default RSA, DSA and ECDSA key certs for ssl resign.

To generate the default server key used by SSL Inspection
execute vpn certificate local generate default-ssl-serv-key  Generate the default server key used by SSL Inspection.

To generate an elliptical curve certificate request
execute vpn certificate local generate ec  Generate an elliptic curve certificate request.
        {string}   Local certificate name.
            {string}   Elliptic curve name: secp256r1, secp384r1 and secp521r1.
                {string}   Subject (Host IP/Domain Name/E-Mail).
                    {string}   Country name (e.g. Canada) or country code (e.g. ca).
                        {string}   State.
                            {string}   City.
                                {string}   Org.
                                    {string}   Unit(s); ',' as delimiter.
                                        {string}   Email.
                                            {string}   Subject alternative name (optional).
                                                {string}   URL of the CA server for signing via SCEP (optional).
                                                    {string}   Challenge password for signing via SCEP (optional).
                                                        {ip}   Source-IP for communications to the CA server (optional).
                                                            {string}   CA identifier of the CA server for signing via SCEP (optional).
                                                                {string}   Password for private-key (optional).

To generate an RSA certificate request
execute vpn certificate local generate rsa  Generate a RSA certificate request.
        {string}   Local certificate name.
            {number}   Key size: 1024, 1536, 2048, 4096.
                {string}   Subject (Host IP/Domain Name/E-Mail).
                    {string}   Country name (e.g. Canada) or country code (e.g. ca).
                        {string}   State.
                            {string}   City.
                                {string}   Org.
                                    {string}   Unit(s); ',' as delimiter.
                                        {string}   Email.
                                            {string}   Subject alternative name (optional).
                                                {string}   URL of the CA server for signing via SCEP (optional).
                                                    {string}   Challenge password for signing via SCEP (optional).
                                                        {ip}   Source-IP for communications to the CA server (optional).
                                                            {string}   CA identifier of the CA server for signing via SCEP (optional).
                                                                {string}   Password for private-key (optional).

Certificate name

Enter a name for the certificate. The name can contain numbers (0-9), uppercase and lowercase letters (A‑Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

Elliptic curve name

Enter the elliptic curve name: secp256rl, secp384rl, or secp521rl.

Key Length

Enter 1024, 1536 or 2048 for the size in bits of the encryption key.

Subject

Enter the FortiGate unit host IP address, its fully qualified domain name, or an email address to identify the FortiGate unit being certified.

An IP address or domain name is preferred. If this is impossible (such as with a dialup client), use an e-mail address.

If you specify a host IP or domain name, use the IP address or domain name associated with the interface on which IKE negotiations will take place (usually the external interface of the local FortiGate unit). If the IP address in the certificate does not match the IP address of this interface (or if the domain name in the certificate does not match a DNS query of the FortiGate unit’s IP), then some implementations of IKE may reject the connection. Enforcement of this rule varies for different IPSec products.

Optional Information

Enter optional information as required to further identify the certificate. You must enter the optional variables in order that they are listed below. To enter any optional variable you must enter all of the variables that come before it in the list. While entering optional variables, you can type ? for help on the next required variable.

Optional information variables
Variable Description
Country code Enter the two-character country code. Enter execute vpn certificates local generate <name_str> country followed by a ? for a list of country codes. The country code is case sensitive. Enter null if you do not want to specify a country.
State name Enter the name of the state or province where the FortiGate unit is located.
City name Enter the name of the city, or town, where the person or organization certifying the FortiGate unit resides.
Organization name Enter the name of the organization that is requesting the certificate for the FortiGate unit.
Organization unit name Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit.
Email address Enter a contact e-mail address for the FortiGate unit.
CA server URL Enter the URL of the CA (SCEP) certificate server that allows auto-signing of the request.
Challenge password

Enter the challenge password for the SCEP certificate server.

Example

Use the following command to generate a local certificate request with the name branch_cert, the domain name www.example.com and a key size of 1536.

execute vpn certificate local generate branch_cert 1536 www.example.com

vpn certificate local generate

Use this command to generate a local certificate.

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.

When you generate a certificate request, you create a private and public key pair for the local FortiGate unit. The public key accompanies the certificate request. The private key remains confidential.

When you receive the signed certificate from the CA, use the vpn certificate local command to install it on the FortiGate unit.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

execute vpn certificate local generate cmp <cert-name>

Generate a certificate request over Certificate Management Protocol version 2 (CMPv2).

Syntax

To generate a certificate request over CMPv2
execute vpn certificate local generate cmp  Generate a certificate request over CMPv2.
        {string}   Local certificate name.
            {number}   Key size: 1024, 1536, 2048, 4096.
                {string}   Server ('ADDRESS:PORT' for CMP server).
                    {string}   Path (Path location inside CMP server)
                        {string}   SrvCert (CMDB name of CMP server's certificate)
                            {string}   AuthCert (CMDB name of client's current certificate)
                                {string}   User (Username for doing the IR with a pre-shared key)
                                    {string}   Password (Password for doing the IR with a pre-shared key)
                                        {string}   Subject (optional, e.g. "CN=User,O=Org,OU=Unit").
                                            {string}   Subject alternative name (optional, e.g. "DNS:dns1.com,IP:192.168.1.99").
                                                {ip}   Source-IP for communications to the CMP server (optional).

To generate the default CA certificate used by SSL Inspection
execute vpn certificate local generate default-ssl-ca  Generate the default CA certificate used by SSL Inspection.

To generate the default untrusted CA certificate used by SSL Inspection
execute vpn certificate local generate default-ssl-ca-untrusted  Generate the default untrusted CA certificate used by SSL Inspection.

To generate the default RSA, DSA, and ECDSA certificate used by SSL Inspection
execute vpn certificate local generate default-ssl-key-certs  Generate the default RSA, DSA and ECDSA key certs for ssl resign.

To generate the default server key used by SSL Inspection
execute vpn certificate local generate default-ssl-serv-key  Generate the default server key used by SSL Inspection.

To generate an elliptical curve certificate request
execute vpn certificate local generate ec  Generate an elliptic curve certificate request.
        {string}   Local certificate name.
            {string}   Elliptic curve name: secp256r1, secp384r1 and secp521r1.
                {string}   Subject (Host IP/Domain Name/E-Mail).
                    {string}   Country name (e.g. Canada) or country code (e.g. ca).
                        {string}   State.
                            {string}   City.
                                {string}   Org.
                                    {string}   Unit(s); ',' as delimiter.
                                        {string}   Email.
                                            {string}   Subject alternative name (optional).
                                                {string}   URL of the CA server for signing via SCEP (optional).
                                                    {string}   Challenge password for signing via SCEP (optional).
                                                        {ip}   Source-IP for communications to the CA server (optional).
                                                            {string}   CA identifier of the CA server for signing via SCEP (optional).
                                                                {string}   Password for private-key (optional).

To generate an RSA certificate request
execute vpn certificate local generate rsa  Generate a RSA certificate request.
        {string}   Local certificate name.
            {number}   Key size: 1024, 1536, 2048, 4096.
                {string}   Subject (Host IP/Domain Name/E-Mail).
                    {string}   Country name (e.g. Canada) or country code (e.g. ca).
                        {string}   State.
                            {string}   City.
                                {string}   Org.
                                    {string}   Unit(s); ',' as delimiter.
                                        {string}   Email.
                                            {string}   Subject alternative name (optional).
                                                {string}   URL of the CA server for signing via SCEP (optional).
                                                    {string}   Challenge password for signing via SCEP (optional).
                                                        {ip}   Source-IP for communications to the CA server (optional).
                                                            {string}   CA identifier of the CA server for signing via SCEP (optional).
                                                                {string}   Password for private-key (optional).

Certificate name

Enter a name for the certificate. The name can contain numbers (0-9), uppercase and lowercase letters (A‑Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

Elliptic curve name

Enter the elliptic curve name: secp256rl, secp384rl, or secp521rl.

Key Length

Enter 1024, 1536 or 2048 for the size in bits of the encryption key.

Subject

Enter the FortiGate unit host IP address, its fully qualified domain name, or an email address to identify the FortiGate unit being certified.

An IP address or domain name is preferred. If this is impossible (such as with a dialup client), use an e-mail address.

If you specify a host IP or domain name, use the IP address or domain name associated with the interface on which IKE negotiations will take place (usually the external interface of the local FortiGate unit). If the IP address in the certificate does not match the IP address of this interface (or if the domain name in the certificate does not match a DNS query of the FortiGate unit’s IP), then some implementations of IKE may reject the connection. Enforcement of this rule varies for different IPSec products.

Optional Information

Enter optional information as required to further identify the certificate. You must enter the optional variables in order that they are listed below. To enter any optional variable you must enter all of the variables that come before it in the list. While entering optional variables, you can type ? for help on the next required variable.

Optional information variables
Variable Description
Country code Enter the two-character country code. Enter execute vpn certificates local generate <name_str> country followed by a ? for a list of country codes. The country code is case sensitive. Enter null if you do not want to specify a country.
State name Enter the name of the state or province where the FortiGate unit is located.
City name Enter the name of the city, or town, where the person or organization certifying the FortiGate unit resides.
Organization name Enter the name of the organization that is requesting the certificate for the FortiGate unit.
Organization unit name Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit.
Email address Enter a contact e-mail address for the FortiGate unit.
CA server URL Enter the URL of the CA (SCEP) certificate server that allows auto-signing of the request.
Challenge password

Enter the challenge password for the SCEP certificate server.

Example

Use the following command to generate a local certificate request with the name branch_cert, the domain name www.example.com and a key size of 1536.

execute vpn certificate local generate branch_cert 1536 www.example.com