certificate crl
Note: The following command is only available when VDOMs are enabled.
Use this command to install a Certificate Revocation List (CRL) for this VDOM. When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the CRL.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.
Command | Description |
---|---|
set source {factory \| user \| bundle} | The |
```
config certificate crl
    edit {name}
    # Certificate Revocation List as a PEM file.
        set name {string}   Name. size[35]
        set crl {string}   Certificate Revocation List as a PEM file.
        set range {global | vdom}   Either global or VDOM IP address range for the certificate.
                global   Global range.
                vdom     VDOM IP address range.
        set source {factory | user | bundle}   Certificate source type.
                factory   Factory installed certificate.
                user      User generated certificate.
                bundle    Bundle file certificate.
        set update-vdom {string}   VDOM for CRL update. size[31] - datasource(s): system.vdom.name
        set ldap-server {string}   LDAP server name for CRL auto-update. size[35]
        set ldap-username {string}   LDAP server user name. size[63]
        set ldap-password {password_string}   LDAP server user password. size[128]
        set http-url {string}   HTTP server URL for CRL auto-update. size[255]
        set scep-url {string}   SCEP server URL for CRL auto-update. size[255]
        set scep-cert {string}   Local certificate for SCEP communication for CRL auto-update. size[35] - datasource(s): certificate.local.name
        set update-interval {integer}   Time in seconds before the FortiGate checks for an updated CRL. Set to 0 to update only when it expires. range[0-4294967295]
        set source-ip {ipv4 address}   Source IP address for communications to a HTTP or SCEP CA server.
        set last-updated {integer}   Time at which CRL was last updated. range[0-4294967295]
    next
end
```
Additional information
The following section is for those options that require additional explanation.
crl <pem-file>
The name of the CRL in Privacy Enhanced Mail (PEM) format.
http-url <url>
URL of an HTTP server used for automatic CRL certificate updates. The URL must begin with either http:// or https://.
last-updated <days>
Note: This entry is only available when a crl has been set.
Amount of time in days since the CRL was last updated.
ldap-password <password>
Note: This entry is only available when ldap-server has been set.
LDAP login password.
ldap-server <name>
Name of the LDAP server defined in config user ldap that is used for CRL auto-update.
ldap-username <name>
Note: This entry is only available when ldap-server has been set.
LDAP login name.
range {global | vdom}
Either global (by default) or vdom IP address range for the certificate.
scep-cert <cert>
Local certificate used for SCEP communication for CRL auto-update. If a certificate hasn't already been set, the default certificate used is Fortinet_CA_SSL.
scep-url <url>
URL of the SCEP server used for automatic CRL certificate updates. The URL must begin with either http:// or https://.
source {factory | user | bundle}
CA certificate source:
- factory: Default certificate that came with the FortiGate
- user: User certificate (set by default)
- bundle: Certificate from a bundle file
source-ip <ipv4-address>
Source IPv4 address used for communication with the HTTP or SCEP CA server, so that the server can verify the request is sent from an expected IP.
update-interval <interval>
Period of time in seconds before the FortiGate unit checks for an updated CRL. Enter 0 (by default) to update the CRL only when it expires.
update-vdom <vdom>
Name of the VDOM for CRL update. This is set to the root VDOM by default.
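As an added example (not from the Fortinet reference), a per-VDOM CRL entry that uses HTTP auto-update, showing the default update-interval of 0 beside a periodic poll; the VDOM name, CRL URL and source address are constructed placeholders.

```text
config vdom
    edit customer_a
        config certificate crl
            edit "example-ca-crl"
                set range vdom
                set source user
                # Placeholder CA distribution point; the URL must start with http:// or https://.
                set http-url "https://pki.example.invalid/crl/issuing.crl"
                # Placeholder source address, so the CA's HTTP server can restrict
                # which FortiGate address is allowed to pull the list.
                set source-ip 10.0.0.5
                # Weak (default): with update-interval 0 the CRL is refetched only
                # once the cached copy expires, so a certificate revoked between
                # two CRL issues stays accepted until the old CRL's next-update.
                # set update-interval 0
                # Poll hourly instead, so new revocations are picked up promptly.
                set update-interval 3600
                # Fetch through this VDOM's routing and interfaces.
                set update-vdom customer_a
            next
        end
    next
end
```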