vpn certificate ca
Use this command to install Certificate Authority (CA) root certificates. When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the CRL.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.
Command | Description |
---|---|
set source {factory | user | bundle} | The |
```
config vpn certificate ca
    edit {name}
    # CA certificate.
        set name {string}   Name. size[79]
        set ca {string}   CA certificate as a PEM file.
        set range {global | vdom}   Either global or VDOM IP address range for the CA certificate.
                global   Global range.
                vdom     VDOM IP address range.
        set source {factory | user | bundle}   CA certificate source type.
                factory   Factory installed certificate.
                user      User generated certificate.
                bundle    Bundle file certificate.
        set trusted {enable | disable}   Enable/disable as a trusted CA.
        set scep-url {string}   URL of the SCEP server. size[255]
        set auto-update-days {integer}   Number of days to wait before requesting an updated CA certificate (0 - 4294967295, 0 = disabled). range[0-4294967295]
        set auto-update-days-warning {integer}   Number of days before an expiry-warning message is generated (0 - 4294967295, 0 = disabled). range[0-4294967295]
        set source-ip {ipv4 address}   Source IP address for communications to the SCEP server.
        set last-updated {integer}   Time at which CA was last updated. range[0-4294967295]
    next
end
```
Additional information
The following section is for those options that require additional explanation.
auto-update-days <days>
Note: This entry is only available when scep-url has been set.
Enter how many days before expiry the FortiGate requests an updated CA certificate. Set to 0 (by default) for no auto-update.
For example, if the certificate is expiring in a year and you want to use SCEP to request a new certificate five days before it expires, the value should be 5.
auto-update-days-warning <days>
Note: This entry is only available when scep-url has been set.
Enter how many days before expiry the FortiGate sends a warning about updating a CA certificate. Set to 0 (by default) for no warning.
For example, if the certificate is expiring in a year and you want to get a warning five days before it expires, the value should be 5.
ca <cert>
Enter or retrieve the CA certificate as a Privacy Enhanced Mail (PEM) file.
last-updated <days>
Note: This entry is only available when a ca has been set.
Amount of time in days since the CA was last updated.
range {global | vdom}
Either global (by default) or vdom IP address range for the CA certificate.
scep-url <url>
URL of the Simple Certificate Enrollment Protocol (SCEP) server.
source {factory | user | bundle}
CA certificate source.
- factory: Default certificate that came with the FortiGate
- user: User certificate (set by default)
- bundle: Certificate from a bundle file
source-ip <ipv4-address>
IPv4 address used to verify that the request is sent from an expected IP.
trusted {enable | disable}
Enable (by default) or disable as a trusted CA.
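
The options above determine which CAs the FortiGate trusts and whether SCEP renewal is active. The following Python is an added example, not part of the original reference or Fortinet's own code: it reads config vpn certificate ca entries from saved configuration text, then lists trusted user-installed CAs and entries that set scep-url but leave auto-update-days or auto-update-days-warning at 0. It assumes the text uses the edit/set/next/end layout shown in the syntax above with quoted string values, and that an option missing from the text carries the default this page gives; the entry names and SCEP URL in the sample are constructed.

```python
# Defaults as stated on this page; an option absent from the config keeps them.
DEFAULTS = {"source": "user", "trusted": "enable", "range": "global",
            "auto-update-days": "0", "auto-update-days-warning": "0"}

# Constructed sample in FortiOS configuration syntax; names and URL are made up.
SAMPLE = """config vpn certificate ca
    edit "Corp_Root_CA"
        set ca "-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----"
        set scep-url "http://scep.example.internal/scep"
        set auto-update-days 5
        set auto-update-days-warning 5
    next
    edit "Lab_CA"
        set scep-url "http://scep.example.internal/lab"
        set trusted disable
    next
end
"""

def parse_ca_entries(text):
    """Return {name: {option: value}} for 'config vpn certificate ca' entries."""
    entries, current, in_section, in_pem = {}, None, False, False
    for line in (raw.strip() for raw in text.splitlines()):
        if in_pem:  # still inside a multi-line quoted PEM value
            in_pem = not line.endswith('"')
        elif line == "config vpn certificate ca":
            in_section = True
        elif in_section and line == "end":
            in_section = False
        elif in_section and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip().strip('"'), dict(DEFAULTS))
        elif in_section and current is not None and line.startswith("set "):
            key, _, value = line[4:].strip().partition(" ")
            in_pem = key == "ca" and value.count('"') == 1  # quote opened, not closed
            current[key] = "<pem>" if key == "ca" else value.strip().strip('"')
    return entries

def audit(entries):
    """Return (name, finding) pairs for settings that deserve a review."""
    findings = []
    for name, o in entries.items():
        if o["trusted"] == "enable" and o["source"] == "user":
            findings.append((name, "trusted CA with source user: confirm it is expected"))
        for opt in ("auto-update-days", "auto-update-days-warning"):
            if "scep-url" in o and o[opt] == "0":
                findings.append((name, f"scep-url set but {opt} is 0 (disabled)"))
    return findings
```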