vpn certificate ca

Use this command to install Certificate Authority (CA) certificates. Entries in this table are the trust anchors the FortiGate uses when it validates certificates presented by peers, so only install CA certificates whose fingerprint you have confirmed with the issuer through an independent channel. When a CA processes your Certificate Signing Request (CSR), it returns the signed local certificate together with the CA certificate, and usually a CRL or a CRL distribution point; the CA certificate is the part that is installed with this command.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.

Command                                  Description
set source {factory | user | bundle}     The fortiguard option has been removed.

config vpn certificate ca
    edit {name}
    # CA certificate.
        set name {string}   Name. size[79]
        set ca {string}   CA certificate as a PEM file.
        set range {global | vdom}   Either global or VDOM IP address range for the CA certificate.
                global  Global range.
                vdom    VDOM IP address range.
        set source {factory | user | bundle}   CA certificate source type.
                factory  Factory installed certificate.
                user     User generated certificate.
                bundle   Bundle file certificate.
        set trusted {enable | disable}   Enable/disable as a trusted CA.
        set scep-url {string}   URL of the SCEP server. size[255]
        set auto-update-days {integer}   Number of days before expiry at which an updated CA certificate is requested from the SCEP server (0 - 4294967295, 0 = disabled). range[0-4294967295]
        set auto-update-days-warning {integer}   Number of days before expiry at which an expiry-warning message is generated (0 - 4294967295, 0 = disabled). range[0-4294967295]
        set source-ip {ipv4 address}   Source IP address for communications to the SCEP server.
        set last-updated {integer}   Time at which CA was last updated. range[0-4294967295]
    next
end

Additional information

The following section is for those options that require additional explanation.

auto-update-days <days>

Note: This entry is only available when scep-url has been set.

Enter the number of days before expiry at which the FortiGate requests an updated CA certificate from the SCEP server. The default, 0, disables auto-update.

For example, if the certificate is expiring in a year and you want to use SCEP to request a new certificate five days before it expires, the value should be 5.

auto-update-days-warning <days>

Note: This entry is only available when scep-url has been set.

Enter the number of days before expiry at which the FortiGate generates a warning that the CA certificate needs updating. The default, 0, disables the warning.

For example, if the certificate is expiring in a year and you want to get a warning five days before it expires, the value should be 5.

ca <cert>

Enter or display the CA certificate as PEM-encoded text. The value is the PEM text of a single certificate, not a path to a file. Because the entry becomes a trust anchor once trusted is enabled, check the certificate's SHA-256 fingerprint against the value published by the issuer before installing it.

last-updated <time>

Note: This entry is only available when a ca has been set.

Time at which the CA certificate was last updated. The FortiGate records this value itself, for example after a SCEP auto-update; it is shown for reference and is not normally set by hand.

range {global | vdom}

Scope of the CA certificate: global (the default) makes it available to every VDOM; vdom limits it to the VDOM in which it is configured.

scep-url <url>

URL of the Simple Certificate Enrollment Protocol (SCEP) server.

source {factory | user | bundle}

CA certificate source.

  • factory: certificate installed by Fortinet at the factory
  • user: certificate installed by an administrator (the default)
  • bundle: certificate that came from a bundle file

source-ip <ipv4-address>

IPv4 source address the FortiGate uses for its SCEP requests. Set it when the SCEP server, or a firewall policy in front of it, only accepts enrolment traffic from a known address. It fixes the FortiGate's side of the connection only; it does not authenticate the SCEP server.

trusted {enable | disable}

Enable (the default) or disable use of this certificate as a trusted CA. With trusted disabled the certificate stays in the table but the FortiGate does not use it to validate peer certificates, which lets you stage a new root before cutting over to it.
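The following script is an added example and is not Fortinet's code or part of this reference. It covers the ca, scep-url, source-ip and auto-update-days entries above from the administrator's side: it checks that a PEM file is a single CA certificate with no private key attached, prints the SHA-256 fingerprint for out-of-band comparison with the issuer (the SCEP GetCACert exchange does not authenticate the CA certificate, so this comparison is what justifies trusting it), mirrors the "expires within N days" decision that drives auto-update-days and auto-update-days-warning, and emits the matching config vpn certificate ca block. It assumes openssl is on PATH; the CA name Lab_Root_CA, the SCEP URL, the source IP 10.0.0.1 and the 60/30 day values are hypothetical placeholders, the self-signed CA it generates is constructed test input, and the quoting of the multi-line PEM inside set ca follows the form seen in FortiOS configuration backups (an assumption to verify against show vpn certificate ca on your own unit).

```shell
#!/bin/sh
# Added example (not Fortinet's code): pre-flight a CA certificate on an admin
# workstation before it is pasted into `config vpn certificate ca`, then emit
# the matching FortiOS CLI block. Requires `openssl` on PATH. The CA name,
# SCEP URL, source IP and day counts used below are hypothetical placeholders.
set -e

# Build a throwaway self-signed CA so the script runs offline (constructed test
# input; in practice the PEM comes from your CA operator). A private config
# file is used so the result does not depend on the system openssl.cnf.
make_test_ca() {
    pem="$1"; days="${2:-365}"
    cat > "$pem.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Lab Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$pem.cnf" -keyout "$pem.key" -out "$pem" >/dev/null 2>&1
    chmod 600 "$pem.key"
}

# Accept only a single certificate that is actually a CA. `set ca` takes one
# PEM certificate, and a private key must never be pasted into this table.
# Prints "ok" on success, returns non-zero otherwise.
check_ca_pem() {
    pem="$1"
    if grep -q -- 'PRIVATE KEY-----' "$pem"; then
        echo "refused: file contains a private key" >&2; return 1
    fi
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    if [ "$n" -ne 1 ]; then
        echo "refused: expected exactly one certificate, found $n" >&2; return 1
    fi
    if ! openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "refused: basicConstraints CA:TRUE is not set" >&2; return 1
    fi
    echo ok
}

# SHA-256 fingerprint to compare with the CA operator out of band. SCEP's
# GetCACert response is not authenticated by the protocol, so this comparison
# is what makes the installed trust anchor trustworthy.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Mirror the auto-update-days / auto-update-days-warning decision: prints
# "yes" when the certificate expires within the given number of days, i.e.
# when the FortiGate would send the SCEP renewal request or log the warning.
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null; then
        echo no
    else
        echo yes
    fi
}

# Emit the CLI block. The quoting follows the form used in FortiOS
# configuration backups (assumption: compare with `show vpn certificate ca`
# on your own unit). scep-url is set before the auto-update options because
# those are only accepted once a SCEP URL exists.
emit_fortios_config() {
    pem="$1"; name="$2"; scep_url="$3"; src_ip="$4"; warn_days="$5"; renew_days="$6"
    printf 'config vpn certificate ca\n'
    printf '    edit "%s"\n' "$name"
    printf '        set ca "%s"\n' "$(cat "$pem")"
    printf '        set range global\n'
    printf '        set source user\n'
    printf '        set trusted enable\n'
    printf '        set scep-url "%s"\n' "$scep_url"
    printf '        set source-ip %s\n' "$src_ip"
    printf '        set auto-update-days-warning %s\n' "$warn_days"
    printf '        set auto-update-days %s\n' "$renew_days"
    printf '    next\nend\n'
}

# Stand-alone run: generate the test CA, check it, and print the CLI block.
demo_dir=$(mktemp -d)
make_test_ca "$demo_dir/ca.pem" 365
check_ca_pem "$demo_dir/ca.pem" >/dev/null
echo "# sha256 fingerprint: $(ca_fingerprint "$demo_dir/ca.pem")"
echo "# renewal due within 30 days: $(expires_within_days "$demo_dir/ca.pem" 30)"
emit_fortios_config "$demo_dir/ca.pem" Lab_Root_CA \
    "http://scep.lab.example/certsrv/mscep/mscep.dll" 10.0.0.1 60 30
rm -rf "$demo_dir"
```

Run it as sh ca-preflight.sh; the printed block can be pasted into the CLI once the fingerprint line has been compared with the issuer's published value. Setting the warning threshold (60 days) above the renewal threshold (30 days) means an operator hears about an approaching expiry before the unattended SCEP request fires, and still has time to react if that request fails. With a one-year certificate the script reports that renewal is not yet due; the same check with a threshold longer than the remaining lifetime reports that it is.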
