config vpn certificate setting
Description: VPN certificate setting.
set ocsp-status [enable|disable]
set ocsp-option [certificate|server]
set ocsp-default-server {string}
set check-ca-cert [enable|disable]
set check-ca-chain [enable|disable]
set subject-match [substring|value]
set cn-match [substring|value]
set strict-crl-check [enable|disable]
set strict-ocsp-check [enable|disable]
set ssl-min-proto-version [default|SSLv3|...]
set cmp-save-extra-certs [enable|disable]
set certname-rsa1024 {string}
set certname-rsa2048 {string}
set certname-dsa1024 {string}
set certname-dsa2048 {string}
set certname-ecdsa256 {string}
set certname-ecdsa384 {string}
end
Parameter Name | Description | Type | Size |
---|---|---|---|
ocsp-status | Enable/disable receiving certificates using the OCSP. enable: Enable setting. disable: Disable setting. |
option | - |
ocsp-option | Specify whether the OCSP URL is from certificate or configured OCSP server. certificate: Use URL from certificate. server: Use URL from configured OCSP server. |
option | - |
ocsp-default-server | Default OCSP server. | string | Maximum length: 35 |
check-ca-cert | Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted (default = enable). enable: Enable verification of the user certificate. disable: Disable verification of the user certificate. |
option | - |
check-ca-chain | Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted (default = disable). enable: Enable verification of the entire certificate chain. disable: Disable verification of the entire certificate chain. |
option | - |
subject-match | When searching for a matching certificate, control how to find matches in the certificate subject name. substring: Find a match if any string in the certificate subject name matches the name being searched for. value: Find a match if any attribute value string in a certificate subject name is an exact match with the name being searched for. |
option | - |
cn-match | When searching for a matching certificate, control how to find matches in the cn attribute of the certificate subject name. substring: Find a match if any string in a certificate subject name cn attribute name matches the name being searched for. value: Find a match if the cn attribute value string is an exact match with the name being searched for. |
option | - |
strict-crl-check | Enable/disable strict mode CRL checking. enable: Enable strict mode CRL checking. disable: Disable strict mode CRL checking. |
option | - |
strict-ocsp-check | Enable/disable strict mode OCSP checking. enable: Enable strict mode OCSP checking. disable: Disable strict mode OCSP checking. |
option | - |
ssl-min-proto-version | Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting). default: Follow system global setting. SSLv3: SSLv3. TLSv1: TLSv1. TLSv1-1: TLSv1.1. TLSv1-2: TLSv1.2. |
option | - |
cmp-save-extra-certs | Enable/disable saving extra certificates in CMP mode. enable: Enable saving extra certificates in CMP mode. disable: Disable saving extra certificates in CMP mode. |
option | - |
certname-rsa1024 | 1024 bit RSA key certificate for re-signing server certificates for SSL inspection. | string | Maximum length: 35 |
certname-rsa2048 | 2048 bit RSA key certificate for re-signing server certificates for SSL inspection. | string | Maximum length: 35 |
certname-dsa1024 | 1024 bit DSA key certificate for re-signing server certificates for SSL inspection. | string | Maximum length: 35 |
certname-dsa2048 | 2048 bit DSA key certificate for re-signing server certificates for SSL inspection. | string | Maximum length: 35 |
certname-ecdsa256 | 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. | string | Maximum length: 35 |
certname-ecdsa384 | 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. | string | Maximum length: 35 |
config vpn certificate setting
Description: VPN certificate setting.
set ocsp-status [enable|disable]
set ocsp-option [certificate|server]
set ocsp-default-server {string}
set check-ca-cert [enable|disable]
set check-ca-chain [enable|disable]
set subject-match [substring|value]
set cn-match [substring|value]
set strict-crl-check [enable|disable]
set strict-ocsp-check [enable|disable]
set ssl-min-proto-version [default|SSLv3|...]
set cmp-save-extra-certs [enable|disable]
set certname-rsa1024 {string}
set certname-rsa2048 {string}
set certname-dsa1024 {string}
set certname-dsa2048 {string}
set certname-ecdsa256 {string}
set certname-ecdsa384 {string}
end
Parameter Name | Description | Type | Size |
---|---|---|---|
ocsp-status | Enable/disable receiving certificates using the OCSP. enable: Enable setting. disable: Disable setting. |
option | - |
ocsp-option | Specify whether the OCSP URL is from certificate or configured OCSP server. certificate: Use URL from certificate. server: Use URL from configured OCSP server. |
option | - |
ocsp-default-server | Default OCSP server. | string | Maximum length: 35 |
check-ca-cert | Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted (default = enable). enable: Enable verification of the user certificate. disable: Disable verification of the user certificate. |
option | - |
check-ca-chain | Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted (default = disable). enable: Enable verification of the entire certificate chain. disable: Disable verification of the entire certificate chain. |
option | - |
subject-match | When searching for a matching certificate, control how to find matches in the certificate subject name. substring: Find a match if any string in the certificate subject name matches the name being searched for. value: Find a match if any attribute value string in a certificate subject name is an exact match with the name being searched for. |
option | - |
cn-match | When searching for a matching certificate, control how to find matches in the cn attribute of the certificate subject name. substring: Find a match if any string in a certificate subject name cn attribute name matches the name being searched for. value: Find a match if the cn attribute value string is an exact match with the name being searched for. |
option | - |
strict-crl-check | Enable/disable strict mode CRL checking. enable: Enable strict mode CRL checking. disable: Disable strict mode CRL checking. |
option | - |
strict-ocsp-check | Enable/disable strict mode OCSP checking. enable: Enable strict mode OCSP checking. disable: Disable strict mode OCSP checking. |
option | - |
ssl-min-proto-version | Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting). default: Follow system global setting. SSLv3: SSLv3. TLSv1: TLSv1. TLSv1-1: TLSv1.1. TLSv1-2: TLSv1.2. |
option | - |
cmp-save-extra-certs | Enable/disable saving extra certificates in CMP mode. enable: Enable saving extra certificates in CMP mode. disable: Disable saving extra certificates in CMP mode. |
option | - |
certname-rsa1024 | 1024 bit RSA key certificate for re-signing server certificates for SSL inspection. | string | Maximum length: 35 |
certname-rsa2048 | 2048 bit RSA key certificate for re-signing server certificates for SSL inspection. | string | Maximum length: 35 |
certname-dsa1024 | 1024 bit DSA key certificate for re-signing server certificates for SSL inspection. | string | Maximum length: 35 |
certname-dsa2048 | 2048 bit DSA key certificate for re-signing server certificates for SSL inspection. | string | Maximum length: 35 |
certname-ecdsa256 | 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. | string | Maximum length: 35 |
certname-ecdsa384 | 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. | string | Maximum length: 35 |