Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.2.1
Copy Link

VPN certificate setting.

  config vpn certificate setting
      Description: VPN certificate setting.
      set ocsp-status [enable|disable]
      set ocsp-option [certificate|server]
      set ocsp-default-server {string}
      set check-ca-cert [enable|disable]
      set check-ca-chain [enable|disable]
      set subject-match [substring|value]
      set cn-match [substring|value]
      set strict-crl-check [enable|disable]
      set strict-ocsp-check [enable|disable]
      set ssl-min-proto-version [default|SSLv3|...]
      set cmp-save-extra-certs [enable|disable]
      set certname-rsa1024 {string}
      set certname-rsa2048 {string}
      set certname-dsa1024 {string}
      set certname-dsa2048 {string}
      set certname-ecdsa256 {string}
      set certname-ecdsa384 {string}
  end

config vpn certificate setting

Parameter Name Description Type Size
ocsp-status Enable/disable receiving certificates using the OCSP.
enable: Enable setting.
disable: Disable setting.
option -
ocsp-option Specify whether the OCSP URL is from certificate or configured OCSP server.
certificate: Use URL from certificate.
server: Use URL from configured OCSP server.
option -
ocsp-default-server Default OCSP server. string Maximum length: 35
check-ca-cert Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted (default = enable).
enable: Enable verification of the user certificate.
disable: Disable verification of the user certificate.
option -
check-ca-chain Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted (default = disable).
enable: Enable verification of the entire certificate chain.
disable: Disable verification of the entire certificate chain.
option -
subject-match When searching for a matching certificate, control how to find matches in the certificate subject name.
substring: Find a match if any string in the certificate subject name matches the name being searched for.
value: Find a match if any attribute value string in a certificate subject name is an exact match with the name being searched for.
option -
cn-match When searching for a matching certificate, control how to find matches in the cn attribute of the certificate subject name.
substring: Find a match if any string in a certificate subject name cn attribute name matches the name being searched for.
value: Find a match if the cn attribute value string is an exact match with the name being searched for.
option -
strict-crl-check Enable/disable strict mode CRL checking.
enable: Enable strict mode CRL checking.
disable: Disable strict mode CRL checking.
option -
strict-ocsp-check Enable/disable strict mode OCSP checking.
enable: Enable strict mode OCSP checking.
disable: Disable strict mode OCSP checking.
option -
ssl-min-proto-version Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).
default: Follow system global setting.
SSLv3: SSLv3.
TLSv1: TLSv1.
TLSv1-1: TLSv1.1.
TLSv1-2: TLSv1.2.
option -
cmp-save-extra-certs Enable/disable saving extra certificates in CMP mode.
enable: Enable saving extra certificates in CMP mode.
disable: Disable saving extra certificates in CMP mode.
option -
certname-rsa1024 1024 bit RSA key certificate for re-signing server certificates for SSL inspection. string Maximum length: 35
certname-rsa2048 2048 bit RSA key certificate for re-signing server certificates for SSL inspection. string Maximum length: 35
certname-dsa1024 1024 bit DSA key certificate for re-signing server certificates for SSL inspection. string Maximum length: 35
certname-dsa2048 2048 bit DSA key certificate for re-signing server certificates for SSL inspection. string Maximum length: 35
certname-ecdsa256 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. string Maximum length: 35
certname-ecdsa384 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. string Maximum length: 35

VPN certificate setting.

  config vpn certificate setting
      Description: VPN certificate setting.
      set ocsp-status [enable|disable]
      set ocsp-option [certificate|server]
      set ocsp-default-server {string}
      set check-ca-cert [enable|disable]
      set check-ca-chain [enable|disable]
      set subject-match [substring|value]
      set cn-match [substring|value]
      set strict-crl-check [enable|disable]
      set strict-ocsp-check [enable|disable]
      set ssl-min-proto-version [default|SSLv3|...]
      set cmp-save-extra-certs [enable|disable]
      set certname-rsa1024 {string}
      set certname-rsa2048 {string}
      set certname-dsa1024 {string}
      set certname-dsa2048 {string}
      set certname-ecdsa256 {string}
      set certname-ecdsa384 {string}
  end

config vpn certificate setting

Parameter Name Description Type Size
ocsp-status Enable/disable receiving certificates using the OCSP.
enable: Enable setting.
disable: Disable setting.
option -
ocsp-option Specify whether the OCSP URL is from certificate or configured OCSP server.
certificate: Use URL from certificate.
server: Use URL from configured OCSP server.
option -
ocsp-default-server Default OCSP server. string Maximum length: 35
check-ca-cert Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted (default = enable).
enable: Enable verification of the user certificate.
disable: Disable verification of the user certificate.
option -
check-ca-chain Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted (default = disable).
enable: Enable verification of the entire certificate chain.
disable: Disable verification of the entire certificate chain.
option -
subject-match When searching for a matching certificate, control how to find matches in the certificate subject name.
substring: Find a match if any string in the certificate subject name matches the name being searched for.
value: Find a match if any attribute value string in a certificate subject name is an exact match with the name being searched for.
option -
cn-match When searching for a matching certificate, control how to find matches in the cn attribute of the certificate subject name.
substring: Find a match if any string in a certificate subject name cn attribute name matches the name being searched for.
value: Find a match if the cn attribute value string is an exact match with the name being searched for.
option -
strict-crl-check Enable/disable strict mode CRL checking.
enable: Enable strict mode CRL checking.
disable: Disable strict mode CRL checking.
option -
strict-ocsp-check Enable/disable strict mode OCSP checking.
enable: Enable strict mode OCSP checking.
disable: Disable strict mode OCSP checking.
option -
ssl-min-proto-version Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).
default: Follow system global setting.
SSLv3: SSLv3.
TLSv1: TLSv1.
TLSv1-1: TLSv1.1.
TLSv1-2: TLSv1.2.
option -
cmp-save-extra-certs Enable/disable saving extra certificates in CMP mode.
enable: Enable saving extra certificates in CMP mode.
disable: Disable saving extra certificates in CMP mode.
option -
certname-rsa1024 1024 bit RSA key certificate for re-signing server certificates for SSL inspection. string Maximum length: 35
certname-rsa2048 2048 bit RSA key certificate for re-signing server certificates for SSL inspection. string Maximum length: 35
certname-dsa1024 1024 bit DSA key certificate for re-signing server certificates for SSL inspection. string Maximum length: 35
certname-dsa2048 2048 bit DSA key certificate for re-signing server certificates for SSL inspection. string Maximum length: 35
certname-ecdsa256 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. string Maximum length: 35
certname-ecdsa384 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. string Maximum length: 35