Fortinet Document Library

CLI Reference

config vpn certificate setting

VPN certificate setting.

config vpn certificate setting
    Description: VPN certificate setting.
    set ocsp-status [enable|disable]
    set ocsp-option [certificate|server]
    set ssl-ocsp-source-ip {ipv4-address}
    set ocsp-default-server {string}
    set interface-select-method [auto|sdwan|...]
    set interface {string}
    set check-ca-cert [enable|disable]
    set check-ca-chain [enable|disable]
    set subject-match [substring|value]
    set cn-match [substring|value]
    set strict-crl-check [enable|disable]
    set strict-ocsp-check [enable|disable]
    set ssl-min-proto-version [default|SSLv3|...]
    set cmp-save-extra-certs [enable|disable]
    set cmp-key-usage-checking [enable|disable]
    set certname-rsa1024 {string}
    set certname-rsa2048 {string}
    set certname-rsa4096 {string}
    set certname-dsa1024 {string}
    set certname-dsa2048 {string}
    set certname-ecdsa256 {string}
    set certname-ecdsa384 {string}
    set certname-ecdsa521 {string}
    set certname-ed25519 {string}
    set certname-ed448 {string}
end

config vpn certificate setting

Parameters (the original table lists Parameter, Description, Type, Size and Default for each entry):

ocsp-status
    Description: Enable/disable checking certificate status using OCSP.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

ocsp-option
    Description: Specify whether the OCSP URL is taken from the certificate or from the configured OCSP server.
    Type: option
    Size: -
    Default: server
    Options:
        certificate: Use the URL from the certificate.
        server: Use the URL from the configured OCSP server.

ssl-ocsp-source-ip
    Description: Source IP address to use to communicate with the OCSP server.
    Type: ipv4-address
    Size: Not specified
    Default: 0.0.0.0

ocsp-default-server
    Description: Default OCSP server.
    Type: string
    Size: Maximum length: 35

interface-select-method
    Description: Specify how to select the outgoing interface used to reach the server.
    Type: option
    Size: -
    Default: auto
    Options:
        auto: Set outgoing interface automatically.
        sdwan: Set outgoing interface by SD-WAN or policy routing rules.
        specify: Set outgoing interface manually.

interface
    Description: Specify the outgoing interface used to reach the server.
    Type: string
    Size: Maximum length: 15

check-ca-cert
    Description: Enable/disable verification of the user certificate; authentication passes if any CA in the chain is trusted (default = enable).
    Type: option
    Size: -
    Default: enable
    Options:
        enable: Enable verification of the user certificate.
        disable: Disable verification of the user certificate.

check-ca-chain
    Description: Enable/disable verification of the entire certificate chain; authentication passes only if the chain is complete and all of the CAs in the chain are trusted (default = disable).
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable verification of the entire certificate chain.
        disable: Disable verification of the entire certificate chain.

subject-match
    Description: When searching for a matching certificate, control how matches are found in the certificate subject name.
    Type: option
    Size: -
    Default: substring
    Options:
        substring: Find a match if any string in the certificate subject name matches the name being searched for.
        value: Find a match if any attribute value string in the certificate subject name is an exact match with the name being searched for.

cn-match
    Description: When searching for a matching certificate, control how matches are found in the cn attribute of the certificate subject name.
    Type: option
    Size: -
    Default: substring
    Options:
        substring: Find a match if any string in the cn attribute of the certificate subject name matches the name being searched for.
        value: Find a match if the cn attribute value string is an exact match with the name being searched for.

strict-crl-check
    Description: Enable/disable strict mode CRL checking.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable strict mode CRL checking.
        disable: Disable strict mode CRL checking.

strict-ocsp-check
    Description: Enable/disable strict mode OCSP checking.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable strict mode OCSP checking.
        disable: Disable strict mode OCSP checking.

ssl-min-proto-version
    Description: Minimum supported protocol version for SSL/TLS connections (default is to follow the system global setting).
    Type: option
    Size: -
    Default: default
    Options:
        default: Follow the system global setting.
        SSLv3: SSLv3.
        TLSv1: TLSv1.
        TLSv1-1: TLSv1.1.
        TLSv1-2: TLSv1.2.

cmp-save-extra-certs
    Description: Enable/disable saving extra certificates in CMP mode (default = disable).
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable saving extra certificates in CMP mode.
        disable: Disable saving extra certificates in CMP mode.

cmp-key-usage-checking
    Description: Enable/disable server certificate key usage checking in CMP mode (default = enable).
    Type: option
    Size: -
    Default: enable
    Options:
        enable: Enable server certificate key usage checking in CMP mode.
        disable: Disable server certificate key usage checking in CMP mode.

certname-rsa1024
    Description: 1024 bit RSA key certificate for re-signing server certificates for SSL inspection.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_SSL_RSA1024

certname-rsa2048
    Description: 2048 bit RSA key certificate for re-signing server certificates for SSL inspection.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_SSL_RSA2048

certname-rsa4096
    Description: 4096 bit RSA key certificate for re-signing server certificates for SSL inspection.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_SSL_RSA4096

certname-dsa1024
    Description: 1024 bit DSA key certificate for re-signing server certificates for SSL inspection.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_SSL_DSA1024

certname-dsa2048
    Description: 2048 bit DSA key certificate for re-signing server certificates for SSL inspection.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_SSL_DSA2048

certname-ecdsa256
    Description: 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_SSL_ECDSA256

certname-ecdsa384
    Description: 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_SSL_ECDSA384

certname-ecdsa521
    Description: 521 bit ECDSA key certificate for re-signing server certificates for SSL inspection.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_SSL_ECDSA521

certname-ed25519
    Description: 253 bit EdDSA key certificate for re-signing server certificates for SSL inspection.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_SSL_ED25519

certname-ed448
    Description: 456 bit EdDSA key certificate for re-signing server certificates for SSL inspection.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_SSL_ED448
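The table above documents each setting in isolation; the example below puts the revocation, chain-validation, name-matching and protocol-version settings together as a defensive baseline. It is an added example and not part of the Fortinet reference page. It uses only the parameters and option values listed on this page; the OCSP server name "ocsp-responder-1", the interface name "port1" and the source address 192.0.2.10 are constructed placeholders (the OCSP server name is assumed to refer to an OCSP server object configured elsewhere, which this page does not cover). Lines beginning with "#" are annotations in the style of a FortiOS configuration backup and are not commands.

```fortios
config vpn certificate setting
    # Revocation: ask the responder you configured (ocsp-option server)
    # instead of whatever URL the presented certificate carries, and use
    # strict mode so that an unanswered OCSP or CRL check is not waved through.
    set ocsp-status enable
    set ocsp-option server
    set ocsp-default-server "ocsp-responder-1"
    set strict-ocsp-check enable
    set strict-crl-check enable
    # Chain validation: the page's default (check-ca-chain disable) passes
    # authentication when any CA in the chain is trusted; enabling it
    # requires a complete chain in which every CA is trusted.
    set check-ca-cert enable
    set check-ca-chain enable
    # Certificate selection: exact attribute-value matching rather than
    # substring matching, so "corp" cannot match "corp-test" by accident.
    set subject-match value
    set cn-match value
    # Refuse SSLv3, TLS 1.0 and TLS 1.1 on the unit's own SSL/TLS connections
    # instead of inheriting the system global minimum.
    set ssl-min-proto-version TLSv1-2
    # Pin the path used to reach the OCSP server: a named egress interface
    # and a fixed source address (192.0.2.10 is an RFC 5737 documentation
    # address used here as a placeholder).
    set interface-select-method specify
    set interface "port1"
    set ssl-ocsp-source-ip 192.0.2.10
end
```

After applying the block, `show vpn certificate setting` lists only the values that differ from the defaults, which makes it a quick way to confirm that check-ca-chain, strict-crl-check, strict-ocsp-check and ssl-min-proto-version are no longer at their "disable"/"default" values. The certname-* parameters are left at their Fortinet_SSL_* defaults here; they name the re-signing certificates used for SSL inspection and are independent of the revocation and chain checks above.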
