Fortinet Document Library

CLI Reference

config vpn certificate setting

Global settings for how the FortiGate validates certificates used for VPN and user authentication: OCSP and CRL revocation checking, CA chain checking, subject/CN matching when searching for a certificate, CMP enrollment options, and the certificates used to re-sign server certificates for SSL inspection.

config vpn certificate setting

Description: VPN certificate setting.

set ocsp-status [enable|disable]

set ocsp-option [certificate|server]

set ssl-ocsp-source-ip {ipv4-address}

set ocsp-default-server {string}

set interface-select-method [auto|sdwan|...]

set interface {string}

set check-ca-cert [enable|disable]

set check-ca-chain [enable|disable]

set subject-match [substring|value]

set subject-set [subset|superset]

set cn-match [substring|value]

set cn-allow-multi [disable|enable]

config crl-verification

Description: CRL verification options.

set expiry [ignore|revoke]

set leaf-crl-absence [ignore|revoke]

set chain-crl-absence [ignore|revoke]

end

set strict-ocsp-check [enable|disable]

set ssl-min-proto-version [default|SSLv3|...]

set cmp-save-extra-certs [enable|disable]

set cmp-key-usage-checking [enable|disable]

set certname-rsa1024 {string}

set certname-rsa2048 {string}

set certname-rsa4096 {string}

set certname-dsa1024 {string}

set certname-dsa2048 {string}

set certname-ecdsa256 {string}

set certname-ecdsa384 {string}

set certname-ecdsa521 {string}

set certname-ed25519 {string}

set certname-ed448 {string}

end

config vpn certificate setting

Each parameter below lists its description, type, size and default, and for option types the accepted values.

ocsp-status
  Enable/disable checking certificate revocation status with OCSP.
  Type: option. Size: -. Default: disable.
  Options:
    enable     Enable OCSP status checking.
    disable    Disable OCSP status checking.

ocsp-option
  Specify whether the OCSP responder URL is taken from the certificate or from the configured OCSP server.
  Type: option. Size: -. Default: server.
  Options:
    certificate    Use the URL embedded in the certificate (its Authority Information Access extension).
    server         Use the URL of the configured OCSP server.

ssl-ocsp-source-ip
  Source IP address to use when communicating with the OCSP server.
  Type: ipv4-address. Size: not specified. Default: 0.0.0.0.

ocsp-default-server
  Name of the configured OCSP server to use by default (used when ocsp-option is server).
  Type: string. Size: maximum length 35.

interface-select-method
  Specify how to select the outgoing interface used to reach the server.
  Type: option. Size: -. Default: auto.
  Options:
    auto       Select the outgoing interface automatically.
    sdwan      Select the outgoing interface by SD-WAN or policy routing rules.
    specify    Set the outgoing interface manually (see interface).

interface
  Outgoing interface used to reach the server when interface-select-method is specify.
  Type: string. Size: maximum length 15.

check-ca-cert
  Enable/disable verification of the user certificate. Authentication passes if any CA in the certificate chain is trusted.
  Type: option. Size: -. Default: enable.
  Options:
    enable     Enable verification of the user certificate.
    disable    Disable verification of the user certificate.

check-ca-chain
  Enable/disable verification of the entire certificate chain. Authentication passes only if the chain is complete and every CA in it is trusted. This is the stricter of the two CA checks: with the default (disable), a certificate is accepted as soon as any one CA in its chain is trusted (see check-ca-cert).
  Type: option. Size: -. Default: disable.
  Options:
    enable     Enable verification of the entire certificate chain.
    disable    Disable verification of the entire certificate chain.

subject-match
  When searching for a matching certificate, control how RDN value matching is done against the certificate subject name.
  Type: option. Size: -. Default: substring.
  Options:
    substring    Match if the name being searched for is part of, or the same as, a certificate subject RDN.
    value        Match only if the name being searched for is the same as a certificate subject RDN.

subject-set
  When searching for a matching certificate, control how RDN set matching is done against the certificate subject name.
  Type: option. Size: -. Default: subset.
  Options:
    subset      Match if the name being searched for is a subset of the certificate subject.
    superset    Match if the name being searched for is a superset of the certificate subject.

cn-match
  When searching for a matching certificate, control how CN value matching is done against the certificate subject name.
  Type: option. Size: -. Default: substring.
  Options:
    substring    Match if the name being searched for is part of, or the same as, the certificate CN.
    value        Match only if the name being searched for is the same as the certificate CN.

cn-allow-multi
  When searching for a matching certificate, allow multiple CN fields in the certificate subject name.
  Type: option. Size: -. Default: enable.
  Options:
    disable    Do not allow multiple CN entries in certificate matching.
    enable     Allow multiple CN entries in certificate matching.

strict-ocsp-check
  Enable/disable strict mode OCSP checking.
  Type: option. Size: -. Default: disable.
  Options:
    enable     Enable strict mode OCSP checking.
    disable    Disable strict mode OCSP checking.

ssl-min-proto-version
  Minimum protocol version accepted for the SSL/TLS connections made under this setting. SSLv3, TLSv1 and TLSv1.1 are deprecated; use TLSv1-2 unless a legacy server requires otherwise.
  Type: option. Size: -. Default: default.
  Options:
    default    Follow the system global setting.
    SSLv3      SSLv3.
    TLSv1      TLSv1.
    TLSv1-1    TLSv1.1.
    TLSv1-2    TLSv1.2.

cmp-save-extra-certs
  Enable/disable saving extra certificates in CMP (Certificate Management Protocol, RFC 4210) mode.
  Type: option. Size: -. Default: disable.
  Options:
    enable     Enable saving extra certificates in CMP mode.
    disable    Disable saving extra certificates in CMP mode.

cmp-key-usage-checking
  Enable/disable server certificate key usage checking in CMP mode.
  Type: option. Size: -. Default: enable.
  Options:
    enable     Enable server certificate key usage checking in CMP mode.
    disable    Disable server certificate key usage checking in CMP mode.

certname-rsa1024
  1024-bit RSA key certificate for re-signing server certificates for SSL inspection.
  Type: string. Size: maximum length 35. Default: Fortinet_SSL_RSA1024.

certname-rsa2048
  2048-bit RSA key certificate for re-signing server certificates for SSL inspection.
  Type: string. Size: maximum length 35. Default: Fortinet_SSL_RSA2048.

certname-rsa4096
  4096-bit RSA key certificate for re-signing server certificates for SSL inspection.
  Type: string. Size: maximum length 35. Default: Fortinet_SSL_RSA4096.

certname-dsa1024
  1024-bit DSA key certificate for re-signing server certificates for SSL inspection.
  Type: string. Size: maximum length 35. Default: Fortinet_SSL_DSA1024.

certname-dsa2048
  2048-bit DSA key certificate for re-signing server certificates for SSL inspection.
  Type: string. Size: maximum length 35. Default: Fortinet_SSL_DSA2048.

certname-ecdsa256
  256-bit ECDSA key certificate for re-signing server certificates for SSL inspection.
  Type: string. Size: maximum length 35. Default: Fortinet_SSL_ECDSA256.

certname-ecdsa384
  384-bit ECDSA key certificate for re-signing server certificates for SSL inspection.
  Type: string. Size: maximum length 35. Default: Fortinet_SSL_ECDSA384.

certname-ecdsa521
  521-bit ECDSA key certificate for re-signing server certificates for SSL inspection.
  Type: string. Size: maximum length 35. Default: Fortinet_SSL_ECDSA521.

certname-ed25519
  253-bit EdDSA (Ed25519) key certificate for re-signing server certificates for SSL inspection.
  Type: string. Size: maximum length 35. Default: Fortinet_SSL_ED25519.

certname-ed448
  456-bit EdDSA (Ed448) key certificate for re-signing server certificates for SSL inspection.
  Type: string. Size: maximum length 35. Default: Fortinet_SSL_ED448.

The certname-* entry whose key type and size match the original server certificate is the one used to re-sign it, so each name must refer to a certificate (with its private key) installed on the FortiGate.

config crl-verification

Each parameter below lists its description, type, size and default, and the accepted values.

expiry
  CRL verification behaviour when the CRL is expired.
  Type: option. Size: -. Default: ignore.
  Options:
    ignore    Certificate status is still verified against the CRL even though it is expired.
    revoke    The certificate is treated as revoked if the CRL is expired.

leaf-crl-absence
  CRL verification behaviour when the CRL for the leaf certificate is absent.
  Type: option. Size: -. Default: ignore.
  Options:
    ignore    CRL verification of the leaf certificate is skipped if its CRL is absent.
    revoke    The certificate is treated as revoked if the CRL for the leaf certificate is absent.

chain-crl-absence
  CRL verification behaviour when the CRL for any certificate in the chain is absent.
  Type: option. Size: -. Default: ignore.
  Options:
    ignore    CRL verification is skipped if the CRL for any certificate in the chain is absent.
    revoke    The certificate is treated as revoked if the CRL for any certificate in the chain is absent.

Note that with all three options at their default (ignore), a missing or expired CRL never blocks authentication: the settings fail open unless changed to revoke.
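As an added example (not taken from the Fortinet page), the shipped defaults for chain and revocation checking are shown next to a hardened configuration that validates the full chain, queries a pinned OCSP responder and fails closed when revocation status cannot be established. The OCSP server name "corp-ocsp", its URL and the signer certificate name are illustrative values, and `config vpn certificate ocsp-server` is assumed to be the table that ocsp-default-server refers to by name.

```fortios
# Defaults as shipped: no OCSP, any single trusted CA in the chain
# passes, and a missing or expired CRL is silently ignored (fail open).
config vpn certificate setting
    set ocsp-status disable
    set check-ca-cert enable
    set check-ca-chain disable
    set strict-ocsp-check disable
    config crl-verification
        set expiry ignore
        set leaf-crl-absence ignore
        set chain-crl-absence ignore
    end
end

# Hardened: the OCSP responder is defined once and referenced by name.
# "corp-ocsp", the URL and "CORP-OCSP-Signer" are illustrative (assumption).
config vpn certificate ocsp-server
    edit "corp-ocsp"
        set url "http://ocsp.example.com/"
        set cert "CORP-OCSP-Signer"
    next
end

config vpn certificate setting
    # Require a complete chain with every CA trusted, not just one.
    set check-ca-cert enable
    set check-ca-chain enable
    # Revocation via the configured responder rather than whatever URL
    # the presented certificate carries; strict mode for the check itself.
    set ocsp-status enable
    set ocsp-option server
    set ocsp-default-server "corp-ocsp"
    set strict-ocsp-check enable
    # Reach the responder through a known interface and source address.
    set interface-select-method specify
    set interface "port1"
    set ssl-ocsp-source-ip 192.0.2.10
    set ssl-min-proto-version TLSv1-2
    # Exact RDN/CN matching when searching for a certificate.
    set subject-match value
    set cn-match value
    # Fail closed on CRL problems instead of ignoring them.
    config crl-verification
        set expiry revoke
        set leaf-crl-absence revoke
        set chain-crl-absence revoke
    end
end
```

The revoke options and strict OCSP checking turn a responder outage or a stale CRL distribution point into an authentication failure, so confirm that the FortiGate can reach the OCSP responder and CRL locations through the chosen interface (port1 and 192.0.2.10 above are placeholders) before enforcing them on a production VPN.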
