Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    7.6.2
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.16
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.17
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    config vpn certificate setting

    config vpn certificate setting

    VPN certificate setting.

    config vpn certificate setting
    Description: VPN certificate setting.
    set cert-expire-warning {integer}
    set certname-dsa1024 {string}
    set certname-dsa2048 {string}
    set certname-ecdsa256 {string}
    set certname-ecdsa384 {string}
    set certname-ecdsa521 {string}
    set certname-ed25519 {string}
    set certname-ed448 {string}
    set certname-rsa1024 {string}
    set certname-rsa2048 {string}
    set certname-rsa4096 {string}
    set check-ca-cert [enable|disable]
    set check-ca-chain [enable|disable]
    set cmp-key-usage-checking [enable|disable]
    set cmp-save-extra-certs [enable|disable]
    set cn-allow-multi [disable|enable]
    set cn-match [substring|value]
    config crl-verification
        Description: CRL verification options.
        set chain-crl-absence [ignore|revoke]
        set expiry [ignore|revoke]
        set leaf-crl-absence [ignore|revoke]
    end
    set interface {string}
    set interface-select-method [auto|sdwan|...]
    set ocsp-default-server {string}
    set ocsp-option [certificate|server]
    set ocsp-status [enable|mandatory|...]
    set proxy {string}
    set proxy-password {password}
    set proxy-port {integer}
    set proxy-username {string}
    set source-ip {string}
    set ssl-min-proto-version [default|SSLv3|...]
    set strict-ocsp-check [enable|disable]
    set subject-match [substring|value]
    set subject-set [subset|superset]
    set vrf-select {integer}
end

    config vpn certificate setting

    Parameter

    Description

    Type

    Size

    Default

    cert-expire-warning

    Number of days before a certificate expires to send a warning. Set to 0 to disable sending of the warning (0 - 100, default = 14).

    integer

    Minimum value: 0 Maximum value: 100

    14

    certname-dsa1024

    1024 bit DSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_DSA1024

    certname-dsa2048

    2048 bit DSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_DSA2048

    certname-ecdsa256

    256 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_ECDSA256

    certname-ecdsa384

    384 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_ECDSA384

    certname-ecdsa521

    521 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_ECDSA521

    certname-ed25519

    253 bit EdDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_ED25519

    certname-ed448

    456 bit EdDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_ED448

    certname-rsa1024

    1024 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_RSA1024

    certname-rsa2048

    2048 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_RSA2048

    certname-rsa4096

    4096 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_RSA4096

    check-ca-cert

    Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted (default = enable).

    option

    -

    enable

    Option

    Description

    enable

    Enable verification of the user certificate.

    disable

    Disable verification of the user certificate.

    check-ca-chain

    Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted (default = disable).

    option

    -

    disable

    Option

    Description

    enable

    Enable verification of the entire certificate chain.

    disable

    Disable verification of the entire certificate chain.

    cmp-key-usage-checking

    Enable/disable server certificate key usage checking in CMP mode (default = enable).

    option

    -

    enable

    Option

    Description

    enable

    Enable server certificate key usage checking in CMP mode.

    disable

    Disable server certificate key usage checking in CMP mode.

    cmp-save-extra-certs

    Enable/disable saving extra certificates in CMP mode (default = disable).

    option

    -

    disable

    Option

    Description

    enable

    Enable saving extra certificates in CMP mode.

    disable

    Disable saving extra certificates in CMP mode.

    cn-allow-multi

    When searching for a matching certificate, allow multiple CN fields in certificate subject name (default = enable).

    option

    -

    enable

    Option

    Description

    disable

    Does not allow multiple CN entries in certificate matching.

    enable

    Allow multiple CN entries in certificate matching.

    cn-match

    When searching for a matching certificate, control how to do CN value matching with certificate subject name (default = substring).

    option

    -

    substring

    Option

    Description

    substring

    Find a match if the name being searched for is a part or the same as a certificate CN.

    value

    Find a match if the name being searched for is same as a certificate CN.

    interface

    Specify outgoing interface to reach server.

    string

    Maximum length: 15

    interface-select-method

    Specify how to select outgoing interface to reach server.

    option

    -

    auto

    Option

    Description

    auto

    Set outgoing interface automatically.

    sdwan

    Set outgoing interface by SD-WAN or policy routing rules.

    specify

    Set outgoing interface manually.

    ocsp-default-server

    Default OCSP server.

    string

    Maximum length: 35

    ocsp-option

    Specify whether the OCSP URL is from certificate or configured OCSP server.

    option

    -

    server

    Option

    Description

    certificate

    Use URL from certificate.

    server

    Use URL from configured OCSP server.

    ocsp-status

    Enable/disable receiving certificates using the OCSP.

    option

    -

    disable

    Option

    Description

    enable

    OCSP is performed if CRL is not checked.

    mandatory

    If cert is not revoked by CRL, OCSP is performed.

    disable

    OCSP is not performed.

    proxy

    Proxy server FQDN or IP for OCSP/CA queries during certificate verification.

    string

    Maximum length: 127

    proxy-password

    Proxy server password.

    password

    Not Specified

    proxy-port

    Proxy server port (1 - 65535, default = 8080).

    integer

    Minimum value: 1 Maximum value: 65535

    8080

    proxy-username

    Proxy server user name.

    string

    Maximum length: 63

    source-ip

    Source IP address for dynamic AIA and OCSP queries.

    string

    Maximum length: 63

    ssl-min-proto-version

    Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).

    option

    -

    default

    Option

    Description

    default

    Follow system global setting.

    SSLv3

    SSLv3.

    TLSv1

    TLSv1.

    TLSv1-1

    TLSv1.1.

    TLSv1-2

    TLSv1.2.

    TLSv1-3

    TLSv1.3.

    strict-ocsp-check

    Enable/disable strict mode OCSP checking.

    option

    -

    disable

    Option

    Description

    enable

    Enable strict mode OCSP checking.

    disable

    Disable strict mode OCSP checking.

    subject-match

    When searching for a matching certificate, control how to do RDN value matching with certificate subject name (default = substring).

    option

    -

    substring

    Option

    Description

    substring

    Find a match if the name being searched for is a part or the same as a certificate subject RDN.

    value

    Find a match if the name being searched for is same as a certificate subject RDN.

    subject-set

    When searching for a matching certificate, control how to do RDN set matching with certificate subject name (default = subset).

    option

    -

    subset

    Option

    Description

    subset

    Find a match if the name being searched for is a subset of a certificate subject.

    superset

    Find a match if the name being searched for is a superset of a certificate subject.

    vrf-select

    VRF ID used for connection to server.

    integer

    Minimum value: 0 Maximum value: 511

    0

    config crl-verification

    Parameter

    Description

    Type

    Size

    Default

    chain-crl-absence

    CRL verification option when CRL of any certificate in chain is absent (default = ignore).

    option

    -

    ignore

    Option

    Description

    ignore

    CRL verification is ignored if CRL of any certificate in chain is absent.

    revoke

    Certificate will be revoked if CRL of any certificate in chain is absent.

    expiry

    CRL verification option when CRL is expired (default = ignore).

    option

    -

    ignore

    Option

    Description

    ignore

    Certificate status will be verified even if CRL is expired.

    revoke

    Certificate will be revoked if CRL is expired.

    leaf-crl-absence

    CRL verification option when leaf CRL is absent (default = ignore).

    option

    -

    ignore

    Option

    Description

    ignore

    CRL verification against leaf certificate is ignored if CRL is absent.

    revoke

    Certificate will be revoked if CRL of leaf certificate is absent.
    Previous
    Next

    config vpn certificate setting

    config vpn certificate setting

    VPN certificate setting.

    config vpn certificate setting
    Description: VPN certificate setting.
    set cert-expire-warning {integer}
    set certname-dsa1024 {string}
    set certname-dsa2048 {string}
    set certname-ecdsa256 {string}
    set certname-ecdsa384 {string}
    set certname-ecdsa521 {string}
    set certname-ed25519 {string}
    set certname-ed448 {string}
    set certname-rsa1024 {string}
    set certname-rsa2048 {string}
    set certname-rsa4096 {string}
    set check-ca-cert [enable|disable]
    set check-ca-chain [enable|disable]
    set cmp-key-usage-checking [enable|disable]
    set cmp-save-extra-certs [enable|disable]
    set cn-allow-multi [disable|enable]
    set cn-match [substring|value]
    config crl-verification
        Description: CRL verification options.
        set chain-crl-absence [ignore|revoke]
        set expiry [ignore|revoke]
        set leaf-crl-absence [ignore|revoke]
    end
    set interface {string}
    set interface-select-method [auto|sdwan|...]
    set ocsp-default-server {string}
    set ocsp-option [certificate|server]
    set ocsp-status [enable|mandatory|...]
    set proxy {string}
    set proxy-password {password}
    set proxy-port {integer}
    set proxy-username {string}
    set source-ip {string}
    set ssl-min-proto-version [default|SSLv3|...]
    set strict-ocsp-check [enable|disable]
    set subject-match [substring|value]
    set subject-set [subset|superset]
    set vrf-select {integer}
end

    config vpn certificate setting

    Parameter

    Description

    Type

    Size

    Default

    cert-expire-warning

    Number of days before a certificate expires to send a warning. Set to 0 to disable sending of the warning (0 - 100, default = 14).

    integer

    Minimum value: 0 Maximum value: 100

    14

    certname-dsa1024

    1024 bit DSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_DSA1024

    certname-dsa2048

    2048 bit DSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_DSA2048

    certname-ecdsa256

    256 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_ECDSA256

    certname-ecdsa384

    384 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_ECDSA384

    certname-ecdsa521

    521 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_ECDSA521

    certname-ed25519

    253 bit EdDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_ED25519

    certname-ed448

    456 bit EdDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_ED448

    certname-rsa1024

    1024 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_RSA1024

    certname-rsa2048

    2048 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_RSA2048

    certname-rsa4096

    4096 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    Fortinet_SSL_RSA4096

    check-ca-cert

    Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted (default = enable).

    option

    -

    enable

    Option

    Description

    enable

    Enable verification of the user certificate.

    disable

    Disable verification of the user certificate.

    check-ca-chain

    Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted (default = disable).

    option

    -

    disable

    Option

    Description

    enable

    Enable verification of the entire certificate chain.

    disable

    Disable verification of the entire certificate chain.

    cmp-key-usage-checking

    Enable/disable server certificate key usage checking in CMP mode (default = enable).

    option

    -

    enable

    Option

    Description

    enable

    Enable server certificate key usage checking in CMP mode.

    disable

    Disable server certificate key usage checking in CMP mode.

    cmp-save-extra-certs

    Enable/disable saving extra certificates in CMP mode (default = disable).

    option

    -

    disable

    Option

    Description

    enable

    Enable saving extra certificates in CMP mode.

    disable

    Disable saving extra certificates in CMP mode.

    cn-allow-multi

    When searching for a matching certificate, allow multiple CN fields in certificate subject name (default = enable).

    option

    -

    enable

    Option

    Description

    disable

    Does not allow multiple CN entries in certificate matching.

    enable

    Allow multiple CN entries in certificate matching.

    cn-match

    When searching for a matching certificate, control how to do CN value matching with certificate subject name (default = substring).

    option

    -

    substring

    Option

    Description

    substring

    Find a match if the name being searched for is a part or the same as a certificate CN.

    value

    Find a match if the name being searched for is same as a certificate CN.

    interface

    Specify outgoing interface to reach server.

    string

    Maximum length: 15

    interface-select-method

    Specify how to select outgoing interface to reach server.

    option

    -

    auto

    Option

    Description

    auto

    Set outgoing interface automatically.

    sdwan

    Set outgoing interface by SD-WAN or policy routing rules.

    specify

    Set outgoing interface manually.

    ocsp-default-server

    Default OCSP server.

    string

    Maximum length: 35

    ocsp-option

    Specify whether the OCSP URL is from certificate or configured OCSP server.

    option

    -

    server

    Option

    Description

    certificate

    Use URL from certificate.

    server

    Use URL from configured OCSP server.

    ocsp-status

    Enable/disable receiving certificates using the OCSP.

    option

    -

    disable

    Option

    Description

    enable

    OCSP is performed if CRL is not checked.

    mandatory

    If cert is not revoked by CRL, OCSP is performed.

    disable

    OCSP is not performed.

    proxy

    Proxy server FQDN or IP for OCSP/CA queries during certificate verification.

    string

    Maximum length: 127

    proxy-password

    Proxy server password.

    password

    Not Specified

    proxy-port

    Proxy server port (1 - 65535, default = 8080).

    integer

    Minimum value: 1 Maximum value: 65535

    8080

    proxy-username

    Proxy server user name.

    string

    Maximum length: 63

    source-ip

    Source IP address for dynamic AIA and OCSP queries.

    string

    Maximum length: 63

    ssl-min-proto-version

    Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).

    option

    -

    default

    Option

    Description

    default

    Follow system global setting.

    SSLv3

    SSLv3.

    TLSv1

    TLSv1.

    TLSv1-1

    TLSv1.1.

    TLSv1-2

    TLSv1.2.

    TLSv1-3

    TLSv1.3.

    strict-ocsp-check

    Enable/disable strict mode OCSP checking.

    option

    -

    disable

    Option

    Description

    enable

    Enable strict mode OCSP checking.

    disable

    Disable strict mode OCSP checking.

    subject-match

    When searching for a matching certificate, control how to do RDN value matching with certificate subject name (default = substring).

    option

    -

    substring

    Option

    Description

    substring

    Find a match if the name being searched for is a part or the same as a certificate subject RDN.

    value

    Find a match if the name being searched for is same as a certificate subject RDN.

    subject-set

    When searching for a matching certificate, control how to do RDN set matching with certificate subject name (default = subset).

    option

    -

    subset

    Option

    Description

    subset

    Find a match if the name being searched for is a subset of a certificate subject.

    superset

    Find a match if the name being searched for is a superset of a certificate subject.

    vrf-select

    VRF ID used for connection to server.

    integer

    Minimum value: 0 Maximum value: 511

    0

    config crl-verification

    Parameter

    Description

    Type

    Size

    Default

    chain-crl-absence

    CRL verification option when CRL of any certificate in chain is absent (default = ignore).

    option

    -

    ignore

    Option

    Description

    ignore

    CRL verification is ignored if CRL of any certificate in chain is absent.

    revoke

    Certificate will be revoked if CRL of any certificate in chain is absent.

    expiry

    CRL verification option when CRL is expired (default = ignore).

    option

    -

    ignore

    Option

    Description

    ignore

    Certificate status will be verified even if CRL is expired.

    revoke

    Certificate will be revoked if CRL is expired.

    leaf-crl-absence

    CRL verification option when leaf CRL is absent (default = ignore).

    option

    -

    ignore

    Option

    Description

    ignore

    CRL verification against leaf certificate is ignored if CRL is absent.

    revoke

    Certificate will be revoked if CRL of leaf certificate is absent.
    Previous
    Next