CLI Reference

certificate

Use this command to upload and download certificates, and to generate certificate signing requests (CSR).

Syntax

execute certificate ca import tftp <file_name> <tftp_ip>

execute certificate ca export tftp <cert_name> <file_name> <tftp_ip>

execute certificate config verify

execute certificate crl import tftp <file_name> <tftp_ip>

execute certificate crl export tftp <cert_name> <file_name> <tftp_ip>

execute certificate local export tftp <cert_name> <file_name> <tftp_ip>

execute certificate local generate <cert_name> <key_size> <subject> <country> <state> <organization> <unit> <email>

execute certificate local import tftp <file_name> <tftp_ip>

execute certificate local info <cert_name>

execute certificate local regenerate

execute certificate remote import tftp <file_name> <tftp_ip>

execute certificate remote export tftp <cert_name> <file_name> <tftp_ip>

Variable

Description

Default

ca import tftp <file_name> <tftp_ip>

Imports the certificate authority (CA) certificate from a TFTP server.

Certificate authorities validate and sign other certificates in order to indicate to third parties that those other certificates may be trusted to be authentic.

ca export tftp <cert_name> <file_name> <tftp_ip>

Exports the CA certificate to a TFTP server.

config verify

Since FortiMail stores configuration information of CA certificates and local certificates in the configuration file and stores the certificates themselves in the file system, in some circumstances (such as a firmware upgrade or an abnormal system shutdown), the certificate configuration and the certificate may be out of sync.

Use this command to synchronize the certificate configuration in the configuration file with the certificate in the file system.

crl import tftp <file_name> <tftp_ip>

Imports the certificate revocation list (CRL).

To ensure that your FortiMail unit validates only certificates that have not been revoked, you should periodically upload a current certificate revocation list, which may be provided by certificate authorities (CA). Alternatively, you can use online certificate status protocol (OCSP) to query for certificate statuses.

crl export tftp <cert_name> <file_name> <tftp_ip>

Exports the CRL to a TFTP server.

local export tftp <cert_name> <file_name> <tftp_ip>

Exports a certificate signing request or a local certificate to a TFTP server.

Note that this command does not support exporting a certificate in PKCS#12 format. To do this, you must go to the web UI.

local generate <cert_name> <key_size> <subject> <country> <state> <organization> <unit> <email>

Enter the information required to generate a certificate signing request.

Certificate signing request files can then be submitted for verification and signing by a certificate authority (CA).

local import tftp <file_name> <tftp_ip>

Imports a local certificate from a TFTP server. Note that this command does not support importing a certificate that is in PKCS#12 format. To do this, you must go to the web UI.

FortiMail units require a local server certificate that they can present when clients request secure connections, including:

  • the web UI (HTTPS connections only)
  • webmail (HTTPS connections only)
  • secure email, such as SMTPS, IMAPS, and POP3S

local info <cert_name>

Shows the specified certificate information.

local regenerate

Regenerates the local self certificate.

remote import tftp <file_name> <tftp_ip>

Imports the certificate of the online certificate status protocol (OCSP) servers of your certificate authority (CA).

OCSP enables you to revoke or validate certificates by query, rather than by importing certificate revocation lists (CRL).

remote export tftp <cert_name> <file_name> <tftp_ip>

Exports the OCSP certificate to a TFTP server.
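An added example for the crl import entry above (not Fortinet code): TFTP carries no authentication or integrity protection, so this script checks on the admin workstation that a CRL is signed by the expected CA and has not passed its nextUpdate before the file is staged for import. It assumes OpenSSL and GNU date; check_crl, make_fixture and the throwaway CAs are hypothetical names and constructed sample input.

```shell
#!/bin/sh
# Added example (not Fortinet code); check_crl and make_fixture are hypothetical names.
# check_crl CA_PEM CRL_PEM [NOW_EPOCH]
#   0 = signed by CA and still current, 1 = signature/issuer check failed,
#   2 = nextUpdate missing or unparsable, 3 = nextUpdate already passed.
check_crl() {
    ca=$1; crl=$2; now=${3:-$(date +%s)}
    # openssl prints "verify OK" only when the CRL signature matches the CA key.
    openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK' || return 1
    # Output looks like "nextUpdate=Mar  8 12:00:00 2025 GMT" (or "NONE").
    next=$(openssl crl -in "$crl" -noout -nextupdate | cut -d= -f2)
    next_epoch=$(date -d "$next" +%s 2>/dev/null) || return 2   # assumes GNU date
    [ "$next_epoch" -gt "$now" ] || return 3
    return 0
}

# Constructed sample input: two throwaway CAs and a 7-day CRL issued by the first.
make_fixture() {
    d=$(mktemp -d) && : > "$d/index.txt" || return 1
    printf '[ca]\ndefault_ca=c\n[c]\ndatabase=%s/index.txt\ndefault_md=sha256\n' \
        "$d" > "$d/ca.cnf"
    for n in good other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example $n CA" \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    openssl ca -gencrl -config "$d/ca.cnf" -keyfile "$d/good.key" \
        -cert "$d/good.pem" -crldays 7 -out "$d/crl.pem" 2>/dev/null || return 1
    echo "$d"
}

# Demo: only a CRL that passes both checks should be copied to the TFTP root.
fx=$(make_fixture) && check_crl "$fx/good.pem" "$fx/crl.pem" \
    && echo "CRL verified and current"
[ -z "$fx" ] || rm -rf "$fx"
```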

Related topics

profile certificate-binding
