config vpn certificate setting
VPN certificate setting.
config vpn certificate setting Description: VPN certificate setting. set ocsp-status [enable|disable] set ocsp-option [certificate|server] set proxy {string} set proxy-port {integer} set proxy-username {string} set proxy-password {password} set ssl-ocsp-source-ip {ipv4-address} set ocsp-default-server {string} set interface-select-method [auto|sdwan|...] set interface {string} set check-ca-cert [enable|disable] set check-ca-chain [enable|disable] set subject-match [substring|value] set subject-set [subset|superset] set cn-match [substring|value] set cn-allow-multi [disable|enable] config crl-verification Description: CRL verification options. set expiry [ignore|revoke] set leaf-crl-absence [ignore|revoke] set chain-crl-absence [ignore|revoke] end set strict-ocsp-check [enable|disable] set ssl-min-proto-version [default|SSLv3|...] set cmp-save-extra-certs [enable|disable] set cmp-key-usage-checking [enable|disable] set certname-rsa1024 {string} set certname-rsa2048 {string} set certname-rsa4096 {string} set certname-dsa1024 {string} set certname-dsa2048 {string} set certname-ecdsa256 {string} set certname-ecdsa384 {string} set certname-ecdsa521 {string} set certname-ed25519 {string} set certname-ed448 {string} end
config vpn certificate setting
Parameter |
Description |
Type |
Size |
Default |
||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ocsp-status |
Enable/disable receiving certificates using the OCSP. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
ocsp-option |
Specify whether the OCSP URL is from certificate or configured OCSP server. |
option |
- |
server |
||||||||||||
|
|
|||||||||||||||
proxy |
Proxy server FQDN or IP for OCSP/CA queries during certificate verification. |
string |
Maximum length: 127 |
|
||||||||||||
proxy-port |
Proxy server port. |
integer |
Minimum value: 1 Maximum value: 65535 |
8080 |
||||||||||||
proxy-username |
Proxy server user name. |
string |
Maximum length: 63 |
|
||||||||||||
proxy-password |
Proxy server password. |
password |
Not Specified |
|
||||||||||||
ssl-ocsp-source-ip |
Source IP address to use to communicate with the OCSP server. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||||||
ocsp-default-server |
Default OCSP server. |
string |
Maximum length: 35 |
|
||||||||||||
interface-select-method |
Specify how to select outgoing interface to reach server. |
option |
- |
auto |
||||||||||||
|
|
|||||||||||||||
interface |
Specify outgoing interface to reach server. |
string |
Maximum length: 15 |
|
||||||||||||
check-ca-cert |
Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted. |
option |
- |
enable |
||||||||||||
|
|
|||||||||||||||
check-ca-chain |
Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
subject-match |
When searching for a matching certificate, control how to do RDN value matching with certificate subject name. |
option |
- |
substring |
||||||||||||
|
|
|||||||||||||||
subject-set |
When searching for a matching certificate, control how to do RDN set matching with certificate subject name. |
option |
- |
subset |
||||||||||||
|
|
|||||||||||||||
cn-match |
When searching for a matching certificate, control how to do CN value matching with certificate subject name. |
option |
- |
substring |
||||||||||||
|
|
|||||||||||||||
cn-allow-multi |
When searching for a matching certificate, allow multiple CN fields in certificate subject name. |
option |
- |
enable |
||||||||||||
|
|
|||||||||||||||
strict-ocsp-check |
Enable/disable strict mode OCSP checking. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
ssl-min-proto-version |
Minimum supported protocol version for SSL/TLS connections. |
option |
- |
default |
||||||||||||
|
|
|||||||||||||||
cmp-save-extra-certs |
Enable/disable saving extra certificates in CMP mode. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
cmp-key-usage-checking |
Enable/disable server certificate key usage checking in CMP mode. |
option |
- |
enable |
||||||||||||
|
|
|||||||||||||||
certname-rsa1024 |
1024 bit RSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_RSA1024 |
||||||||||||
certname-rsa2048 |
2048 bit RSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_RSA2048 |
||||||||||||
certname-rsa4096 |
4096 bit RSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_RSA4096 |
||||||||||||
certname-dsa1024 |
1024 bit DSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_DSA1024 |
||||||||||||
certname-dsa2048 |
2048 bit DSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_DSA2048 |
||||||||||||
certname-ecdsa256 |
256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ECDSA256 |
||||||||||||
certname-ecdsa384 |
384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ECDSA384 |
||||||||||||
certname-ecdsa521 |
521 bit ECDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ECDSA521 |
||||||||||||
certname-ed25519 |
253 bit EdDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ED25519 |
||||||||||||
certname-ed448 |
456 bit EdDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ED448 |
config crl-verification
Parameter |
Description |
Type |
Size |
Default |
||||||
---|---|---|---|---|---|---|---|---|---|---|
expiry |
CRL verification option when CRL is expired. |
option |
- |
ignore |
||||||
|
|
|||||||||
leaf-crl-absence |
CRL verification option when leaf CRL is absent. |
option |
- |
ignore |
||||||
|
|
|||||||||
chain-crl-absence |
CRL verification option when CRL of any certificate in chain is absent. |
option |
- |
ignore |
||||||
|
|