config vpn certificate local
Local keys and certificates.
config vpn certificate local
Description: Local keys and certificates.
edit <name>
set type [normal|hsm]
set nethsm-slot {string}
set password {password}
set comments {string}
set private-key {user}
set certificate {user}
set csr {user}
set state {user}
set scep-url {string}
set range [global|vdom]
set source [factory|user|...]
set auto-regenerate-days {integer}
set auto-regenerate-days-warning {integer}
set scep-password {password}
set ca-identifier {string}
set name-encoding [printable|utf8]
set source-ip {ipv4-address}
set ike-localid {string}
set ike-localid-type [asn1dn|fqdn]
set enroll-protocol [none|scep|...]
set private-key-retain [enable|disable]
set cmp-server {string}
set cmp-path {string}
set cmp-server-cert {string}
set cmp-regeneration-method [keyupate|renewal]
set acme-ca-url {string}
set acme-domain {string}
set acme-email {string}
set acme-rsa-key-size {integer}
set acme-renew-window {integer}
set est-server {string}
set est-ca-id {string}
set est-http-username {string}
set est-http-password {string}
set est-client-cert {string}
set est-server-cert {string}
set est-srp-username {string}
set est-srp-password {string}
next
end
config vpn certificate local
|
Parameter |
Description |
Type |
Size |
Default |
||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
name |
Name. |
string |
Maximum length: 35 |
|
||||||||||||
|
type |
Type. |
option |
- |
normal |
||||||||||||
|
|
|
|||||||||||||||
|
nethsm-slot |
Network HSM slot name. |
string |
Maximum length: 35 |
|
||||||||||||
|
password |
Password as a PEM file. |
password |
Not Specified |
|
||||||||||||
|
comments |
Comment. |
string |
Maximum length: 511 |
|
||||||||||||
|
private-key |
PEM format key encrypted with a password. |
user |
Not Specified |
|
||||||||||||
|
certificate |
PEM format certificate. |
user |
Not Specified |
|
||||||||||||
|
csr |
Certificate Signing Request. |
user |
Not Specified |
|
||||||||||||
|
state |
Certificate Signing Request State. |
user |
Not Specified |
|
||||||||||||
|
scep-url |
SCEP server URL. |
string |
Maximum length: 255 |
|
||||||||||||
|
range |
Either a global or VDOM IP address range for the certificate. |
option |
- |
vdom |
||||||||||||
|
|
|
|||||||||||||||
|
source |
Certificate source type. |
option |
- |
user |
||||||||||||
|
|
|
|||||||||||||||
|
auto-regenerate-days |
Number of days to wait before expiry of an updated local certificate is requested (0 = disabled). |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
||||||||||||
|
auto-regenerate-days-warning |
Number of days to wait before an expiry warning message is generated (0 = disabled). |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
||||||||||||
|
scep-password |
SCEP server challenge password for auto-regeneration. |
password |
Not Specified |
|
||||||||||||
|
ca-identifier |
CA identifier of the CA server for signing via SCEP. |
string |
Maximum length: 255 |
|
||||||||||||
|
name-encoding |
Name encoding method for auto-regeneration. |
option |
- |
printable |
||||||||||||
|
|
|
|||||||||||||||
|
source-ip |
Source IP address for communications to the SCEP server. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||||||
|
ike-localid |
Local ID the FortiProxy uses for authentication as a VPN client. |
string |
Maximum length: 63 |
|
||||||||||||
|
ike-localid-type |
IKE local ID type. |
option |
- |
asn1dn |
||||||||||||
|
|
|
|||||||||||||||
|
enroll-protocol |
Certificate enrollment protocol. |
option |
- |
none |
||||||||||||
|
|
|
|||||||||||||||
|
private-key-retain |
Enable/disable retention of private key during SCEP renewal. |
option |
- |
disable |
||||||||||||
|
|
|
|||||||||||||||
|
cmp-server |
Address and port for CMP server (format = address:port). |
string |
Maximum length: 63 |
|
||||||||||||
|
cmp-path |
Path location inside CMP server. |
string |
Maximum length: 255 |
|
||||||||||||
|
cmp-server-cert |
CMP server certificate. |
string |
Maximum length: 79 |
|
||||||||||||
|
cmp-regeneration-method |
CMP auto-regeneration method. |
option |
- |
keyupate |
||||||||||||
|
|
|
|||||||||||||||
|
acme-ca-url |
The URL for the ACME CA server. |
string |
Maximum length: 255 |
https://acme-v02.api.letsencrypt.org/directory |
||||||||||||
|
acme-domain |
A valid domain that resolves to this FortiProxy unit. |
string |
Maximum length: 255 |
|
||||||||||||
|
acme-email |
Contact email address that is required by some CAs like LetsEncrypt. |
string |
Maximum length: 255 |
|
||||||||||||
|
acme-rsa-key-size |
Length of the RSA private key of the generated cert (Minimum 2048 bits). |
integer |
Minimum value: 2048 Maximum value: 4096 |
2048 |
||||||||||||
|
acme-renew-window |
Beginning of the renewal window. |
integer |
Minimum value: 1 Maximum value: 60 |
30 |
||||||||||||
|
est-server |
Address and port for EST server (e.g. https://example.com:1234). |
string |
Maximum length: 255 |
|
||||||||||||
|
est-ca-id |
CA identifier of the CA server for signing via EST. |
string |
Maximum length: 255 |
|
||||||||||||
|
est-http-username |
HTTP Authentication username for signing via EST. |
string |
Maximum length: 63 |
|
||||||||||||
|
est-http-password |
HTTP Authentication password for signing via EST. |
string |
Maximum length: 63 |
|
||||||||||||
|
est-client-cert |
Certificate used to authenticate this FortiGate to EST server. |
string |
Maximum length: 79 |
|
||||||||||||
|
est-server-cert |
EST server's certificate must be verifiable by this certificate to be authenticated. |
string |
Maximum length: 79 |
|
||||||||||||
|
est-srp-username |
EST SRP authentication username. |
string |
Maximum length: 63 |
|
||||||||||||
|
est-srp-password |
EST SRP authentication password. |
string |
Maximum length: 63 |
|
||||||||||||