
CLI Reference

config vpn certificate setting

VPN certificate setting.

config vpn certificate setting
    Description: VPN certificate setting.
    set ocsp-status [enable|mandatory|...]
    set ocsp-option [certificate|server]
    set proxy {string}
    set proxy-port {integer}
    set proxy-username {string}
    set proxy-password {password}
    set source-ip {string}
    set ocsp-default-server {string}
    set interface-select-method [auto|specify]
    set interface {string}
    set check-ca-cert [enable|disable]
    set check-ca-chain [enable|disable]
    set subject-match [substring|value]
    set subject-set [subset|superset]
    set cn-match [substring|value]
    set cn-allow-multi [disable|enable]
    config crl-verification
        Description: CRL verification options.
        set expiry [ignore|revoke]
        set leaf-crl-absence [ignore|revoke]
        set chain-crl-absence [ignore|revoke]
    end
    set strict-ocsp-check [enable|disable]
    set ssl-min-proto-version [default|SSLv3|...]
    set cmp-save-extra-certs [enable|disable]
    set cmp-key-usage-checking [enable|disable]
    set cert-expire-warning {integer}
    set certname-rsa1024 {string}
    set certname-rsa2048 {string}
    set certname-rsa4096 {string}
    set certname-dsa1024 {string}
    set certname-dsa2048 {string}
    set certname-ecdsa256 {string}
    set certname-ecdsa384 {string}
    set certname-ecdsa521 {string}
    set certname-ed25519 {string}
    set certname-ed448 {string}
end

config vpn certificate setting

Each parameter is listed with its description, type, size and default; for option-typed parameters the accepted values follow.

ocsp-status
    Description: Enable/disable receiving certificates using the OCSP.
    Type: option    Size: -    Default: disable
    Options:
        enable      OCSP is performed if CRL is not checked.
        mandatory   If cert is not revoked by CRL, OCSP is performed.
        disable     OCSP is not performed.

ocsp-option
    Description: Specify whether the OCSP URL is from certificate or configured OCSP server.
    Type: option    Size: -    Default: server
    Options:
        certificate Use URL from certificate.
        server      Use URL from configured OCSP server.

proxy
    Description: Proxy server FQDN or IP for OCSP/CA queries during certificate verification.
    Type: string    Size: Maximum length: 127

proxy-port
    Description: Proxy server port.
    Type: integer    Size: Minimum value: 1, Maximum value: 65535    Default: 8080

proxy-username
    Description: Proxy server user name.
    Type: string    Size: Maximum length: 63

proxy-password
    Description: Proxy server password.
    Type: password    Size: Not Specified

source-ip
    Description: Source IP address for dynamic AIA and OCSP queries.
    Type: string    Size: Maximum length: 63

ocsp-default-server
    Description: Default OCSP server.
    Type: string    Size: Maximum length: 35

interface-select-method
    Description: Specify how to select outgoing interface to reach server.
    Type: option    Size: -    Default: auto
    Options:
        auto        Set outgoing interface automatically.
        specify     Set outgoing interface manually.

interface
    Description: Specify outgoing interface to reach server.
    Type: string    Size: Maximum length: 15

check-ca-cert
    Description: Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted.
    Type: option    Size: -    Default: enable
    Options:
        enable      Enable verification of the user certificate.
        disable     Disable verification of the user certificate.

check-ca-chain
    Description: Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted.
    Type: option    Size: -    Default: disable
    Options:
        enable      Enable verification of the entire certificate chain.
        disable     Disable verification of the entire certificate chain.

subject-match
    Description: When searching for a matching certificate, control how to do RDN value matching with certificate subject name.
    Type: option    Size: -    Default: substring
    Options:
        substring   Find a match if the name being searched for is a part of or the same as a certificate subject RDN.
        value       Find a match if the name being searched for is the same as a certificate subject RDN.

subject-set
    Description: When searching for a matching certificate, control how to do RDN set matching with certificate subject name.
    Type: option    Size: -    Default: subset
    Options:
        subset      Find a match if the name being searched for is a subset of a certificate subject.
        superset    Find a match if the name being searched for is a superset of a certificate subject.

cn-match
    Description: When searching for a matching certificate, control how to do CN value matching with certificate subject name.
    Type: option    Size: -    Default: substring
    Options:
        substring   Find a match if the name being searched for is a part of or the same as a certificate CN.
        value       Find a match if the name being searched for is the same as a certificate CN.

cn-allow-multi
    Description: When searching for a matching certificate, allow multiple CN fields in certificate subject name.
    Type: option    Size: -    Default: enable
    Options:
        disable     Do not allow multiple CN entries in certificate matching.
        enable      Allow multiple CN entries in certificate matching.

strict-ocsp-check
    Description: Enable/disable strict mode OCSP checking.
    Type: option    Size: -    Default: disable
    Options:
        enable      Enable strict mode OCSP checking.
        disable     Disable strict mode OCSP checking.

ssl-min-proto-version
    Description: Minimum supported protocol version for SSL/TLS connections.
    Type: option    Size: -    Default: default
    Options:
        default     Follow system global setting.
        SSLv3       SSLv3.
        TLSv1       TLSv1.
        TLSv1-1     TLSv1.1.
        TLSv1-2     TLSv1.2.
        TLSv1-3     TLSv1.3.

cmp-save-extra-certs
    Description: Enable/disable saving extra certificates in CMP mode.
    Type: option    Size: -    Default: disable
    Options:
        enable      Enable saving extra certificates in CMP mode.
        disable     Disable saving extra certificates in CMP mode.

cmp-key-usage-checking
    Description: Enable/disable server certificate key usage checking in CMP mode.
    Type: option    Size: -    Default: enable
    Options:
        enable      Enable server certificate key usage checking in CMP mode.
        disable     Disable server certificate key usage checking in CMP mode.

cert-expire-warning
    Description: Number of days before a certificate expires to send a warning. Set to 0 to disable sending of the warning.
    Type: integer    Size: Minimum value: 0, Maximum value: 100    Default: 14

certname-rsa1024
    Description: 1024 bit RSA key certificate for re-signing server certificates for SSL inspection.
    Type: string    Size: Maximum length: 35    Default: Fortinet_SSL_RSA1024

certname-rsa2048
    Description: 2048 bit RSA key certificate for re-signing server certificates for SSL inspection.
    Type: string    Size: Maximum length: 35    Default: Fortinet_SSL_RSA2048

certname-rsa4096
    Description: 4096 bit RSA key certificate for re-signing server certificates for SSL inspection.
    Type: string    Size: Maximum length: 35    Default: Fortinet_SSL_RSA4096

certname-dsa1024
    Description: 1024 bit DSA key certificate for re-signing server certificates for SSL inspection.
    Type: string    Size: Maximum length: 35    Default: Fortinet_SSL_DSA1024

certname-dsa2048
    Description: 2048 bit DSA key certificate for re-signing server certificates for SSL inspection.
    Type: string    Size: Maximum length: 35    Default: Fortinet_SSL_DSA2048

certname-ecdsa256
    Description: 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection.
    Type: string    Size: Maximum length: 35    Default: Fortinet_SSL_ECDSA256

certname-ecdsa384
    Description: 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection.
    Type: string    Size: Maximum length: 35    Default: Fortinet_SSL_ECDSA384

certname-ecdsa521
    Description: 521 bit ECDSA key certificate for re-signing server certificates for SSL inspection.
    Type: string    Size: Maximum length: 35    Default: Fortinet_SSL_ECDSA521

certname-ed25519
    Description: 253 bit EdDSA key certificate for re-signing server certificates for SSL inspection.
    Type: string    Size: Maximum length: 35    Default: Fortinet_SSL_ED25519

certname-ed448
    Description: 456 bit EdDSA key certificate for re-signing server certificates for SSL inspection.
    Type: string    Size: Maximum length: 35    Default: Fortinet_SSL_ED448

config crl-verification

expiry
    Description: CRL verification option when CRL is expired.
    Type: option    Size: -    Default: ignore
    Options:
        ignore      Certificate status will be verified even if CRL is expired.
        revoke      Certificate will be revoked if CRL is expired.

leaf-crl-absence
    Description: CRL verification option when leaf CRL is absent.
    Type: option    Size: -    Default: ignore
    Options:
        ignore      CRL verification against leaf certificate is ignored if CRL is absent.
        revoke      Certificate will be revoked if CRL of leaf certificate is absent.

chain-crl-absence
    Description: CRL verification option when CRL of any certificate in chain is absent.
    Type: option    Size: -    Default: ignore
    Options:
        ignore      CRL verification is ignored if CRL of any certificate in chain is absent.
        revoke      Certificate will be revoked if CRL of any certificate in chain is absent.

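As an added example (not part of the Fortinet reference), a small Python audit that parses a `config vpn certificate setting` block as the CLI prints it, fills in the documented defaults from the tables above for anything left unset, and flags the permissive revocation and TLS settings. The sample block, the `DEFAULTS`/`EXPECTED` tables and the hardening targets are constructed for this example and are assumptions, not Fortinet guidance.

```python
# Constructed sample `config vpn certificate setting` block (illustrative values only).
SAMPLE_CONFIG = """\
config vpn certificate setting
    set ocsp-status disable
    set check-ca-cert enable
    set ssl-min-proto-version TLSv1
    config crl-verification
        set expiry ignore
        set leaf-crl-absence ignore
    end
    set cert-expire-warning 14
end
"""
# Documented defaults (from the reference above); an unset parameter takes its default.
DEFAULTS = {"ocsp-status": "disable", "check-ca-chain": "disable",
            "strict-ocsp-check": "disable", "ssl-min-proto-version": "default",
            "crl-verification.expiry": "ignore",
            "crl-verification.leaf-crl-absence": "ignore",
            "crl-verification.chain-crl-absence": "ignore"}
# Assumed hardening policy for this example, not a Fortinet recommendation.
EXPECTED = {"check-ca-chain": "enable", "strict-ocsp-check": "enable",
            "crl-verification.expiry": "revoke",
            "crl-verification.leaf-crl-absence": "revoke",
            "crl-verification.chain-crl-absence": "revoke"}

def parse_setting_block(text):
    """Flatten a FortiOS config block into {'key' or 'subtable.key': value}."""
    values, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line.split(None, 1)[1])
        elif line == "end":
            stack.pop()
        elif line.startswith("set "):
            _, key, value = line.split(None, 2)
            prefix = ".".join(stack[1:])  # sub-tables below the top-level table
            values[f"{prefix}.{key}" if prefix else key] = value
    return values

def audit(values):
    """Return sorted (parameter, effective value, expected value) findings."""
    eff = {**DEFAULTS, **values}
    findings = [(k, eff[k], want) for k, want in EXPECTED.items() if eff[k] != want]
    if eff["ssl-min-proto-version"] in {"SSLv3", "TLSv1", "TLSv1-1"}:
        findings.append(("ssl-min-proto-version", eff["ssl-min-proto-version"], "TLSv1-2"))
    # OCSP off plus missing leaf CRLs ignored means no revocation check is ever made.
    if eff["ocsp-status"] == "disable" and eff["crl-verification.leaf-crl-absence"] == "ignore":
        findings.append(("ocsp-status", "disable", "enable or mandatory"))
    return sorted(findings)
```

`audit(parse_setting_block(SAMPLE_CONFIG))` returns seven findings for the sample, including `check-ca-chain` left at its default of `disable` and `ssl-min-proto-version` set to `TLSv1`; an empty list means every audited parameter meets the assumed policy.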