config certificate hsm-local
Local certificates whose keys are stored on HSM.
config certificate hsm-local
Description: Local certificates whose keys are stored on HSM.
edit <name>
set comments {string}
set slot {string}
set vendor [unknown|gch|...]
set hsm-keytype [rsa|ec]
set password {password}
set private-key {user}
set state {user}
set api-version [unknown|gch-default]
set certificate {user}
set csr {user}
set scep-url {string}
set range [global|vdom]
set source [factory|user|...]
set auto-regenerate-days {integer}
set auto-regenerate-days-warning {integer}
set scep-password {password}
set ca-identifier {string}
set name-encoding [printable|utf8]
set source-ip {ipv4-address}
set enroll-protocol [none|scep|...]
set private-key-retain [enable|disable]
set cmp-server {string}
set cmp-path {string}
set cmp-server-cert {string}
set cmp-regeneration-method [keyupate|renewal]
set est-server {string}
set est-ca-id {string}
set est-http-username {string}
set est-http-password {string}
set est-client-cert {string}
set est-server-cert {string}
set est-srp-username {string}
set est-srp-password {string}
set est-regeneration-method [create-new-key|use-existing-key]
set gch-url {string}
set gch-project {string}
set gch-location {string}
set gch-keyring {string}
set gch-cryptokey {string}
set gch-cryptokey-version {string}
set gch-cloud-service-name {string}
set gch-cryptokey-algorithm [rsa-sign-pkcs1-2048-sha256|rsa-sign-pkcs1-3072-sha256|...]
next
end
config certificate hsm-local
|
Parameter |
Description |
Type |
Size |
Default |
||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
name |
Name. |
string |
Maximum length: 35 |
|
||||||||||||||||||||||||
|
comments |
Comment. |
string |
Maximum length: 511 |
|
||||||||||||||||||||||||
|
slot |
HSM slot to use with this certificate. |
string |
Maximum length: 35 |
|
||||||||||||||||||||||||
|
vendor |
HSM vendor. |
option |
- |
unknown |
||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||
|
hsm-keytype |
HSM certificate key type. |
option |
- |
rsa |
||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||
|
password |
Password used to decrypt the PEM-format private key (see private-key). |
password |
Not Specified |
|
||||||||||||||||||||||||
|
private-key |
PEM format key encrypted with a password. |
user |
Not Specified |
|
||||||||||||||||||||||||
|
state |
Certificate Signing Request State. |
user |
Not Specified |
|
||||||||||||||||||||||||
|
api-version |
API version used for communicating with the HSM. |
option |
- |
unknown |
||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||
|
certificate |
PEM format certificate. |
user |
Not Specified |
|
||||||||||||||||||||||||
|
csr |
Certificate Signing Request. |
user |
Not Specified |
|
||||||||||||||||||||||||
|
scep-url |
SCEP server URL. |
string |
Maximum length: 255 |
|
||||||||||||||||||||||||
|
range |
Either a global or VDOM IP address range for the certificate. |
option |
- |
global |
||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||
|
source |
Certificate source type. |
option |
- |
user |
||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||
|
auto-regenerate-days |
Number of days before certificate expiry at which renewal of the local certificate is requested (0 = disabled). |
integer |
Minimum value: 0; Maximum value: 4294967295 |
0 |
||||||||||||||||||||||||
|
auto-regenerate-days-warning |
Number of days before certificate expiry at which an expiry warning message is generated (0 = disabled). |
integer |
Minimum value: 0; Maximum value: 4294967295 |
0 |
||||||||||||||||||||||||
|
scep-password |
SCEP server challenge password for auto-regeneration. |
password |
Not Specified |
|
||||||||||||||||||||||||
|
ca-identifier |
CA identifier of the CA server for signing via SCEP. |
string |
Maximum length: 255 |
|
||||||||||||||||||||||||
|
name-encoding |
Name encoding method for auto-regeneration. |
option |
- |
printable |
||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||
|
source-ip |
Source IP address for communications to the SCEP server. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||||||||||||||||||
|
enroll-protocol |
Certificate enrollment protocol. |
option |
- |
none |
||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||
|
private-key-retain |
Enable/disable retention of private key during SCEP renewal (default = disable). |
option |
- |
disable |
||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||
|
cmp-server |
Address and port for CMP server (format = address:port). |
string |
Maximum length: 63 |
|
||||||||||||||||||||||||
|
cmp-path |
Path location inside CMP server. |
string |
Maximum length: 255 |
|
||||||||||||||||||||||||
|
cmp-server-cert |
CMP server certificate. |
string |
Maximum length: 79 |
|
||||||||||||||||||||||||
|
cmp-regeneration-method |
CMP auto-regeneration method. |
option |
- |
keyupate |
||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||
|
est-server |
Address and port for EST server (e.g. https://example.com:1234). |
string |
Maximum length: 255 |
|
||||||||||||||||||||||||
|
est-ca-id |
CA identifier of the CA server for signing via EST. |
string |
Maximum length: 255 |
|
||||||||||||||||||||||||
|
est-http-username |
HTTP Authentication username for signing via EST. |
string |
Maximum length: 63 |
|
||||||||||||||||||||||||
|
est-http-password |
HTTP Authentication password for signing via EST. |
string |
Maximum length: 132 |
|
||||||||||||||||||||||||
|
est-client-cert |
Certificate used to authenticate this FortiGate to the EST server. |
string |
Maximum length: 79 |
|
||||||||||||||||||||||||
|
est-server-cert |
The EST server's certificate must be verifiable against this certificate for the server to be authenticated. |
string |
Maximum length: 79 |
|
||||||||||||||||||||||||
|
est-srp-username |
EST SRP authentication username. |
string |
Maximum length: 63 |
|
||||||||||||||||||||||||
|
est-srp-password |
EST SRP authentication password. |
string |
Maximum length: 132 |
|
||||||||||||||||||||||||
|
est-regeneration-method |
EST key-handling behavior during re-enrollment (create a new key or reuse the existing key). |
option |
- |
create-new-key |
||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||
|
gch-url |
Google Cloud HSM key URL (e.g. "https://cloudkms.googleapis.com/v1/projects/sampleproject/locations/samplelocation/keyRings/samplekeyring/cryptoKeys/sampleKeyName/cryptoKeyVersions/1"). |
string |
Maximum length: 1024 |
|
||||||||||||||||||||||||
|
gch-project |
Google Cloud HSM project ID. |
string |
Maximum length: 31 |
|
||||||||||||||||||||||||
|
gch-location |
Google Cloud HSM location. |
string |
Maximum length: 63 |
|
||||||||||||||||||||||||
|
gch-keyring |
Google Cloud HSM keyring. |
string |
Maximum length: 63 |
|
||||||||||||||||||||||||
|
gch-cryptokey |
Google Cloud HSM cryptokey. |
string |
Maximum length: 63 |
|
||||||||||||||||||||||||
|
gch-cryptokey-version |
Google Cloud HSM cryptokey version. |
string |
Maximum length: 31 |
|
||||||||||||||||||||||||
|
gch-cloud-service-name |
Name of the cloud service configuration used to generate the access token. |
string |
Maximum length: 35 |
|
||||||||||||||||||||||||
|
gch-cryptokey-algorithm |
Google Cloud HSM cryptokey algorithm. |
option |
- |
rsa-sign-pkcs1-2048-sha256 |
||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||