system certificate ca-group

Use this command to group certificate authorities (CA).

CAs must belong to a group in order to be selected in a certificate verification rule.

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config system certificate ca-group
  edit "<ca-group_name>"
    config members
      edit <ca_index>
        set type {CA | TSL}
        set publish-dn {enable | disable}
        set tsl "<tsl_name>"
        set name "<ca_name>"
      next
    end
  next
end

Variable: "<ca-group_name>"
Description: Enter the name of a certificate authority (CA) group. The maximum length is 63 characters.
Default: No default.

Variable: <ca_index>
Description: Enter the index number of a CA within its group. The valid range is 1–999,999,999,999,999,999.
Default: No default.

Variable: name "<ca_name>"
Description: Enter the name of a previously uploaded CA certificate.
Default: No default.

Variable: type {CA | TSL}
Description: Select to upload CA certificate or TSL.
Default: CA

Variable: tsl "<tsl_name>"
Description: Enter the name of a TSL.
Default: No default.

Variable: publish-dn {enable | disable}
Description: Enable to list only certificates related to the specified CA Group. This is beneficial when a client installs many certificates in its browser or when apps don't list client certificates. If you enable this option, also enable the option in a certificate verification rule. For details, see system certificate verify.
Default: enable

Example

This example groups two CA certificates into a CA group named caVendors1.

config system certificate ca-group
  edit "caVendors1"
    config members
      edit 1
        set name "CA_Cert_1"
      next
      edit 2
        set name "CA_Cert_2"
      next
    end
  next
end
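
The following Python linter is an added example, not part of the Fortinet documentation. It checks a ca-group block against the limits in the variable descriptions above before the block is pasted into the CLI, and flags a misquoted set line. The rule that a CA member needs name and a TSL member needs tsl is an assumption drawn from the syntax; lint_ca_group, ALLOWED and SAMPLE are illustrative names.

```python
import re

MAX_NAME_LEN, MAX_INDEX = 63, 999_999_999_999_999_999   # limits from the descriptions above
ALLOWED = {"type": {"CA", "TSL"}, "publish-dn": {"enable", "disable"},
           "name": None, "tsl": None}                    # None = free-form value
VALUE = r'(?:"([^"]*)"|(\S+))'                           # quoted or bare token
EDIT_RE = re.compile(rf"^edit\s+{VALUE}$")
SET_RE = re.compile(rf"^set\s+([\w-]+)\s+{VALUE}$")

def lint_ca_group(text):
    """Return a list of findings for one ca-group config block."""
    findings, group, member, in_members = [], None, None, False
    for n, line in enumerate((l.strip() for l in text.splitlines()), 1):
        if not line or line == "config system certificate ca-group":
            continue
        if line in ("config members", "end"):
            in_members = line == "config members"
        elif line == "next":
            if member:  # closing a member: assume CA needs 'name', TSL needs 'tsl'
                need = "tsl" if member.get("type", "CA") == "TSL" else "name"
                if need not in member:
                    findings.append(f"{group}/{member['id']}: member lacks '{need}'")
            member = None
        elif m := EDIT_RE.match(line):
            value = m.group(1) if m.group(1) is not None else m.group(2)
            if in_members:
                member = {"id": value}
                if not (re.fullmatch("[0-9]+", value) and 1 <= int(value) <= MAX_INDEX):
                    findings.append(f"line {n}: index {value} outside 1..{MAX_INDEX}")
            else:
                group = value
                if len(value) > MAX_NAME_LEN:
                    findings.append(f"line {n}: group name over {MAX_NAME_LEN} characters")
        elif member is not None and (m := SET_RE.match(line)):
            key, val = m.group(1), m.group(2) if m.group(2) is not None else m.group(3)
            if key not in ALLOWED or (ALLOWED[key] and val not in ALLOWED[key]):
                findings.append(f"line {n}: unsupported setting: {line}")
            else:
                member[key] = val
        else:
            findings.append(f"line {n}: malformed or misplaced line: {line}")
    return findings

# Constructed sample: member 2 carries a misquoted 'set' line.
SAMPLE = "\n".join(['config system certificate ca-group', 'edit "caVendors1"',
    'config members', 'edit 1', 'set name "CA_Cert_1"', 'next',
    'edit 2', 'set "name CA_Cert_2"', 'next', 'end', 'next', 'end'])
if __name__ == "__main__":
    print("\n".join(lint_ca_group(SAMPLE)))
```
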
