Fortinet black logo

CLI Reference

system certificate local

system certificate local

Use this command to edit the comment associated with a server certificate that is stored locally on the FortiWeb appliance.

You can also configure settings for a certificate that works with an HSM (hardware security module). For details about HSM integration, see system hsm info and the FortiWeb Administration Guide:

HTTP://docs.fortinet.com/fortiweb/admin-guides

FortiWeb appliances require these certificates to present when clients request secure connections, including when:

  • Administrators connect to the web UI (HTTPS connections only)
  • Web clients use SSL or TLS to connect to a virtual server, if you have enabled SSL off-loading in the policy (HTTPS connections and Reverse Proxy mode)
  • Web clients use SSL or TLS to connect to a physical server (HTTPS connections and true transparent mode)

FortiWeb appliances also require certificates in order to decrypt and scan HTTPS connections travelling through it if operating in Offline Protection or Transparent Inspection modes.

Which certificate will be used, and how, depends on the purpose.

  • For connections to the web UI, the FortiWeb appliance presents its default certificate. The FortiWeb appliance’s default certificate does not appear in the list of local certificates. It's used only for connections to the web UI and cannot be removed.
  • For SSL off-loading or SSL decryption, upload certificates that do not belong to the FortiWeb appliance, but instead belong to the protected hosts. Then, select which one the FortiWeb appliance will use when configuring the SSL option in a policy or server farm.

For information on how to upload a certificate file, see the FortiWeb Administration Guide:

HTTP://docs.fortinet.com/fortiweb/admin-guides

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config system certificate local

edit "<certificate_name>"

set comment "<comment_str>"

set status {na | ok | pending}

set type {certificate | csr}

set flag {0 | 1}

set is-hsm {no | yes}

set partition-number "<partition_name>"

set certificate "<certificate_str>"

set private-key "<private_key_str>"

set passwd "<password>"

next

end

Variable Description Default

"<certificate_name>"

Enter the name of a certificate file. The maximum length is 63 characters. No default.

comment "<comment_str>"

Enter a description or other comment. If the comment contains more than one word or contains an apostrophe, surround the comment in double quotes ( " ). The maximum length is 127 characters. No default.

status {na | ok | pending}

Indicate the status of an imported certificate:

  • na—Indicates that the certificate was successfully imported, and is currently selected for use by the FortiWeb appliance.
  • ok—Indicates that the certificate was successfully imported but is not selected as the certificate currently in use. To use the certificate, select it in a policy or server farm.
  • pending—Indicates that the certificate request was generated, but must be downloaded, signed, and imported before it can be used as a local certificate.
No default.

type {certificate | csr}

Indicate whether the file is a certificate or a certificate signing request (CSR). No default.

flag {0 | 1}

Indicate if a password was saved. This is used by FortiWeb for backwards compatibility. No default.

is-hsm {no | yes}

Specify whether you configured the CSR for this certificate to work with an integrated HSM. no

partition-number "<partition_name>"

Enter the name of the HSM partition you selected when you created the CSR for this certificate. No default.

certificate "<certificate_str>"

Set the certificate. Only certificates in PEM format may be set. No default.

private-key "<private_key_str>"

Set the private key for the certificate. Only private keys in PEM format may be set. No default.

passwd "<password>"

Enter the password for the certificate. No default.

Example

This example adds a comment to the certificate named certificate1.

config system certificate local

edit "certificate1"

set comment "This is a certificate for the host www.example.com."

next

end

This example adds a certificate named certificate2

config system certificate local

edit "certificate2"

set private-key "-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,82EAF556E3621A07

ZYqcytKrfYGksrp/6rFf4Ma3rIiW/63EiyxHFLSl8NVOLfM+AWHYm5flnKJI4Ava

iZnv64QlmLxTSDgU+/rS9XBaDlg6DKoIDtDTlVvg99vU3I9TrU+LRMPaLCidVw/h

GMlKtvF8UGFACAM1HwTJ/zBejgaAN0ZKcmxDNX0RwgHQwTP1/dwXRae+uk9dK8Ya

kw9jcu5SM7aQuUKEFdvdkhI9fo8uMH8lKwSViaDx50/BZfEQx5+cRHooS/AZfnnr

BjBlaAZA+zjuvp5mbDh76CO8+i+++09e4g5Kj83ZoRfVXkOUonfRug5FvAT7YFEi

lgnG+ChW5BrDtOq25Y4jQcPyqM9dL8lkpMhfK+rayGWVyOfQAX0AtNNM0itbjb7U

m78N71RVjjz4We2QCkIBv5AibsPgJwq54M6VDZ3CIJ+f2QVvvypnN2UjV1epih6N

yS0RxVqwC2HObwdbffviMjH1a5AOSIFnEYHOAwAxIf3nlZWAf1HhW8Oc6IofqTuO

R5SeWnoYxFVFakhGcyMRw3sd/ekTp8tRoK8QbINn3L38AEMtp8HKSHWm+MWdIQeK

WNYW4AZsrKfmXIQpGzuaan50fh6y6eVevxB9zx/uVN2XxD/TmDs5KnLjw7A4ks7V

Ds0c8bSLOT8BE+qfb7I/mUjVbsbGxgX40ducmm/C7HR/bgbSV2u6PK92ieQ22q6q

7RATzFtvHuJ3OmJtrMKhlHGMHVSA01GhheL3m2JhHMKMoJfwhYLab1+UCV4n5GOi

MogQY9UQ022WRCtpTPes5Sl5IMVY/Oj1nP/QcUMK8a7iPtAZWPYN7HEPXDfU/Urm

52HbC0fSQ/eGG5gQ7kDy9N/aLZf9wDMgj5zjX2lmnMT/h1sD29+bUCoo4ODT2Kk1

i6HyZX+J6KNDYM5aNOdhyZabVZBZOU1GvtLMzzrd5pEugFs7Rzt0+NJ54d7jGgav

0QwKCKIDevSdZG0ZeXLTvQONF9Pzo6i/E3uwIKuHFAnTAtq6UrKveRLtWWXuSBim

AAifL8s23T0BJAa75C6b3+F5IUTC/K9e5vrUbBDWDsjSjsWgbkoPBDlEpWLI+Ogu

Th6nZeQx0U+gt1bC+bJTIKdVDbxgjVGXIEvmnzc7KU0cBHmmIQggqfQwdVTeSVUx

z9JefVD9accpoem6ghdS/0xaQztbdvb5NAM9LX2o/HFECThcLWGke/jxgAKvFQX4

MZBFy1UukQeCgHfwJCIMw1D/tupKwAqzsvm351E0C8eTuC1OWFvtkzQNoFkyD2vS

gWSFKz85nswSMkobWFNJxMmDuS1QlAHUFuzpcVOJgrE6DMpdYE3DeKmsVMsLsNM/

l7H3SlnvEptVf3fm5PpCxtOM60nqsQuveHEgkmk5gt8CLtE8bV81yv7JDvkXUFV2

5HlFRZ/RZAQgAeKiAS6REwHuE/dEhZKh7Jq2o02G0NXeAXR/WqeN0SWSw0dEVf39

TMARg27X27zx0Wg2g8pBC1nxA1zyzMfYI2OTwvFZFNPVenGCVUw1dFt8eolAOscO

LakQuCWrFrW7kiRQlxVK/o67fKTkBVt7zM5WjBEO3beGWe2TkRUWUg==

-----END RSA PRIVATE KEY-----"

set certificate "-----BEGIN CERTIFICATE-----

MIIDkjCCAnoCCQCbXq6VYR1CijANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMC

SU4xEjAQBgNVBAgMCUthcm5hdGFrYTESMBAGA1UEBwwJQmFuZ2Fsb3JlMREwDwYD

VQQKDAhGb3J0aW5ldDEMMAoGA1UECwwDTEFCMQ0wCwYDVQQDDAR0ZXN0MSMwIQYJ

KoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0LmNvbTAeFw0xMjEyMDUxMDE1NTla

Fw0xNDEyMDUxMDE1NTlaMIGKMQswCQYDVQQGEwJJTjESMBAGA1UECAwJS2FybmF0

YWthMRIwEAYDVQQHDAlCYW5nYWxvcmUxETAPBgNVBAoMCEZvcnRpbmV0MQwwCgYD

VQQLDANMQUIxDTALBgNVBAMMBHRlc3QxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRA

Zm9ydGluZXQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArvHH

eXZJilTr4TbH/5O5jFxKQ5dILr/561JOJ5UZWtgs9VhXSuCzmrs6FX35vyc7NR+9

tCbMrl7qA68MxBMuu6phf2r77M9bsp3rOZE2nFR+lhjpWrXBk7/puFLBbI2yqh8d

7DB25m5pI0ClmbdJ5GGlc/1wHULQhFQSYCMSVjc34esvaLE8oAVFWHAZX14dbAbj

gC4CMbayzJZaYEfh/7suMwvdwS3sYjOwZYq6DFEF5ZPpKN+ji9J+8EmAvaZS2m3M

fFdPFf4eEAgsHmYasqxH7s4Ksc2zTm3cG5srRCqEsEddhoblI1JvmApoN2JiNiYJ

hYiEPyJdf2z+dADwXwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCbA8kKwVRPri/d

L8okLny6FygJ0auPbuRQCUGAWpfdKdXn6iyMlLuR066j82o2yrQ0ddgRcdaExT0I

RCoC2NqhzZvy8JJW2A+KTXutwdGGg8ckHQ5UVRtNo/lPZ6Quz8AsswzNk2Qx6OtF

FcTEBNxVTHKabQR46ChIa3sG032Wiuj6Y2Rv77mTmmDRZnrY8QGZd2zMm3riAqUf

IGil0/yg0AhA+ZBt5rer3X+GTknhDAPJ+yU2WS1c8pPj3A3DI0+xwTOq/sNCqTmc

xb7Q1VM/1kiOE9YaPasAJuQ7WHmnd8J0vHw1/e+whf/lsKxV0ClBNL/JdlyNAMvy

isnZYL58

-----END CERTIFICATE-----"

next

end

Related topics

system certificate local

system certificate local

Use this command to edit the comment associated with a server certificate that is stored locally on the FortiWeb appliance.

You can also configure settings for a certificate that works with an HSM (hardware security module). For details about HSM integration, see system hsm info and the FortiWeb Administration Guide:

HTTP://docs.fortinet.com/fortiweb/admin-guides

FortiWeb appliances require these certificates to present when clients request secure connections, including when:

  • Administrators connect to the web UI (HTTPS connections only)
  • Web clients use SSL or TLS to connect to a virtual server, if you have enabled SSL off-loading in the policy (HTTPS connections and Reverse Proxy mode)
  • Web clients use SSL or TLS to connect to a physical server (HTTPS connections and true transparent mode)

FortiWeb appliances also require certificates in order to decrypt and scan HTTPS connections travelling through it if operating in Offline Protection or Transparent Inspection modes.

Which certificate will be used, and how, depends on the purpose.

  • For connections to the web UI, the FortiWeb appliance presents its default certificate. The FortiWeb appliance’s default certificate does not appear in the list of local certificates. It's used only for connections to the web UI and cannot be removed.
  • For SSL off-loading or SSL decryption, upload certificates that do not belong to the FortiWeb appliance, but instead belong to the protected hosts. Then, select which one the FortiWeb appliance will use when configuring the SSL option in a policy or server farm.

For information on how to upload a certificate file, see the FortiWeb Administration Guide:

HTTP://docs.fortinet.com/fortiweb/admin-guides

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config system certificate local

edit "<certificate_name>"

set comment "<comment_str>"

set status {na | ok | pending}

set type {certificate | csr}

set flag {0 | 1}

set is-hsm {no | yes}

set partition-number "<partition_name>"

set certificate "<certificate_str>"

set private-key "<private_key_str>"

set passwd "<password>"

next

end

Variable Description Default

"<certificate_name>"

Enter the name of a certificate file. The maximum length is 63 characters. No default.

comment "<comment_str>"

Enter a description or other comment. If the comment contains more than one word or contains an apostrophe, surround the comment in double quotes ( " ). The maximum length is 127 characters. No default.

status {na | ok | pending}

Indicate the status of an imported certificate:

  • na—Indicates that the certificate was successfully imported, and is currently selected for use by the FortiWeb appliance.
  • ok—Indicates that the certificate was successfully imported but is not selected as the certificate currently in use. To use the certificate, select it in a policy or server farm.
  • pending—Indicates that the certificate request was generated, but must be downloaded, signed, and imported before it can be used as a local certificate.
No default.

type {certificate | csr}

Indicate whether the file is a certificate or a certificate signing request (CSR). No default.

flag {0 | 1}

Indicate if a password was saved. This is used by FortiWeb for backwards compatibility. No default.

is-hsm {no | yes}

Specify whether you configured the CSR for this certificate to work with an integrated HSM. no

partition-number "<partition_name>"

Enter the name of the HSM partition you selected when you created the CSR for this certificate. No default.

certificate "<certificate_str>"

Set the certificate. Only certificates in PEM format may be set. No default.

private-key "<private_key_str>"

Set the private key for the certificate. Only private keys in PEM format may be set. No default.

passwd "<password>"

Enter the password for the certificate. No default.

Example

This example adds a comment to the certificate named certificate1.

config system certificate local

edit "certificate1"

set comment "This is a certificate for the host www.example.com."

next

end

This example adds a certificate named certificate2

config system certificate local

edit "certificate2"

set private-key "-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,82EAF556E3621A07

ZYqcytKrfYGksrp/6rFf4Ma3rIiW/63EiyxHFLSl8NVOLfM+AWHYm5flnKJI4Ava

iZnv64QlmLxTSDgU+/rS9XBaDlg6DKoIDtDTlVvg99vU3I9TrU+LRMPaLCidVw/h

GMlKtvF8UGFACAM1HwTJ/zBejgaAN0ZKcmxDNX0RwgHQwTP1/dwXRae+uk9dK8Ya

kw9jcu5SM7aQuUKEFdvdkhI9fo8uMH8lKwSViaDx50/BZfEQx5+cRHooS/AZfnnr

BjBlaAZA+zjuvp5mbDh76CO8+i+++09e4g5Kj83ZoRfVXkOUonfRug5FvAT7YFEi

lgnG+ChW5BrDtOq25Y4jQcPyqM9dL8lkpMhfK+rayGWVyOfQAX0AtNNM0itbjb7U

m78N71RVjjz4We2QCkIBv5AibsPgJwq54M6VDZ3CIJ+f2QVvvypnN2UjV1epih6N

yS0RxVqwC2HObwdbffviMjH1a5AOSIFnEYHOAwAxIf3nlZWAf1HhW8Oc6IofqTuO

R5SeWnoYxFVFakhGcyMRw3sd/ekTp8tRoK8QbINn3L38AEMtp8HKSHWm+MWdIQeK

WNYW4AZsrKfmXIQpGzuaan50fh6y6eVevxB9zx/uVN2XxD/TmDs5KnLjw7A4ks7V

Ds0c8bSLOT8BE+qfb7I/mUjVbsbGxgX40ducmm/C7HR/bgbSV2u6PK92ieQ22q6q

7RATzFtvHuJ3OmJtrMKhlHGMHVSA01GhheL3m2JhHMKMoJfwhYLab1+UCV4n5GOi

MogQY9UQ022WRCtpTPes5Sl5IMVY/Oj1nP/QcUMK8a7iPtAZWPYN7HEPXDfU/Urm

52HbC0fSQ/eGG5gQ7kDy9N/aLZf9wDMgj5zjX2lmnMT/h1sD29+bUCoo4ODT2Kk1

i6HyZX+J6KNDYM5aNOdhyZabVZBZOU1GvtLMzzrd5pEugFs7Rzt0+NJ54d7jGgav

0QwKCKIDevSdZG0ZeXLTvQONF9Pzo6i/E3uwIKuHFAnTAtq6UrKveRLtWWXuSBim

AAifL8s23T0BJAa75C6b3+F5IUTC/K9e5vrUbBDWDsjSjsWgbkoPBDlEpWLI+Ogu

Th6nZeQx0U+gt1bC+bJTIKdVDbxgjVGXIEvmnzc7KU0cBHmmIQggqfQwdVTeSVUx

z9JefVD9accpoem6ghdS/0xaQztbdvb5NAM9LX2o/HFECThcLWGke/jxgAKvFQX4

MZBFy1UukQeCgHfwJCIMw1D/tupKwAqzsvm351E0C8eTuC1OWFvtkzQNoFkyD2vS

gWSFKz85nswSMkobWFNJxMmDuS1QlAHUFuzpcVOJgrE6DMpdYE3DeKmsVMsLsNM/

l7H3SlnvEptVf3fm5PpCxtOM60nqsQuveHEgkmk5gt8CLtE8bV81yv7JDvkXUFV2

5HlFRZ/RZAQgAeKiAS6REwHuE/dEhZKh7Jq2o02G0NXeAXR/WqeN0SWSw0dEVf39

TMARg27X27zx0Wg2g8pBC1nxA1zyzMfYI2OTwvFZFNPVenGCVUw1dFt8eolAOscO

LakQuCWrFrW7kiRQlxVK/o67fKTkBVt7zM5WjBEO3beGWe2TkRUWUg==

-----END RSA PRIVATE KEY-----"

set certificate "-----BEGIN CERTIFICATE-----

MIIDkjCCAnoCCQCbXq6VYR1CijANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMC

SU4xEjAQBgNVBAgMCUthcm5hdGFrYTESMBAGA1UEBwwJQmFuZ2Fsb3JlMREwDwYD

VQQKDAhGb3J0aW5ldDEMMAoGA1UECwwDTEFCMQ0wCwYDVQQDDAR0ZXN0MSMwIQYJ

KoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0LmNvbTAeFw0xMjEyMDUxMDE1NTla

Fw0xNDEyMDUxMDE1NTlaMIGKMQswCQYDVQQGEwJJTjESMBAGA1UECAwJS2FybmF0

YWthMRIwEAYDVQQHDAlCYW5nYWxvcmUxETAPBgNVBAoMCEZvcnRpbmV0MQwwCgYD

VQQLDANMQUIxDTALBgNVBAMMBHRlc3QxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRA

Zm9ydGluZXQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArvHH

eXZJilTr4TbH/5O5jFxKQ5dILr/561JOJ5UZWtgs9VhXSuCzmrs6FX35vyc7NR+9

tCbMrl7qA68MxBMuu6phf2r77M9bsp3rOZE2nFR+lhjpWrXBk7/puFLBbI2yqh8d

7DB25m5pI0ClmbdJ5GGlc/1wHULQhFQSYCMSVjc34esvaLE8oAVFWHAZX14dbAbj

gC4CMbayzJZaYEfh/7suMwvdwS3sYjOwZYq6DFEF5ZPpKN+ji9J+8EmAvaZS2m3M

fFdPFf4eEAgsHmYasqxH7s4Ksc2zTm3cG5srRCqEsEddhoblI1JvmApoN2JiNiYJ

hYiEPyJdf2z+dADwXwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCbA8kKwVRPri/d

L8okLny6FygJ0auPbuRQCUGAWpfdKdXn6iyMlLuR066j82o2yrQ0ddgRcdaExT0I

RCoC2NqhzZvy8JJW2A+KTXutwdGGg8ckHQ5UVRtNo/lPZ6Quz8AsswzNk2Qx6OtF

FcTEBNxVTHKabQR46ChIa3sG032Wiuj6Y2Rv77mTmmDRZnrY8QGZd2zMm3riAqUf

IGil0/yg0AhA+ZBt5rer3X+GTknhDAPJ+yU2WS1c8pPj3A3DI0+xwTOq/sNCqTmc

xb7Q1VM/1kiOE9YaPasAJuQ7WHmnd8J0vHw1/e+whf/lsKxV0ClBNL/JdlyNAMvy

isnZYL58

-----END CERTIFICATE-----"

next

end

Related topics