CLI Reference

system certificate ca-group

Use this command to group certificate authorities (CAs).

CAs must belong to a group in order to be selected in a certificate verification rule.

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config system certificate ca-group
    edit "<ca-group_name>"
        config members
            edit <ca_index>
                set type {CA | TSL}
                set publish-dn {enable | disable}
                set tsl "<tsl_name>"
                set name "<ca_name>"
                set trust-anchor {enable | disable}
            next
        end
    next
end

Variable | Description | Default

"<ca-group_name>"
    Enter the name of a certificate authority (CA) group. The maximum length is 63 characters.
    Default: No default.

<ca_index>
    Enter the index number of a CA within its group. The valid range is 1–999,999,999,999,999,999.
    Default: No default.

name "<ca_name>"
    Enter the name of a previously uploaded CA certificate.
    Default: No default.

type {CA | TSL}
    Select whether this member is a CA certificate or a TSL.
    Default: CA

tsl "<tsl_name>"
    Enter the name of a TSL.
    Default: No default.

publish-dn {enable | disable}
    Enable to list only the certificates related to the specified CA group. This is useful when a client has many certificates installed in its browser, or when an application does not list client certificates. If you enable this option, also enable the corresponding option in the certificate verification rule. For details, see system certificate verify.
    Default: enable

trust-anchor {enable | disable}
    If partial-chain is enabled in config system certificate verify, enable trust-anchor on this member so that the system can perform partial chain verification.
    Default: disable

Example

This example groups two CA certificates into a CA group named caVendors1.

config system certificate ca-group
    edit "caVendors1"
        config members
            edit 1
                set name "CA_Cert_1"
            next
            edit 2
                set name "CA_Cert_2"
            next
        end
    next
end
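The nested config/edit/next/end structure above lends itself to automation. The following Python script is an added example, not Fortinet code: it models a CA group, validates it against the limits stated in this reference (63-character group name, member index range, type values and the documented defaults), renders the CLI block, and cross-checks the requirement noted under trust-anchor that a group used with partial-chain verification has a trust anchor. The rule that a CA-type member needs a name and a TSL-type member needs a tsl, the four-space indentation, and backslash-escaping of embedded quotes in string values are assumptions made here, not taken from the reference.

```python
"""Build, validate and render a FortiWeb "config system certificate ca-group" block.

Added example, not Fortinet code.  The limits enforced here (63-character group
name, member index range, type values and the documented defaults) come from the
CLI reference.  The rule that a CA-type member needs "name" and a TSL-type member
needs "tsl" is an assumption made for validation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

MAX_GROUP_NAME_LEN = 63
MIN_INDEX = 1
MAX_INDEX = 999_999_999_999_999_999  # eighteen nines, per the reference


@dataclass
class Member:
    index: int
    name: Optional[str] = None   # name of a previously uploaded CA certificate
    type: str = "CA"             # documented default
    tsl: Optional[str] = None    # name of a TSL, used when type is TSL
    publish_dn: bool = True      # documented default: enable
    trust_anchor: bool = False   # documented default: disable


@dataclass
class CaGroup:
    name: str
    members: List[Member] = field(default_factory=list)


def validate(group: CaGroup) -> List[str]:
    """Return the problems found; an empty list means the block is acceptable."""
    errors: List[str] = []
    if not group.name:
        errors.append("group name is empty")
    elif len(group.name) > MAX_GROUP_NAME_LEN:
        errors.append(f"group name {group.name!r} exceeds {MAX_GROUP_NAME_LEN} characters")
    if not group.members:
        errors.append("group has no members")
    seen: Set[int] = set()
    for m in group.members:
        if not MIN_INDEX <= m.index <= MAX_INDEX:
            errors.append(f"member index {m.index} outside {MIN_INDEX}..{MAX_INDEX}")
        if m.index in seen:
            errors.append(f"duplicate member index {m.index}")
        seen.add(m.index)
        if m.type not in ("CA", "TSL"):
            errors.append(f"member {m.index}: type must be CA or TSL, got {m.type!r}")
        # Assumption (not stated in the reference): a member must name the object its type refers to.
        if m.type == "CA" and not m.name:
            errors.append(f"member {m.index}: type CA requires a name")
        if m.type == "TSL" and not m.tsl:
            errors.append(f"member {m.index}: type TSL requires a tsl")
    return errors


def partial_chain_warnings(group: CaGroup, partial_chain_enabled: bool) -> List[str]:
    """Cross-check with the verify rule: partial-chain needs at least one trust anchor."""
    if partial_chain_enabled and not any(m.trust_anchor for m in group.members):
        return [f"partial-chain is enabled but no member of {group.name!r} has trust-anchor enabled"]
    return []


def quote(value: str) -> str:
    """Double-quote a CLI string; backslash-escaping of embedded quotes is an assumption."""
    return '"' + value.replace('"', '\\"') + '"'


def render(group: CaGroup, explicit: bool = False) -> str:
    """Render the CLI block.  With explicit=False only settings that differ from the
    documented defaults are emitted, which reproduces the compact form of the example."""
    problems = validate(group)
    if problems:
        raise ValueError("; ".join(problems))
    ind = "    "
    lines = ["config system certificate ca-group",
             f"{ind}edit {quote(group.name)}",
             f"{ind * 2}config members"]
    for m in group.members:
        lines.append(f"{ind * 3}edit {m.index}")
        if explicit or m.type != "CA":
            lines.append(f"{ind * 4}set type {m.type}")
        if explicit or not m.publish_dn:
            lines.append(f"{ind * 4}set publish-dn {'enable' if m.publish_dn else 'disable'}")
        if m.tsl:
            lines.append(f"{ind * 4}set tsl {quote(m.tsl)}")
        if m.name:
            lines.append(f"{ind * 4}set name {quote(m.name)}")
        if explicit or m.trust_anchor:
            lines.append(f"{ind * 4}set trust-anchor {'enable' if m.trust_anchor else 'disable'}")
        lines.append(f"{ind * 3}next")
    lines += [f"{ind * 2}end", f"{ind}next", "end"]
    return "\n".join(lines) + "\n"


# The reference's own example, rebuilt through the renderer.
CA_VENDORS_1 = CaGroup("caVendors1", [Member(1, name="CA_Cert_1"),
                                      Member(2, name="CA_Cert_2")])

if __name__ == "__main__":
    print(render(CA_VENDORS_1), end="")
    for w in partial_chain_warnings(CA_VENDORS_1, partial_chain_enabled=True):
        print("warning:", w)
```

Run as a script it prints the caVendors1 block from the example above, followed by a warning that the group has no trust anchor, which is what you would see if the verification rule using it had partial-chain enabled. Passing explicit=True to render emits every setting, which is handy for diffing a generated block against a running configuration.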

Related topics