config vpn certificate setting
VPN certificate setting.
config vpn certificate setting Description: VPN certificate setting. set certname-dsa1024 {string} set certname-dsa2048 {string} set certname-ecdsa256 {string} set certname-ecdsa384 {string} set certname-ecdsa521 {string} set certname-ed25519 {string} set certname-ed448 {string} set certname-rsa1024 {string} set certname-rsa2048 {string} set certname-rsa4096 {string} set check-ca-cert [enable|disable] set check-ca-chain [enable|disable] set cmp-key-usage-checking [enable|disable] set cmp-save-extra-certs [enable|disable] set cn-match [substring|value] set interface {string} set interface-select-method [auto|sdwan|...] set ocsp-default-server {string} set ocsp-option [certificate|server] set ocsp-status [enable|disable] set ssl-min-proto-version [default|SSLv3|...] set ssl-ocsp-source-ip {ipv4-address} set strict-crl-check [enable|disable] set strict-ocsp-check [enable|disable] set subject-match [substring|value] end
config vpn certificate setting
Parameter |
Description |
Type |
Size |
Default |
||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
certname-dsa1024 |
1024 bit DSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_DSA1024 |
||||||||||||
certname-dsa2048 |
2048 bit DSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_DSA2048 |
||||||||||||
certname-ecdsa256 |
256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ECDSA256 |
||||||||||||
certname-ecdsa384 |
384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ECDSA384 |
||||||||||||
certname-ecdsa521 |
521 bit ECDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ECDSA521 |
||||||||||||
certname-ed25519 |
253 bit EdDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ED25519 |
||||||||||||
certname-ed448 |
456 bit EdDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ED448 |
||||||||||||
certname-rsa1024 |
1024 bit RSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_RSA1024 |
||||||||||||
certname-rsa2048 |
2048 bit RSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_RSA2048 |
||||||||||||
certname-rsa4096 |
4096 bit RSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_RSA4096 |
||||||||||||
check-ca-cert |
Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted. |
option |
- |
enable |
||||||||||||
|
|
|||||||||||||||
check-ca-chain |
Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
cmp-key-usage-checking |
Enable/disable server certificate key usage checking in CMP mode. |
option |
- |
enable |
||||||||||||
|
|
|||||||||||||||
cmp-save-extra-certs |
Enable/disable saving extra certificates in CMP mode. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
cn-match |
When searching for a matching certificate, control how to find matches in the cn attribute of the certificate subject name. |
option |
- |
substring |
||||||||||||
|
|
|||||||||||||||
interface |
Specify outgoing interface to reach server. |
string |
Maximum length: 15 |
|
||||||||||||
interface-select-method |
Specify how to select outgoing interface to reach server. |
option |
- |
auto |
||||||||||||
|
|
|||||||||||||||
ocsp-default-server |
Default OCSP server. |
string |
Maximum length: 35 |
|
||||||||||||
ocsp-option |
Specify whether the OCSP URL is from certificate or configured OCSP server. |
option |
- |
server |
||||||||||||
|
|
|||||||||||||||
ocsp-status |
Enable/disable receiving certificates using the OCSP. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
ssl-min-proto-version |
Minimum supported protocol version for SSL/TLS connections. |
option |
- |
default |
||||||||||||
|
|
|||||||||||||||
ssl-ocsp-source-ip |
Source IP address to use to communicate with the OCSP server. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||||||
strict-crl-check |
Enable/disable strict mode CRL checking. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
strict-ocsp-check |
Enable/disable strict mode OCSP checking. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
subject-match |
When searching for a matching certificate, control how to find matches in the certificate subject name. |
option |
- |
substring |
||||||||||||
|
|