Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    6.4.4
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    config vpn certificate setting

    config vpn certificate setting

    VPN certificate setting.

    config vpn certificate setting

    Description: VPN certificate setting.

    set ocsp-status [enable|disable]

    set ocsp-option [certificate|server]

    set ssl-ocsp-source-ip {ipv4-address}

    set ocsp-default-server {string}

    set interface-select-method [auto|sdwan|...]

    set interface {string}

    set check-ca-cert [enable|disable]

    set check-ca-chain [enable|disable]

    set subject-match [substring|value]

    set cn-match [substring|value]

    set strict-crl-check [enable|disable]

    set strict-ocsp-check [enable|disable]

    set ssl-min-proto-version [default|SSLv3|...]

    set cmp-save-extra-certs [enable|disable]

    set cmp-key-usage-checking [enable|disable]

    set certname-rsa1024 {string}

    set certname-rsa2048 {string}

    set certname-rsa4096 {string}

    set certname-dsa1024 {string}

    set certname-dsa2048 {string}

    set certname-ecdsa256 {string}

    set certname-ecdsa384 {string}

    set certname-ecdsa521 {string}

    set certname-ed25519 {string}

    set certname-ed448 {string}

    end

    config vpn certificate setting

    Parameter name

    Description

    Type

    Size

    ocsp-status

    Enable/disable receiving certificates using the OCSP.

    option

    -

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ocsp-option

    Specify whether the OCSP URL is from certificate or configured OCSP server.

    option

    -

    Option

    Description

    certificate

    Use URL from certificate.

    server

    Use URL from configured OCSP server.

    ssl-ocsp-source-ip

    Source IP address to use to communicate with the OCSP server.

    ipv4-address

    Not Specified

    ocsp-default-server

    Default OCSP server.

    string

    Maximum length: 35

    interface-select-method

    Specify how to select outgoing interface to reach server.

    option

    -

    Option

    Description

    auto

    Set outgoing interface automatically.

    sdwan

    Set outgoing interface by SD-WAN or policy routing rules.

    specify

    Set outgoing interface manually.

    interface

    Specify outgoing interface to reach server.

    string

    Maximum length: 15

    check-ca-cert

    Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted (default = enable).

    option

    -

    Option

    Description

    enable

    Enable verification of the user certificate.

    disable

    Disable verification of the user certificate.

    check-ca-chain

    Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted (default = disable).

    option

    -

    Option

    Description

    enable

    Enable verification of the entire certificate chain.

    disable

    Disable verification of the entire certificate chain.

    subject-match

    When searching for a matching certificate, control how to find matches in the certificate subject name.

    option

    -

    Option

    Description

    substring

    Find a match if any string in the certificate subject name matches the name being searched for.

    value

    Find a match if any attribute value string in a certificate subject name is an exact match with the name being searched for.

    cn-match

    When searching for a matching certificate, control how to find matches in the cn attribute of the certificate subject name.

    option

    -

    Option

    Description

    substring

    Find a match if any string in a certificate subject name cn attribute name matches the name being searched for.

    value

    Find a match if the cn attribute value string is an exact match with the name being searched for.

    strict-crl-check

    Enable/disable strict mode CRL checking.

    option

    -

    Option

    Description

    enable

    Enable strict mode CRL checking.

    disable

    Disable strict mode CRL checking.

    strict-ocsp-check

    Enable/disable strict mode OCSP checking.

    option

    -

    Option

    Description

    enable

    Enable strict mode OCSP checking.

    disable

    Disable strict mode OCSP checking.

    ssl-min-proto-version

    Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).

    option

    -

    Option

    Description

    default

    Follow system global setting.

    SSLv3

    SSLv3.

    TLSv1

    TLSv1.

    TLSv1-1

    TLSv1.1.

    TLSv1-2

    TLSv1.2.

    cmp-save-extra-certs

    Enable/disable saving extra certificates in CMP mode (default = disable).

    option

    -

    Option

    Description

    enable

    Enable saving extra certificates in CMP mode.

    disable

    Disable saving extra certificates in CMP mode.

    cmp-key-usage-checking

    Enable/disable server certificate key usage checking in CMP mode (default = enable).

    option

    -

    Option

    Description

    enable

    Enable server certificate key usage checking in CMP mode.

    disable

    Disable server certificate key usage checking in CMP mode.

    certname-rsa1024

    1024 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-rsa2048

    2048 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-rsa4096

    4096 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-dsa1024

    1024 bit DSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-dsa2048

    2048 bit DSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-ecdsa256

    256 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-ecdsa384

    384 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-ecdsa521

    521 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-ed25519

    253 bit EdDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-ed448

    456 bit EdDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35
    Previous
    Next

    config vpn certificate setting

    config vpn certificate setting

    VPN certificate setting.

    config vpn certificate setting

    Description: VPN certificate setting.

    set ocsp-status [enable|disable]

    set ocsp-option [certificate|server]

    set ssl-ocsp-source-ip {ipv4-address}

    set ocsp-default-server {string}

    set interface-select-method [auto|sdwan|...]

    set interface {string}

    set check-ca-cert [enable|disable]

    set check-ca-chain [enable|disable]

    set subject-match [substring|value]

    set cn-match [substring|value]

    set strict-crl-check [enable|disable]

    set strict-ocsp-check [enable|disable]

    set ssl-min-proto-version [default|SSLv3|...]

    set cmp-save-extra-certs [enable|disable]

    set cmp-key-usage-checking [enable|disable]

    set certname-rsa1024 {string}

    set certname-rsa2048 {string}

    set certname-rsa4096 {string}

    set certname-dsa1024 {string}

    set certname-dsa2048 {string}

    set certname-ecdsa256 {string}

    set certname-ecdsa384 {string}

    set certname-ecdsa521 {string}

    set certname-ed25519 {string}

    set certname-ed448 {string}

    end

    config vpn certificate setting

    Parameter name

    Description

    Type

    Size

    ocsp-status

    Enable/disable receiving certificates using the OCSP.

    option

    -

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ocsp-option

    Specify whether the OCSP URL is from certificate or configured OCSP server.

    option

    -

    Option

    Description

    certificate

    Use URL from certificate.

    server

    Use URL from configured OCSP server.

    ssl-ocsp-source-ip

    Source IP address to use to communicate with the OCSP server.

    ipv4-address

    Not Specified

    ocsp-default-server

    Default OCSP server.

    string

    Maximum length: 35

    interface-select-method

    Specify how to select outgoing interface to reach server.

    option

    -

    Option

    Description

    auto

    Set outgoing interface automatically.

    sdwan

    Set outgoing interface by SD-WAN or policy routing rules.

    specify

    Set outgoing interface manually.

    interface

    Specify outgoing interface to reach server.

    string

    Maximum length: 15

    check-ca-cert

    Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted (default = enable).

    option

    -

    Option

    Description

    enable

    Enable verification of the user certificate.

    disable

    Disable verification of the user certificate.

    check-ca-chain

    Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted (default = disable).

    option

    -

    Option

    Description

    enable

    Enable verification of the entire certificate chain.

    disable

    Disable verification of the entire certificate chain.

    subject-match

    When searching for a matching certificate, control how to find matches in the certificate subject name.

    option

    -

    Option

    Description

    substring

    Find a match if any string in the certificate subject name matches the name being searched for.

    value

    Find a match if any attribute value string in a certificate subject name is an exact match with the name being searched for.

    cn-match

    When searching for a matching certificate, control how to find matches in the cn attribute of the certificate subject name.

    option

    -

    Option

    Description

    substring

    Find a match if any string in a certificate subject name cn attribute name matches the name being searched for.

    value

    Find a match if the cn attribute value string is an exact match with the name being searched for.

    strict-crl-check

    Enable/disable strict mode CRL checking.

    option

    -

    Option

    Description

    enable

    Enable strict mode CRL checking.

    disable

    Disable strict mode CRL checking.

    strict-ocsp-check

    Enable/disable strict mode OCSP checking.

    option

    -

    Option

    Description

    enable

    Enable strict mode OCSP checking.

    disable

    Disable strict mode OCSP checking.

    ssl-min-proto-version

    Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).

    option

    -

    Option

    Description

    default

    Follow system global setting.

    SSLv3

    SSLv3.

    TLSv1

    TLSv1.

    TLSv1-1

    TLSv1.1.

    TLSv1-2

    TLSv1.2.

    cmp-save-extra-certs

    Enable/disable saving extra certificates in CMP mode (default = disable).

    option

    -

    Option

    Description

    enable

    Enable saving extra certificates in CMP mode.

    disable

    Disable saving extra certificates in CMP mode.

    cmp-key-usage-checking

    Enable/disable server certificate key usage checking in CMP mode (default = enable).

    option

    -

    Option

    Description

    enable

    Enable server certificate key usage checking in CMP mode.

    disable

    Disable server certificate key usage checking in CMP mode.

    certname-rsa1024

    1024 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-rsa2048

    2048 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-rsa4096

    4096 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-dsa1024

    1024 bit DSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-dsa2048

    2048 bit DSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-ecdsa256

    256 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-ecdsa384

    384 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-ecdsa521

    521 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-ed25519

    253 bit EdDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35

    certname-ed448

    456 bit EdDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Maximum length: 35
    Previous
    Next