Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    7.2.2
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    config vpn certificate setting

    config vpn certificate setting

    VPN certificate setting.

    config vpn certificate setting

    Description: VPN certificate setting.

    set ocsp-status [enable|disable]

    set ocsp-option [certificate|server]

    set ssl-ocsp-source-ip {ipv4-address}

    set ocsp-default-server {string}

    set interface-select-method [auto|sdwan|...]

    set interface {string}

    set check-ca-cert [enable|disable]

    set check-ca-chain [enable|disable]

    set subject-match [substring|value]

    set subject-set [subset|superset]

    set cn-match [substring|value]

    set cn-allow-multi [disable|enable]

    config crl-verification

    Description: CRL verification options.

    set expiry [ignore|revoke]

    set leaf-crl-absence [ignore|revoke]

    set chain-crl-absence [ignore|revoke]

    end

    set strict-ocsp-check [enable|disable]

    set ssl-min-proto-version [default|SSLv3|...]

    set cmp-save-extra-certs [enable|disable]

    set cmp-key-usage-checking [enable|disable]

    set cert-expire-warning {integer}

    set certname-rsa1024 {string}

    set certname-rsa2048 {string}

    set certname-rsa4096 {string}

    set certname-dsa1024 {string}

    set certname-dsa2048 {string}

    set certname-ecdsa256 {string}

    set certname-ecdsa384 {string}

    set certname-ecdsa521 {string}

    set certname-ed25519 {string}

    set certname-ed448 {string}

    end

    config vpn certificate setting

    Parameter

    Description

    Type

    Size

    Default

    ocsp-status

    Enable/disable receiving certificates using the OCSP.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ocsp-option

    Specify whether the OCSP URL is from certificate or configured OCSP server.

    option

    -

    server

    Option

    Description

    certificate

    Use URL from certificate.

    server

    Use URL from configured OCSP server.

    ssl-ocsp-source-ip

    Source IP address to use to communicate with the OCSP server.

    ipv4-address

    Not Specified

    0.0.0.0

    ocsp-default-server

    Default OCSP server.

    string

    Not Specified

    interface-select-method

    Specify how to select outgoing interface to reach server.

    option

    -

    auto

    Option

    Description

    auto

    Set outgoing interface automatically.

    sdwan

    Set outgoing interface by SD-WAN or policy routing rules.

    specify

    Set outgoing interface manually.

    interface

    Specify outgoing interface to reach server.

    string

    Not Specified

    check-ca-cert

    Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted .

    option

    -

    enable

    Option

    Description

    enable

    Enable verification of the user certificate.

    disable

    Disable verification of the user certificate.

    check-ca-chain

    Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted .

    option

    -

    disable

    Option

    Description

    enable

    Enable verification of the entire certificate chain.

    disable

    Disable verification of the entire certificate chain.

    subject-match

    When searching for a matching certificate, control how to do RDN value matching with certificate subject name .

    option

    -

    substring

    Option

    Description

    substring

    Find a match if the name being searched for is a part or the same as a certificate subject RDN.

    value

    Find a match if the name being searched for is same as a certificate subject RDN.

    subject-set

    When searching for a matching certificate, control how to do RDN set matching with certificate subject name .

    option

    -

    subset

    Option

    Description

    subset

    Find a match if the name being searched for is a subset of a certificate subject.

    superset

    Find a match if the name being searched for is a superset of a certificate subject.

    cn-match

    When searching for a matching certificate, control how to do CN value matching with certificate subject name .

    option

    -

    substring

    Option

    Description

    substring

    Find a match if the name being searched for is a part or the same as a certificate CN.

    value

    Find a match if the name being searched for is same as a certificate CN.

    cn-allow-multi

    When searching for a matching certificate, allow multiple CN fields in certificate subject name .

    option

    -

    enable

    Option

    Description

    disable

    Does not allow multiple CN entries in certificate matching.

    enable

    Allow multiple CN entries in certificate matching.

    strict-ocsp-check

    Enable/disable strict mode OCSP checking.

    option

    -

    disable

    Option

    Description

    enable

    Enable strict mode OCSP checking.

    disable

    Disable strict mode OCSP checking.

    ssl-min-proto-version

    Minimum supported protocol version for SSL/TLS connections .

    option

    -

    default

    Option

    Description

    default

    Follow system global setting.

    SSLv3

    SSLv3.

    TLSv1

    TLSv1.

    TLSv1-1

    TLSv1.1.

    TLSv1-2

    TLSv1.2.

    cmp-save-extra-certs

    Enable/disable saving extra certificates in CMP mode .

    option

    -

    disable

    Option

    Description

    enable

    Enable saving extra certificates in CMP mode.

    disable

    Disable saving extra certificates in CMP mode.

    cmp-key-usage-checking

    Enable/disable server certificate key usage checking in CMP mode .

    option

    -

    enable

    Option

    Description

    enable

    Enable server certificate key usage checking in CMP mode.

    disable

    Disable server certificate key usage checking in CMP mode.

    cert-expire-warning

    Number of days before a certificate expires to send a warning. Set to 0 to disable sending of the warning .

    integer

    Minimum value: 0 Maximum value: 100

    14

    certname-rsa1024

    1024 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_RSA1024

    certname-rsa2048

    2048 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_RSA2048

    certname-rsa4096

    4096 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_RSA4096

    certname-dsa1024

    1024 bit DSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_DSA1024

    certname-dsa2048

    2048 bit DSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_DSA2048

    certname-ecdsa256

    256 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_ECDSA256

    certname-ecdsa384

    384 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_ECDSA384

    certname-ecdsa521

    521 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_ECDSA521

    certname-ed25519

    253 bit EdDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_ED25519

    certname-ed448

    456 bit EdDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_ED448

    config crl-verification

    Parameter

    Description

    Type

    Size

    Default

    expiry

    CRL verification option when CRL is expired .

    option

    -

    ignore

    Option

    Description

    ignore

    Certificate status will be verified even if CRL is expired.

    revoke

    Certificate will be revoked if CRL is expired.

    leaf-crl-absence

    CRL verification option when leaf CRL is absent .

    option

    -

    ignore

    Option

    Description

    ignore

    CRL verification against leaf certificate is ignored if CRL is absent.

    revoke

    Certificate will be revoked if CRL of leaf certificate is absent.

    chain-crl-absence

    CRL verification option when CRL of any certificate in chain is absent .

    option

    -

    ignore

    Option

    Description

    ignore

    CRL verification is ignored if CRL of any certificate in chain is absent.

    revoke

    Certificate will be revoked if CRL of any certificate in chain is absent.
    Previous
    Next

    config vpn certificate setting

    config vpn certificate setting

    VPN certificate setting.

    config vpn certificate setting

    Description: VPN certificate setting.

    set ocsp-status [enable|disable]

    set ocsp-option [certificate|server]

    set ssl-ocsp-source-ip {ipv4-address}

    set ocsp-default-server {string}

    set interface-select-method [auto|sdwan|...]

    set interface {string}

    set check-ca-cert [enable|disable]

    set check-ca-chain [enable|disable]

    set subject-match [substring|value]

    set subject-set [subset|superset]

    set cn-match [substring|value]

    set cn-allow-multi [disable|enable]

    config crl-verification

    Description: CRL verification options.

    set expiry [ignore|revoke]

    set leaf-crl-absence [ignore|revoke]

    set chain-crl-absence [ignore|revoke]

    end

    set strict-ocsp-check [enable|disable]

    set ssl-min-proto-version [default|SSLv3|...]

    set cmp-save-extra-certs [enable|disable]

    set cmp-key-usage-checking [enable|disable]

    set cert-expire-warning {integer}

    set certname-rsa1024 {string}

    set certname-rsa2048 {string}

    set certname-rsa4096 {string}

    set certname-dsa1024 {string}

    set certname-dsa2048 {string}

    set certname-ecdsa256 {string}

    set certname-ecdsa384 {string}

    set certname-ecdsa521 {string}

    set certname-ed25519 {string}

    set certname-ed448 {string}

    end

    config vpn certificate setting

    Parameter

    Description

    Type

    Size

    Default

    ocsp-status

    Enable/disable receiving certificates using the OCSP.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ocsp-option

    Specify whether the OCSP URL is from certificate or configured OCSP server.

    option

    -

    server

    Option

    Description

    certificate

    Use URL from certificate.

    server

    Use URL from configured OCSP server.

    ssl-ocsp-source-ip

    Source IP address to use to communicate with the OCSP server.

    ipv4-address

    Not Specified

    0.0.0.0

    ocsp-default-server

    Default OCSP server.

    string

    Not Specified

    interface-select-method

    Specify how to select outgoing interface to reach server.

    option

    -

    auto

    Option

    Description

    auto

    Set outgoing interface automatically.

    sdwan

    Set outgoing interface by SD-WAN or policy routing rules.

    specify

    Set outgoing interface manually.

    interface

    Specify outgoing interface to reach server.

    string

    Not Specified

    check-ca-cert

    Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted .

    option

    -

    enable

    Option

    Description

    enable

    Enable verification of the user certificate.

    disable

    Disable verification of the user certificate.

    check-ca-chain

    Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted .

    option

    -

    disable

    Option

    Description

    enable

    Enable verification of the entire certificate chain.

    disable

    Disable verification of the entire certificate chain.

    subject-match

    When searching for a matching certificate, control how to do RDN value matching with certificate subject name .

    option

    -

    substring

    Option

    Description

    substring

    Find a match if the name being searched for is a part or the same as a certificate subject RDN.

    value

    Find a match if the name being searched for is same as a certificate subject RDN.

    subject-set

    When searching for a matching certificate, control how to do RDN set matching with certificate subject name .

    option

    -

    subset

    Option

    Description

    subset

    Find a match if the name being searched for is a subset of a certificate subject.

    superset

    Find a match if the name being searched for is a superset of a certificate subject.

    cn-match

    When searching for a matching certificate, control how to do CN value matching with certificate subject name .

    option

    -

    substring

    Option

    Description

    substring

    Find a match if the name being searched for is a part or the same as a certificate CN.

    value

    Find a match if the name being searched for is same as a certificate CN.

    cn-allow-multi

    When searching for a matching certificate, allow multiple CN fields in certificate subject name .

    option

    -

    enable

    Option

    Description

    disable

    Does not allow multiple CN entries in certificate matching.

    enable

    Allow multiple CN entries in certificate matching.

    strict-ocsp-check

    Enable/disable strict mode OCSP checking.

    option

    -

    disable

    Option

    Description

    enable

    Enable strict mode OCSP checking.

    disable

    Disable strict mode OCSP checking.

    ssl-min-proto-version

    Minimum supported protocol version for SSL/TLS connections .

    option

    -

    default

    Option

    Description

    default

    Follow system global setting.

    SSLv3

    SSLv3.

    TLSv1

    TLSv1.

    TLSv1-1

    TLSv1.1.

    TLSv1-2

    TLSv1.2.

    cmp-save-extra-certs

    Enable/disable saving extra certificates in CMP mode .

    option

    -

    disable

    Option

    Description

    enable

    Enable saving extra certificates in CMP mode.

    disable

    Disable saving extra certificates in CMP mode.

    cmp-key-usage-checking

    Enable/disable server certificate key usage checking in CMP mode .

    option

    -

    enable

    Option

    Description

    enable

    Enable server certificate key usage checking in CMP mode.

    disable

    Disable server certificate key usage checking in CMP mode.

    cert-expire-warning

    Number of days before a certificate expires to send a warning. Set to 0 to disable sending of the warning .

    integer

    Minimum value: 0 Maximum value: 100

    14

    certname-rsa1024

    1024 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_RSA1024

    certname-rsa2048

    2048 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_RSA2048

    certname-rsa4096

    4096 bit RSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_RSA4096

    certname-dsa1024

    1024 bit DSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_DSA1024

    certname-dsa2048

    2048 bit DSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_DSA2048

    certname-ecdsa256

    256 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_ECDSA256

    certname-ecdsa384

    384 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_ECDSA384

    certname-ecdsa521

    521 bit ECDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_ECDSA521

    certname-ed25519

    253 bit EdDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_ED25519

    certname-ed448

    456 bit EdDSA key certificate for re-signing server certificates for SSL inspection.

    string

    Not Specified

    Fortinet_SSL_ED448

    config crl-verification

    Parameter

    Description

    Type

    Size

    Default

    expiry

    CRL verification option when CRL is expired .

    option

    -

    ignore

    Option

    Description

    ignore

    Certificate status will be verified even if CRL is expired.

    revoke

    Certificate will be revoked if CRL is expired.

    leaf-crl-absence

    CRL verification option when leaf CRL is absent .

    option

    -

    ignore

    Option

    Description

    ignore

    CRL verification against leaf certificate is ignored if CRL is absent.

    revoke

    Certificate will be revoked if CRL of leaf certificate is absent.

    chain-crl-absence

    CRL verification option when CRL of any certificate in chain is absent .

    option

    -

    ignore

    Option

    Description

    ignore

    CRL verification is ignored if CRL of any certificate in chain is absent.

    revoke

    Certificate will be revoked if CRL of any certificate in chain is absent.
    Previous
    Next