config vpn certificate setting
VPN certificate setting.
config vpn certificate setting Description: VPN certificate setting. set cert-expire-warning {integer} set certname-dsa1024 {string} set certname-dsa2048 {string} set certname-ecdsa256 {string} set certname-ecdsa384 {string} set certname-ecdsa521 {string} set certname-ed25519 {string} set certname-ed448 {string} set certname-rsa1024 {string} set certname-rsa2048 {string} set certname-rsa4096 {string} set check-ca-cert [enable|disable] set check-ca-chain [enable|disable] set cmp-key-usage-checking [enable|disable] set cmp-save-extra-certs [enable|disable] set cn-allow-multi [disable|enable] set cn-match [substring|value] config crl-verification Description: CRL verification options. set chain-crl-absence [ignore|revoke] set expiry [ignore|revoke] set leaf-crl-absence [ignore|revoke] end set interface {string} set interface-select-method [auto|sdwan|...] set ocsp-default-server {string} set ocsp-option [certificate|server] set ocsp-status [enable|mandatory|...] set proxy {string} set proxy-password {password} set proxy-port {integer} set proxy-username {string} set source-ip {string} set ssl-min-proto-version [default|SSLv3|...] set strict-ocsp-check [enable|disable] set subject-match [substring|value] set subject-set [subset|superset] end
config vpn certificate setting
Parameter |
Description |
Type |
Size |
Default |
||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
cert-expire-warning |
Number of days before a certificate expires to send a warning. Set to 0 to disable sending of the warning. |
integer |
Minimum value: 0 Maximum value: 100 |
14 |
||||||||||||||
certname-dsa1024 |
1024 bit DSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_DSA1024 |
||||||||||||||
certname-dsa2048 |
2048 bit DSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_DSA2048 |
||||||||||||||
certname-ecdsa256 |
256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ECDSA256 |
||||||||||||||
certname-ecdsa384 |
384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ECDSA384 |
||||||||||||||
certname-ecdsa521 |
521 bit ECDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ECDSA521 |
||||||||||||||
certname-ed25519 |
253 bit EdDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ED25519 |
||||||||||||||
certname-ed448 |
456 bit EdDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ED448 |
||||||||||||||
certname-rsa1024 |
1024 bit RSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_RSA1024 |
||||||||||||||
certname-rsa2048 |
2048 bit RSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_RSA2048 |
||||||||||||||
certname-rsa4096 |
4096 bit RSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_RSA4096 |
||||||||||||||
check-ca-cert |
Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted. |
option |
- |
enable |
||||||||||||||
|
|
|||||||||||||||||
check-ca-chain |
Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted. |
option |
- |
disable |
||||||||||||||
|
|
|||||||||||||||||
cmp-key-usage-checking |
Enable/disable server certificate key usage checking in CMP mode. |
option |
- |
enable |
||||||||||||||
|
|
|||||||||||||||||
cmp-save-extra-certs |
Enable/disable saving extra certificates in CMP mode. |
option |
- |
disable |
||||||||||||||
|
|
|||||||||||||||||
cn-allow-multi |
When searching for a matching certificate, allow multiple CN fields in certificate subject name. |
option |
- |
enable |
||||||||||||||
|
|
|||||||||||||||||
cn-match |
When searching for a matching certificate, control how to do CN value matching with certificate subject name. |
option |
- |
substring |
||||||||||||||
|
|
|||||||||||||||||
interface |
Specify outgoing interface to reach server. |
string |
Maximum length: 15 |
|
||||||||||||||
interface-select-method |
Specify how to select outgoing interface to reach server. |
option |
- |
auto |
||||||||||||||
|
|
|||||||||||||||||
ocsp-default-server |
Default OCSP server. |
string |
Maximum length: 35 |
|
||||||||||||||
ocsp-option |
Specify whether the OCSP URL is from certificate or configured OCSP server. |
option |
- |
server |
||||||||||||||
|
|
|||||||||||||||||
ocsp-status |
Enable/disable receiving certificates using the OCSP. |
option |
- |
disable |
||||||||||||||
|
|
|||||||||||||||||
proxy |
Proxy server FQDN or IP for OCSP/CA queries during certificate verification. |
string |
Maximum length: 127 |
|
||||||||||||||
proxy-password |
Proxy server password. |
password |
Not Specified |
|
||||||||||||||
proxy-port |
Proxy server port. |
integer |
Minimum value: 1 Maximum value: 65535 |
8080 |
||||||||||||||
proxy-username |
Proxy server user name. |
string |
Maximum length: 63 |
|
||||||||||||||
source-ip |
Source IP address for dynamic AIA and OCSP queries. |
string |
Maximum length: 63 |
|
||||||||||||||
ssl-min-proto-version |
Minimum supported protocol version for SSL/TLS connections. |
option |
- |
default |
||||||||||||||
|
|
|||||||||||||||||
strict-ocsp-check |
Enable/disable strict mode OCSP checking. |
option |
- |
disable |
||||||||||||||
|
|
|||||||||||||||||
subject-match |
When searching for a matching certificate, control how to do RDN value matching with certificate subject name. |
option |
- |
substring |
||||||||||||||
|
|
|||||||||||||||||
subject-set |
When searching for a matching certificate, control how to do RDN set matching with certificate subject name. |
option |
- |
subset |
||||||||||||||
|
|
config crl-verification
Parameter |
Description |
Type |
Size |
Default |
||||||
---|---|---|---|---|---|---|---|---|---|---|
chain-crl-absence |
CRL verification option when CRL of any certificate in chain is absent. |
option |
- |
ignore |
||||||
|
|
|||||||||
expiry |
CRL verification option when CRL is expired. |
option |
- |
ignore |
||||||
|
|
|||||||||
leaf-crl-absence |
CRL verification option when leaf CRL is absent. |
option |
- |
ignore |
||||||
|
|