Use this command to configure a remote certificate. You can enable OCSP by importing an OCSP CA or specifying an OSCP URL. If you want to use the configuration in a certificate verify configuration, you must add both an OCSP CA and URL.
OCSP enables you to validate or revoke certificates by query, rather than by importing certificate revocation list (CRL) files. Since distributing and installing CRL files can be a considerable burden in large organizations, and because delay between the release and install of the CRL represents a vulnerability window, this can often be preferable.
To use OCSP queries, you must first install the certificates of trusted OCSP/CRL servers.
Before you begin:
- You must know the URL of an OCSP server or have downloaded the certificate and key files and be able to browse to them so that you can upload them.
- You must have read-write permission for system settings.
config system certificate remote
set certificate-file cert.cer
Paste the contents of a CA file between the quotation marks (" "), as shown in the example below.
FortiADC-VM # config system certificate remote
FortiADC-VM (remote) # edit new-remote-ca
FortiADC-VM (new-remote-ca) # set certificates-file new-remote-ca.cer
FortiADC-VM (new-remote-ca) # end