CLI Reference

config system certificate remote

Use this command to configure a remote certificate. You can enable OCSP by importing an OCSP CA or specifying an OCSP URL. To use the configuration in a certificate verify configuration, you must add both an OCSP CA and a URL.

OCSP enables you to validate or revoke certificates by query, rather than by importing certificate revocation list (CRL) files. Distributing and installing CRL files can be a considerable burden in large organizations, and the delay between the release of a CRL and its installation represents a vulnerability window, so OCSP is often preferable.

To use OCSP queries, you must first install the certificates of trusted OCSP/CRL servers.

Before you begin:

  • You must know the URL of an OCSP server or have downloaded the certificate and key files and be able to browse to them so that you can upload them.
  • You must have read-write permission for system settings.

Syntax

    config system certificate remote
      edit "cert"
        set certificate-file cert.cer
      next
    end

cert: Paste the contents of a CA file between the quotation marks (" "), as shown in the example below.

Example

    FortiADC-VM # config system certificate remote
    FortiADC-VM (remote) # edit new-remote-ca
    FortiADC-VM (new-remote-ca) # set certificates-file new-remote-ca.cer
    FortiADC-VM (new-remote-ca) # end
