config system certificate local

In order for FortiADC to authenticate client certificates, you can either generate a certificate signing request or upload trusted CA certificates to FortiADC. This configuration is automatically created after you have successfully imported an automated local certificate or have generated/regenerated a certificate signing request (CSR) file. As the records are automatically generated, editing is not recommended.

The information recorded in config system certificate local differs depending on the method used to authenticate the client certificate.

For the command to generate/regenerate a CSR file, see execute certificate local. For the command to import an automated local certificate, see execute certificate local import automated.

Record from generating/regenerating a certificate signing request

This configuration is automatically created after you have successfully generated/regenerated a CSR file.

Syntax

config system certificate local
    edit <name>
        set certificate-file <certificate-filename>
        set comments <string>
        set csr <csr>
        set password <passwd>
        set private-key-file <key-filename>
    next
end

certificate

Modify "contents" in certificate and private-key to "file".

comments

Optional administrator note.

csr

Paste the contents of a CSR file between quotation marks as shown in the example.

password

Password that was used to encrypt the file. The FortiADC system uses the password to decrypt and install the certificate.

private-key

Paste the contents of a key file between quotation marks as shown in the example.

Example

FortiADC-VM # config system certificate local
FortiADC-VM (local) # edit "csr"
FortiADC-VM (csr) # set private-key-file csr.key
FortiADC-VM (csr) # set csr-file csr.csr
FortiADC-VM (csr) # end

FortiADC-VM # config system certificate local
FortiADC-VM (local) # edit "new-local"
FortiADC-VM (new-local) # set private-key-file new-local.key
FortiADC-VM (new-local) # set certificate-file new-local.cer
FortiADC-VM (new-local) # end

Record from importing an automated local certificate

This configuration is automatically created after you have successfully imported an automated local certificate.

Syntax

config system certificate local
    edit <name>
        set acme_status <not_set|pending|ok|failed>
        set acme-domain <domain_name>
        set acme-server-url <URL>
        set acme-email <Email>
        set acme-key-type <RSA-2048|RSA-3072|RSA-4096|ECDSA-P256|ECDSA-P384|ECDSA-P521>
        set acme-renew-win <Integer>
        set acme-server-timeout <Integer>
        set acme-ca-group <CA Group>
        set private-key-file <key-filename>
        set certificate-file <certificate-filename>
    next
end

acme_status

The status of the ACME certificate:

  • not_set

  • pending

  • ok

  • failed

The default status is not_set.

acme-domain

The web server domain to be protected by the certificate.

acme-server-url

The ACME server URL.

acme-email

The email address to be used by ACME for renewal fail notices.

acme-key-type

The certificate type based on the key type:

  • RSA-2048

  • RSA-3072

  • RSA-4096

  • ECDSA-P256

  • ECDSA-P384

  • ECDSA-P521

acme-renew-win

How long (in minutes) before the certificate expires that renewal is attempted.

acme-server-timeout

The ACME server connection timeout (in seconds).

acme-ca-group

The CA certificate group used to verify the ACME API server's certificate.

Example

config system certificate local
    edit "acme_cert"
        set acme_status ok
        set acme-domain test01
        set acme-server-url https://10.3.0.204:14000/dir
        set acme-email test@example.com
        set acme-key-type RSA-2048
        set acme-renew-win 1
        set private-key-file test1-TLS-RSA-2048.key
        set certificate-file test1-TLS-RSA-2048.cer
    next
end
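Because these records are generated by the device rather than written by hand, an offline audit of a saved configuration is the practical way to catch a weak ACME record. The following is an added example, not Fortinet code: it parses a dump of config system certificate local (both the CSR records and the ACME records above) and flags the settings a reviewer would question. The sample input is constructed from the page's own example; the one-day minimum for acme-renew-win is this example's assumption.

```python
from typing import Dict, List

# Constructed sample input: the page's ACME example record, as it would
# appear in a saved "config system certificate local" block.
SAMPLE_CONFIG = """
config system certificate local
    edit "acme_cert"
        set acme_status ok
        set acme-domain test01
        set acme-server-url https://10.3.0.204:14000/dir
        set acme-email test@example.com
        set acme-key-type RSA-2048
        set acme-renew-win 1
        set private-key-file test1-TLS-RSA-2048.key
        set certificate-file test1-TLS-RSA-2048.cer
    next
end
"""

KEY_TYPES = {"RSA-2048", "RSA-3072", "RSA-4096",
             "ECDSA-P256", "ECDSA-P384", "ECDSA-P521"}  # values the page documents
MIN_RENEW_WIN = 1440  # assumption: at least one day; page documents the unit as minutes


def parse_local_certs(text: str) -> Dict[str, Dict[str, str]]:
    """Turn edit/set/next lines into {record name: {key: value}}."""
    records: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            records[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            records[current][key] = value.strip().strip('"')
        elif line in ("next", "end"):
            current = None
    return records


def audit_acme_record(rec: Dict[str, str]) -> List[str]:
    """Defensive checks on one ACME-managed record; returns readable findings."""
    findings: List[str] = []
    status = rec.get("acme_status", "not_set")
    if status in ("not_set", "failed"):
        findings.append(f"acme_status is {status}: ACME has not issued a certificate")
    if not rec.get("acme-server-url", "").startswith("https://"):
        findings.append("acme-server-url is not https")
    if "acme-ca-group" not in rec:
        findings.append("acme-ca-group missing: ACME server certificate is not verified against a CA group")
    if rec.get("acme-key-type") not in KEY_TYPES:
        findings.append(f"acme-key-type {rec.get('acme-key-type')!r} is not a documented value")
    win = rec.get("acme-renew-win", "0")
    if not win.isdigit() or int(win) < MIN_RENEW_WIN:
        findings.append(f"acme-renew-win {win} is below {MIN_RENEW_WIN} minutes: no margin for a failed renewal")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Audit every record carrying ACME fields; CSR-only records are skipped."""
    return {name: audit_acme_record(rec) for name, rec in parse_local_certs(text).items()
            if any(k.startswith("acme") for k in rec)}
```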
