CLI Reference

certificate

Use these commands to manage certificates.

certificate ca

Use these commands to list, import, or export CA certificates.

Syntax

To list the CA certificates installed on the FortiAnalyzer unit:

execute certificate ca list

To export or import CA certificates:

execute certificate ca {<export>|<import>} <cert_name> <tftp_ip>

Variable - Description

list - Generate a list of CA certificates on the FortiAnalyzer system.

<export> - Export the CA certificate to a TFTP server.

<import> - Import the CA certificate from a TFTP server.

<cert_name> - Name of the certificate.

<tftp_ip> - IP address of the TFTP server.

certificate local

Use these commands to list, import, or export local certificates, and to generate a certificate request.

Syntax

execute certificate local export <cert_name> <tftp_ip>

execute certificate local import <cert_name> <tftp_ip>

execute certificate local import-pkcs12 {ftp | scp | sftp} <ip:port> <filename> <username> <password> <password> <name>

execute certificate local generate <certificate-name-string> <subject> <number> [<optional_information>]

execute certificate local list

Variable - Description

export <cert_name> <tftp_ip> - Export a certificate or request to a TFTP server.

  • cert_name - Name of the certificate.
  • tftp_ip - IP address of the TFTP server.

import <cert_name> <tftp_ip> - Import a signed certificate from a TFTP server.

import-pkcs12 {ftp | scp | sftp} <ip:port> <filename> <username> <password> <password> <name> - Import a certificate and private key from a PKCS#12 file.

  • ftp, scp, sftp - The type of server the file will be imported from.
  • ip:port - The server IP address and, optionally, the port number.
  • filename - The path and file name on the server.
  • username - The user name on the server.
  • password - The user password.
  • password - The file password.
  • name - The certificate name.

generate <certificate-name_str> <number> <subject> [<optional_information>] - Generate a certificate request.

  • certificate-name-string - Enter a name for the certificate. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
  • number - The size, in bits, of the encryption key: 512, 1024, 1536, or 2048.
  • subject - Enter one of the following pieces of information to identify the FortiAnalyzer unit being certified:
    • The FortiAnalyzer unit IP address
    • The fully qualified domain name of the FortiAnalyzer unit
    • An email address that identifies the FortiAnalyzer unit
    An IP address or domain name is preferable to an email address.
  • optional_information - Enter optional_information as required to further identify the unit. See Optional information variables for more information.

list - Generate a list of CA certificates and requests that are on the FortiAnalyzer system.

Optional information variables

You must enter the optional variables in the order that they are listed in the table. To enter any optional variable you must enter all of the variables that come before it in the list.

For example, to enter the organization_name_str, you must first enter the country_code_str, state_name_str, and city_name_str.

While entering optional variables, you can type ? for help on the next required variable.

Variable - Description

<country_code_str> - Enter the two-character country code.

<state_name_str> - Enter the name of the state or province where the FortiAnalyzer unit is located.

<city_name_str> - Enter the name of the city, or town, where the person or organization certifying the FortiAnalyzer unit resides.

<organization-name_str> - Enter the name of the organization that is requesting the certificate for the FortiAnalyzer unit.

<organization-unit_name_str> - Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiAnalyzer unit.

<email_address_str> - Enter a contact email address for the FortiAnalyzer unit.
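
The ordering rule for optional variables and the name and key-size constraints of generate can be checked before anything is typed on the unit. The following Python is an added example, not Fortinet code: the function names, the dictionary keys and the 2048-bit policy minimum are assumptions of the example, and the token order is taken from the Syntax line above.

```python
import re

# Optional variables in table order; the keys are this example's own names
# for the page's <..._str> variables (hypothetical, not CLI keywords).
OPTIONAL_ORDER = ["country_code", "state_name", "city_name",
                  "organization_name", "organization_unit_name", "email_address"]
ALLOWED_KEY_BITS = (512, 1024, 1536, 2048)  # sizes listed on the page
MIN_POLICY_BITS = 2048                      # assumed local policy, not from the page
NAME_RE = re.compile(r"[0-9A-Za-z_-]+")     # characters the page allows in the name


def optional_args(fields):
    """Return optional values in table order; fail if an earlier one is missing."""
    unknown = set(fields) - set(OPTIONAL_ORDER)
    if unknown:
        raise ValueError(f"unknown optional variables: {sorted(unknown)}")
    args, gap = [], None
    for key in OPTIONAL_ORDER:
        value = fields.get(key)
        if not value:
            gap = gap or key  # first variable left empty
            continue
        if gap:
            raise ValueError(f"{key} requires {gap} to be entered first")
        if key == "country_code" and len(value) != 2:
            raise ValueError("country code must be two characters")
        args.append(value)
    return args


def build_generate_args(name, subject, key_bits, optional=None):
    """Validate inputs; return (command tokens, warnings) for a certificate request."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name may contain only 0-9, A-Z, a-z, '-' and '_'")
    if key_bits not in ALLOWED_KEY_BITS:
        raise ValueError(f"key size must be one of {ALLOWED_KEY_BITS}")
    warnings = []
    if key_bits < MIN_POLICY_BITS:
        warnings.append(f"{key_bits}-bit key is below the assumed minimum of {MIN_POLICY_BITS}")
    if "@" in subject:
        warnings.append("subject is an email address; prefer an IP address or domain name")
    # Token order follows the Syntax line: name, subject, number, optional values.
    tokens = ["execute", "certificate", "local", "generate", name, subject, str(key_bits)]
    return tokens + optional_args(optional or {}), warnings


if __name__ == "__main__":
    # Constructed sample values.
    print(build_generate_args("faz-mgmt_01", "faz.example.com", 2048,
                              {"country_code": "CA", "state_name": "Ontario"}))
```

The tokens are returned as a list so that values containing spaces stay intact; how such values are quoted on the CLI is left to the operator.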

certificate remote

Use these commands to list, import, or export remote certificates.

Syntax

To list the remote certificates installed on the FortiAnalyzer unit:

execute certificate remote list

To export or import remote certificates:

execute certificate remote {<export>|<import>} <cert_name> <tftp_ip>

Variable - Description

list - Generate a list of remote certificates on the FortiAnalyzer system.

<export> - Export the certificate to a TFTP server.

<import> - Import the certificate from a TFTP server.

<cert_name> - Name of the certificate.

<tftp_ip> - IP address of the TFTP server.
