Fortinet white logo
Fortinet white logo

CLI Reference

certificate

certificate

Use the following commands to configure certificate related settings.

certificate ca

Use this command to install Certificate Authority (CA) root certificates.

When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the Certificate Revocation List (CRL).

The process for obtaining and installing certificates is as follows:
  1. Use the execute certificate local generate command to generate a CSR.
  2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
  3. Use the system certificate local command to install the signed local certificate.
  4. Use the system certificate ca command to install the CA certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax

config system certificate ca

edit <ca_name>

set ca <certificate>

set comment <string>

end

Variable

Description

<ca_name>

Enter a name for the CA certificate (character limit = 35).

ca <certificate>

Enter or retrieve the CA certificate in PEM format.

comment <string>

Optionally, enter a descriptive comment (character limit = 127).

certificate crl

Use this command to configure CRLs.

Syntax

config system certificate crl

edit <name>

set crl <crl>

set comment <string>

set http-url <string>

set update-interval <integer>

end

Variable

Description

<name>

Enter a name for the CRL (character limit = 35).

crl <crl>

Enter or retrieve the CRL in PEM format.

comment <string>

Optionally, enter a descriptive comment for this CRL (character limit = 127).

http-url <string>

Set the HTTP server URL for CRL auto-update.

update-interval <integer>

Set the CRL auto-update interval, in minutes (minimum = 3, default = 1440).

certificate local

Use this command to install local certificates. When a CA processes your CSR, it sends you the CA certificate, the signed local certificate and the CRL.

The process for obtaining and installing certificates is as follows:
  1. Use the execute certificate local generate command to generate a CSR.
  2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
  3. Use the system certificate local command to install the signed local certificate.
  4. Use the system certificate ca command to install the CA certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax

config system certificate local

edit <cert_name>

set password <passwd>

set comment <string>

set certificate <certificate_PEM>

set private-key <prkey>

set csr <csr_PEM>

next

end

Variable

Description

<cert_name>

Enter the local certificate name (character limit = 35).

password <passwd>

Enter the local certificate password (character limit = 67).

comment <string>

Enter any relevant information about the certificate (character limit = 127).

certificate <certificate_PEM>

Enter the signed local certificate in PEM format.

You should not modify the following variables if you generated the CSR on this unit.

private-key <prkey>

The private key in PEM format.

csr <csr_PEM>

The CSR in PEM format.

certificate oftp

Use this command to install OFTP certificates and keys.

Syntax

config system certificate oftp

set certificate <certificate>

set comment <string>

set local {Fortinet_Local | Fortinet_local2}

set mode {custom | default | local}

set password <passwd>

set private-key <key>

end

Variable

Description

certificate <certificate>

PEM format certificate.

comment <string>

OFTP certificate comment (character limit = 127).

local {Fortinet_Local | Fortinet_local2}

Choose from the two available local certificates.

mode {custom | default | local}

Mode of certificates used by OFTPD (default= default):

  • custom: Use a custom certificate.
  • default: Default mode.
  • local: Use a local certificate.

password <passwd>

Password for encrypted 'private-key', unset for non-encrypted.

private-key <key>

PEM format private key.

certificate remote

Use this command to install remote certificates

Syntax

config system certificate remote

edit <cert_name>

set cert <certificate>

set comment <string>

next

end

Variable

Description

<cert_name>

Enter the remote certificate name (character limit = 35).

cert <certificate>

The remote certificate.

comment <string>

Optionally, enter a descriptive comment (character limit = 127).

certificate ssh

Use this command to install SSH certificates and keys.

The process for obtaining and installing certificates is as follows:
  1. Use the execute certificate local generate command to generate a CSR.
  2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
  3. Use the system certificate local command to install the signed local certificate.
  4. Use the system certificate ca command to install the CA certificate.
  5. Use the system certificate SSH command to install the SSH certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax

config system certificate ssh

edit <name>

set comment <comment_text>

set certificate <certificate>

set private-key <key>

end

Variable

Description

<name>

Enter the SSH certificate name (character limit = 63).

comment <comment_text>

Enter any relevant information about the certificate (character limit = 127).

certificate <certificate>

Enter the signed SSH certificate in PEM format.

You should not modify the following variables if you generated the CSR on this unit.

private-key <key>

The private key in PEM format.

certificate

certificate

Use the following commands to configure certificate related settings.

certificate ca

Use this command to install Certificate Authority (CA) root certificates.

When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the Certificate Revocation List (CRL).

The process for obtaining and installing certificates is as follows:
  1. Use the execute certificate local generate command to generate a CSR.
  2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
  3. Use the system certificate local command to install the signed local certificate.
  4. Use the system certificate ca command to install the CA certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax

config system certificate ca

edit <ca_name>

set ca <certificate>

set comment <string>

end

Variable

Description

<ca_name>

Enter a name for the CA certificate (character limit = 35).

ca <certificate>

Enter or retrieve the CA certificate in PEM format.

comment <string>

Optionally, enter a descriptive comment (character limit = 127).

certificate crl

Use this command to configure CRLs.

Syntax

config system certificate crl

edit <name>

set crl <crl>

set comment <string>

set http-url <string>

set update-interval <integer>

end

Variable

Description

<name>

Enter a name for the CRL (character limit = 35).

crl <crl>

Enter or retrieve the CRL in PEM format.

comment <string>

Optionally, enter a descriptive comment for this CRL (character limit = 127).

http-url <string>

Set the HTTP server URL for CRL auto-update.

update-interval <integer>

Set the CRL auto-update interval, in minutes (minimum = 3, default = 1440).

certificate local

Use this command to install local certificates. When a CA processes your CSR, it sends you the CA certificate, the signed local certificate and the CRL.

The process for obtaining and installing certificates is as follows:
  1. Use the execute certificate local generate command to generate a CSR.
  2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
  3. Use the system certificate local command to install the signed local certificate.
  4. Use the system certificate ca command to install the CA certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax

config system certificate local

edit <cert_name>

set password <passwd>

set comment <string>

set certificate <certificate_PEM>

set private-key <prkey>

set csr <csr_PEM>

next

end

Variable

Description

<cert_name>

Enter the local certificate name (character limit = 35).

password <passwd>

Enter the local certificate password (character limit = 67).

comment <string>

Enter any relevant information about the certificate (character limit = 127).

certificate <certificate_PEM>

Enter the signed local certificate in PEM format.

You should not modify the following variables if you generated the CSR on this unit.

private-key <prkey>

The private key in PEM format.

csr <csr_PEM>

The CSR in PEM format.

certificate oftp

Use this command to install OFTP certificates and keys.

Syntax

config system certificate oftp

set certificate <certificate>

set comment <string>

set local {Fortinet_Local | Fortinet_local2}

set mode {custom | default | local}

set password <passwd>

set private-key <key>

end

Variable

Description

certificate <certificate>

PEM format certificate.

comment <string>

OFTP certificate comment (character limit = 127).

local {Fortinet_Local | Fortinet_local2}

Choose from the two available local certificates.

mode {custom | default | local}

Mode of certificates used by OFTPD (default= default):

  • custom: Use a custom certificate.
  • default: Default mode.
  • local: Use a local certificate.

password <passwd>

Password for encrypted 'private-key', unset for non-encrypted.

private-key <key>

PEM format private key.

certificate remote

Use this command to install remote certificates

Syntax

config system certificate remote

edit <cert_name>

set cert <certificate>

set comment <string>

next

end

Variable

Description

<cert_name>

Enter the remote certificate name (character limit = 35).

cert <certificate>

The remote certificate.

comment <string>

Optionally, enter a descriptive comment (character limit = 127).

certificate ssh

Use this command to install SSH certificates and keys.

The process for obtaining and installing certificates is as follows:
  1. Use the execute certificate local generate command to generate a CSR.
  2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
  3. Use the system certificate local command to install the signed local certificate.
  4. Use the system certificate ca command to install the CA certificate.
  5. Use the system certificate SSH command to install the SSH certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax

config system certificate ssh

edit <name>

set comment <comment_text>

set certificate <certificate>

set private-key <key>

end

Variable

Description

<name>

Enter the SSH certificate name (character limit = 63).

comment <comment_text>

Enter any relevant information about the certificate (character limit = 127).

certificate <certificate>

Enter the signed SSH certificate in PEM format.

You should not modify the following variables if you generated the CSR on this unit.

private-key <key>

The private key in PEM format.