Uploading a certificate using the CLI

Generate certificate signing request

The generated CSR must be signed by a CA and then loaded onto the FortiGate. See Generate certificate signing request for more details.

To generate a CSR:
# execute vpn certificate local generate cmp <certificate_name> <key_size> <server> <path> <server_certificate> <auth_certificate> <user> <password> <subject> [SANs] [ip]
# execute vpn certificate local generate default-ssl-ca
# execute vpn certificate local generate default-ssl-ca-untrusted
# execute vpn certificate local generate default-ssl-key-certs
# execute vpn certificate local generate default-ssl-serv-key
# execute vpn certificate local generate ec <certificate_name> <curve_name> <subject> <country> <state/province> <city> <organization> <OU> <email> [SANs] [options]
# execute vpn certificate local generate rsa <certificate_name> <key_size> <subject> <country> <state/province> <city> <organization> <OU> <email> [SANs] [options]

cmp

Generate a certificate request over CMPv2.

default-ssl-ca

Generate the default CA certificate used by SSL Inspection.

default-ssl-ca-untrusted

Generate the default untrusted CA certificate used by SSL Inspection.

default-ssl-key-certs

Generate the default RSA, DSA, and ECDSA key certificates used for SSL re-signing.

default-ssl-serv-key

Generate the default server key used by SSL Inspection.

ec

Generate an elliptic curve certificate request.

rsa

Generate an RSA certificate request.

Import

Any certificate uploaded to a VDOM is only accessible to that VDOM. Any certificate uploaded to the Global VDOM is globally accessible by all VDOMs.

A signed certificate that is created using a CSR that was generated by the FortiGate does not include a private key, and can be imported to the FortiGate from a TFTP file server.

To import a certificate that does not require a private key:
# execute vpn certificate local import tftp <file_name> <server_address> <cert_type> [password]

To import a certificate that requires a private key to a VDOM, or when VDOMs are disabled:
config vpn certificate {local | ca | remote | ocsp-server | crl}

Refer to the FortiOS CLI Reference for detailed options for each certificate type (local, CA, remote, OCSP server, CRL).

To import a global certificate that requires a private key when VDOMs are enabled:
config certificate {local | ca | remote | crl}

This command is only available when VDOMs are enabled. For details, see the FortiOS CLI Reference.
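Because the signed certificate that comes back from the CA carries no private key, a file that does not belong to the key generated on the FortiGate would import cleanly and then never work, and a file signed by the wrong CA would fail in the same quiet way. The script below is an added example, not part of this Fortinet page or of FortiOS: it runs OpenSSL on an administrator workstation and checks, before the certificate is staged on the TFTP server for the import command above, that the certificate's public key is the one in the CSR and that it chains to the expected CA. A locally generated key and CSR stand in for the ones the FortiGate would produce with execute vpn certificate local generate rsa, and the lab CA, subject names and file names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not FortiOS code): sanity-check a CA-signed certificate before
# staging it on the TFTP server for 'execute vpn certificate local import tftp'.
# Assumes openssl 1.1.1 or newer on the admin workstation. Every file below is
# constructed here; nothing is read from a real FortiGate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the FortiGate: the private key stays on the device, only the
# CSR is sent to the CA.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" \
  -subj "/C=US/ST=CA/L=Sunnyvale/O=Example Corp/OU=IT/CN=vpn.example.com" >/dev/null 2>&1

# Throwaway lab CA (constructed for the example) and the certificate it returns.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/ca.key" \
  -out "$WORK/ca.crt" -subj "/CN=Example Lab CA" >/dev/null 2>&1
openssl x509 -req -in "$WORK/fgt.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -out "$WORK/fgt.crt" >/dev/null 2>&1

# A second CSR for the same name but a different key: what a mix-up at the CA
# (or a file from the wrong ticket) looks like.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/other.key" -out "$WORK/other.csr" \
  -subj "/CN=vpn.example.com" >/dev/null 2>&1

# SHA-256 of the DER SubjectPublicKeyInfo, so a CSR and a certificate can be
# compared without ever touching the private key.  $1 = 'req' or 'x509', $2 = file.
spki_fingerprint() {
  openssl "$1" -in "$2" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the certificate was issued for the key behind the CSR.  $1 = csr, $2 = cert.
cert_matches_csr() {
  [ "$(spki_fingerprint req "$1")" = "$(spki_fingerprint x509 "$2")" ]
}

# Returns 0 when the certificate chains to the CA we expect signed it.  $1 = CA bundle, $2 = cert.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Subject CN of a certificate, to confirm the CA did not alter the requested name.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

if cert_matches_csr "$WORK/fgt.csr" "$WORK/fgt.crt" && cert_chains_to_ca "$WORK/ca.crt" "$WORK/fgt.crt"; then
  echo "OK: $(cert_cn "$WORK/fgt.crt") matches the FortiGate CSR and chains to the CA; stage it on TFTP"
else
  echo "REJECT: certificate does not belong to this CSR or does not chain to the expected CA"
  exit 1
fi
```

Run it once against the real CSR, the CA's response and the CA bundle you intend to trust; comparing the SubjectPublicKeyInfo rather than the subject string is what catches a certificate issued for the right name but the wrong key, which a subject-only comparison would pass.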