Uploading a certificate using the CLI
Generate certificate signing request
The generated CSR must be signed by a CA then loaded to the FortiGate. See Generate certificate signing request for more details.
To generate a CSR:
# execute vpn certificate local generate cmp <certificate_name> <key_size> <server> <path> <server_certificate> <auth_certificate> <user> <password> <subject> [SANs] [ip]
# execute vpn certificate local generate default-ssl-ca
# execute vpn certificate local generate default-ssl-key-certs
# execute vpn certificate local generate default-ssl-serv-key
# execute vpn certificate local generate ec <certificate_name> <curve_name> <subject> <country> <state/province> <city> <organization> <OU> <email> [SANs] [options]
# execute vpn certificate local generate rsa <certificate_name> <key_size> <subject> <country> <state/province> <city> <organization> <OU> <email> [SANs] [options]
cmp |
Generate a certificate request over CMPv2. |
default-ssl-ca |
Generate the default CA certificate used by SSL Inspection. |
default-ssl-ca-untrusted |
Generate the default untrusted CA certificate used by SSL Inspection. |
default-ssl-key-certs |
Generate the default RSA, DSA and ECDSA key certs for ssl resign. |
default-ssl-serv-key |
Generate the default server key used by SSL Inspection. |
ec |
Generate an elliptic curve certificate request. |
rsa |
Generate a RSA certificate request. |
Import
Any certificate uploaded to a VDOM is only accessible to that VDOM. Any certificate uploaded to the Global VDOM is globally accessible by all VDOMs.
A signed certificate that is created using a CSR that was generated by the FortiGate does not include a private key, and can be imported to the FortiGate from a TFTP file server.
To import a certificate that does not require a private key:
# execute vpn certificate local import tftp <file_name> <server_address> <cert_type> [password]
To import a certificate that requires a private key to a VDOM, or when VDOMs are disabled:
config vpn certificate {local | ca | remote | ocsp-server | crl}
Refer to the FortiOS CLI Reference for detailed options for each certificate type (local, CA, remote, OSCP server, CRL).
To import a global certificate that requires a private key when VDOMs are enabled:
config certificate {local | ca | remote | crl}
This command is only available when VDOMs are enabled. For details, see the FortiOS CLI Reference.