Certificate Commands
Each SSL certificate installed on FortiADC has a CLI context that provides commands for managing the certificate and its associated private key. Certificates, private keys, and CRLs (see the following section) are used by FortiADC to provide SSL offloading for HTTPS clusters.
In SSL offloading, FortiADC terminates the SSL connection with the client, decrypts the client request using a certificate and key, sends the request on to the appropriate server, and encrypts the server response before forwarding it on to the client.
Certificates are uploaded to FortiADC and then associated with one or more clusters. Two types of certificates may be used to authenticate HTTPS cluster connections:
- A cluster certificate is required to authenticate the cluster to the client and to decrypt the client request (these are also called server certificates). For cluster certificates, both a certificate file and a private key file must be uploaded to FortiADC.
- A cluster may also be configured to ask for, or require, a client certificate -- a certificate used to authenticate the client to FortiADC. For client certificates, only a certificate file is uploaded to FortiADC (no key file is used).
Supported certificate commands are shown in the following tables.

Top-level certificate commands:

| Command | Description |
| --- | --- |
| eqcli > certificate certname [cmd ...] | Create certname (req_cmds = * commands below) |
| eqcli > certificate certname cmd ... | Modify certname (cmd = any commands below) |
| eqcli > no certificate certname | Delete certname |
| eqcli > show certificate [certname] | Display all certificates or certname |
| eqcli > certificate certname | Change to "cert-certname" context (see below) |

Commands in the cert-certname context:

| Command | Description |
| --- | --- |
| eqcli cert-certname> certfile {edit\|url} | Upload SSL certificate |
| eqcli cert-certname> keyfile {edit\|url} | Upload private key |
| eqcli cert-certname> show | Display the certificate configuration |
The arguments to the certfile and keyfile commands are:
edit - Launch an editor to supply the content of the certificate or key file.
url - Download the certificate or key file from an ftp:// or http:// URL supplied on the command line. Both protocols transfer the file unencrypted, so a private key fetched with keyfile url crosses the network in the clear; keep that transfer on a trusted network or use edit to paste the key directly.
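The checks a practitioner would run before typing certfile and keyfile into a cert-certname context, as an added example (not Fortinet code): it parses the PEM files, enforces the file requirements the text gives for cluster and client certificates, rejects url arguments outside ftp:// and http://, and emits the eqcli command sequence. Function names, the PEM payloads and the hostnames are constructed for the example.

```python
# Pre-upload checks for FortiADC certificate files. Added example, not Fortinet code;
# the rules encode the text above: a cluster certificate needs certfile + keyfile,
# a client certificate needs certfile only, and `url` takes ftp:// or http://.
# Function names and the sample PEM payloads below are constructed for this example.
import base64
import re
from urllib.parse import urlparse
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def make_pem(label, payload):
    # Wrap payload bytes in a PEM block (only used to build sample input here).
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

def pem_labels(text):
    """Labels of every well-formed PEM block; a corrupt base64 body raises."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels

def check_certfile(text):
    """certfile needs a CERTIFICATE block and must not smuggle in a private key."""
    labels = pem_labels(text)
    if "CERTIFICATE" not in labels:
        return "certfile: no CERTIFICATE block"
    if any(lbl.endswith("PRIVATE KEY") for lbl in labels):
        return "certfile: contains a private key; upload keys with keyfile only"
    return None

def check_keyfile(text):
    """keyfile must carry exactly one private key block."""
    keys = [lbl for lbl in pem_labels(text) if lbl.endswith("PRIVATE KEY")]
    return None if len(keys) == 1 else f"keyfile: expected 1 private key, found {len(keys)}"

def check_upload_url(url):
    """The url argument must be an ftp:// or http:// URL."""
    scheme = urlparse(url).scheme
    return None if scheme in ("ftp", "http") else f"url: unsupported scheme {scheme!r}"

def plan_upload(certname, kind, cert_pem, key_pem=None):
    """eqcli command sequence for a 'cluster' or 'client' certificate, or ValueError."""
    problems = [check_certfile(cert_pem)]
    if kind == "cluster":
        problems.append(check_keyfile(key_pem) if key_pem else "cluster certificate needs a keyfile")
    elif key_pem is not None:
        problems.append("client certificate takes no keyfile")
    if any(problems):
        raise ValueError("; ".join(p for p in problems if p))
    return [f"certificate {certname}", "certfile edit"] + (["keyfile edit"] if kind == "cluster" else [])

# Constructed sample input: placeholder bytes, not real DER.
SAMPLE_CERT = make_pem("CERTIFICATE", b"constructed certificate")
SAMPLE_KEY = make_pem("PRIVATE KEY", b"constructed key")
```

plan_upload("web", "cluster", SAMPLE_CERT, SAMPLE_KEY) returns the three commands to type, in order; a certfile that also carries the key, or a client certificate given a key, raises with every problem listed.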