
Replacing the Default Certificate, Key, and Cipherspec

Using FortiADC's Remote Management commands in the CLI, you can replace the default certificate, key, and cipher spec that are used with HTTPS services on subnets with custom certificates, keys and cipher specs.

The process includes:

Uploading the Custom Certificate and Key File

Enter the following to upload a certificate and key file:

  1. Enter the name of the new certificate and upload it as follows:

eqcli > certificate certificatename certfile URL

where URL downloads the certfile using ftp:// or http:// protocol.

  2. Upload the new key file. The key file must have the same name as the certificate.

eqcli > certificate certificatename keyfile URL

where URL downloads the keyfile using ftp:// or http:// protocol.

Entering the Certificate and Key file to be Used with HTTPS Services

  1. Set the certfile and keyfile to use using the CLI remote management commands. The keyfile has the same name as the certfile and will be used automatically.

eqcli > remote-mgmt certificate certificatename

  2. Now view the remote management configuration. The example that follows shows that the custom certificate has been added:

eqcli > show remote-mgmt

Options           Value
Cipherspec        AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:AES256-SHA:!SSLv2
Certificate       custom certificate
Protocols         tls10
 
eqcli >

Replacing the Default Cipherspec with a Custom Cipherspec

  1. Enter the custom cipherspec as follows:

eqcli > remote-mgmt cipherspec cipherspec

where cipherspec is the new, custom cipherspec to be used.

Setting the Encryption Levels

  1. Configure the encryption levels that will be used in communications between the client and the ADC. The default encryption level is TLSv1.0 (tls10).

eqcli > protocol protocol

where protocol can be sslv3, tls10 (default), tls11, or tls12. Multiple protocols in the syntax can be delimited by "," or "|".

You can also turn off one of the protocols in the list by prefixing it with "!". For example, if you have configured all of the encryption levels to be used and want to remove tls12, enter eqcli > protocol !tls12. tls12 would then be removed from the list. When multiple protocols are enabled, the client and ADC will use the highest level that both support.
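As an added illustration (not FortiADC code or output) of the protocol list syntax above, the following Python models the "," / "|" delimiters, the "!" removal prefix, and the highest-available selection between client and ADC. It assumes that a spec containing positive entries replaces the current list while "!" entries remove from it; that add/replace behaviour is an assumption, not something the page states.

```python
import re

# Ascending order: later entries are newer protocol versions.
PROTOCOLS = ["sslv3", "tls10", "tls11", "tls12"]
DEFAULT = ["tls10"]  # the page's stated default (tls10)


def apply_protocol_spec(current, spec):
    """Apply a remote-mgmt protocol spec to the currently enabled list.

    Tokens are split on "," or "|". Positive tokens (assumption) replace the
    list; "!name" tokens remove name from it. Unknown names and an empty
    result raise ValueError. Returns the enabled list in ascending order.
    """
    tokens = [t.strip().lower() for t in re.split(r"[,|]", spec) if t.strip()]
    positives = [t for t in tokens if not t.startswith("!")]
    negatives = [t[1:] for t in tokens if t.startswith("!")]
    for name in positives + negatives:
        if name not in PROTOCOLS:
            raise ValueError(f"unknown protocol: {name}")
    enabled = set(positives) if positives else set(current)
    enabled.difference_update(negatives)
    if not enabled:
        raise ValueError("at least one protocol must remain enabled")
    return [p for p in PROTOCOLS if p in enabled]


def negotiated(adc_protocols, client_protocols):
    """Highest protocol offered by both sides, or None if there is no overlap."""
    common = [p for p in PROTOCOLS if p in adc_protocols and p in client_protocols]
    return common[-1] if common else None


def weakest_enabled(protocols):
    """Lowest enabled version; the value to review when hardening remote-mgmt."""
    return next(p for p in PROTOCOLS if p in protocols)


if __name__ == "__main__":
    # Constructed walk-through of the page's own example: enable everything,
    # then remove tls12 with "!tls12".
    everything = apply_protocol_spec(DEFAULT, "sslv3,tls10|tls11,tls12")
    trimmed = apply_protocol_spec(everything, "!tls12")
    print(everything, trimmed, negotiated(trimmed, ["tls11", "tls12"]))
```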

Reapplying the Default Certificate, Cipherspec and Protocols

To reapply the defaults for Cipherspec, Certificate or Protocol, enter any of the following:

eqcli > no remote-mgmt {cipherspec|certificate|protocol}
