Using the remote-management commands in the FortiADC CLI (eqcli), you can replace the default certificate, private key, cipherspec and protocol list used by the HTTPS remote-management service with your own. The process has the following steps.
Uploading the Custom Certificate and Key File
Enter the following to upload a certificate and its private key:

eqcli > certificate certificatename certfile URL
eqcli > certificate certificatename keyfile URL

where certificatename is the name the uploaded certificate is stored under, and URL is the location from which the appliance downloads the file, using the ftp:// or http:// protocol. Both are cleartext protocols, so the private key crosses the network unencrypted: serve it only from a host on a trusted management segment, and delete the key file from that host as soon as the upload has completed.
Entering the Certificate and Key file to be Used with HTTPS Services
eqcli > remote-mgmt certificate certificatename

Confirm the change with show remote-mgmt, which also displays the cipherspec and protocol list currently in effect (the values below are the defaults apart from the certificate):

eqcli > show remote-mgmt
Options        Value
Cipherspec     AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:AES256-SHA:!SSLv2
Certificate    custom certificate
Protocols      tls10
eqcli >
Replacing the Default Cipherspec with a Custom Cipherspec
eqcli > remote-mgmt cipherspec cipherspec

where cipherspec is the new cipher list, written in the same colon-separated, OpenSSL-style syntax as the default (suite names in preference order, "!" to exclude). The default list still offers RC4-MD5, RC4-SHA and DES-CBC3-SHA, all of which are deprecated; keeping only the AES suites from that list, for example AES256-SHA:AES128-SHA:!SSLv2, removes them without relying on any suite the page does not show.
Setting the Encryption Levels
eqcli > remote-mgmt protocol protocol

where protocol is one or more of sslv3, tls10 (the default), tls11 and tls12, delimited by "," or "|".
A protocol is removed from the current list by prefixing it with "!". For example, if all four protocols are enabled and you want to drop tls12, enter:

eqcli > remote-mgmt protocol !tls12

When more than one protocol is enabled, the client and the FortiADC negotiate the highest version both support. SSLv3 is broken (POODLE) and TLS 1.0 is deprecated, so the practical setting is to enable tls12 (and tls11 only if older clients still need it) and to disable sslv3 explicitly.
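The following is an added example, not FortiADC or eqcli code, that models the protocol-list and cipherspec syntax described in the two sections above so the effect of a setting can be checked before it is typed into the appliance. It parses a protocol spec with "," or "|" delimiters and "!" removals, computes the version a client and the appliance would negotiate, and flags the deprecated suites in the page's default cipherspec. Assumptions not stated on the page: protocol tokens are applied left to right against the currently enabled set (a bare name adds, "!name" removes), and the client version sets in the usage section are constructed.

```python
"""Model of the eqcli remote-mgmt protocol and cipherspec syntax (added example)."""
import re

# Protocol names exactly as the eqcli syntax spells them, weakest first.
PROTOCOL_ORDER = ("sslv3", "tls10", "tls11", "tls12")

# Default cipherspec as displayed by "show remote-mgmt" on the page.
DEFAULT_CIPHERSPEC = "AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:AES256-SHA:!SSLv2"

# Substrings that identify suites no longer considered safe (RC4, single/triple
# DES, MD5 MACs, NULL and EXPORT suites).
WEAK_MARKERS = ("RC4", "DES-CBC3", "DES-CBC-", "MD5", "NULL", "EXPORT")


def parse_protocol_spec(spec, current=()):
    """Apply a protocol spec to the currently enabled set and return the result.

    Tokens are separated by ',' or '|' (as the page states); a leading '!'
    removes a protocol. Assumption (not on the page): tokens are applied left
    to right, so a bare name adds and '!name' removes from the running set.
    """
    enabled = set(current)
    for tok in re.split(r"[,|]", spec):
        tok = tok.strip().lower()
        if not tok:
            continue
        negate = tok.startswith("!")
        name = tok.lstrip("!")
        if name not in PROTOCOL_ORDER:
            raise ValueError(f"unknown protocol {name!r}")
        if negate:
            enabled.discard(name)
        else:
            enabled.add(name)
    return frozenset(enabled)


def highest_common(server, client):
    """Highest version enabled on both sides, or None when there is no overlap."""
    common = [p for p in PROTOCOL_ORDER if p in server and p in client]
    return common[-1] if common else None


def split_cipherspec(spec):
    """Split an OpenSSL-style cipher list into (name, is_exclusion) pairs."""
    out = []
    for tok in spec.split(":"):
        tok = tok.strip()
        if tok:
            out.append((tok.lstrip("!"), tok.startswith("!")))
    return out


def weak_ciphers(spec):
    """Positively listed suites whose name carries a weak-algorithm marker."""
    return [name for name, excluded in split_cipherspec(spec)
            if not excluded and any(m in name.upper() for m in WEAK_MARKERS)]


def harden_cipherspec(spec):
    """Drop the weak suites, keeping the original order and any '!' exclusions."""
    weak = set(weak_ciphers(spec))
    kept = [("!" if excluded else "") + name
            for name, excluded in split_cipherspec(spec) if name not in weak]
    return ":".join(kept)


def audit(enabled_protocols, spec):
    """Human-readable findings for a remote-mgmt protocol/cipherspec pair."""
    findings = []
    if "sslv3" in enabled_protocols:
        findings.append("sslv3 enabled: vulnerable to POODLE, remove with '!sslv3'")
    if "tls12" not in enabled_protocols:
        findings.append("tls12 not enabled: clients cannot use their best version")
    for suite in weak_ciphers(spec):
        findings.append(f"weak cipher suite in cipherspec: {suite}")
    return findings


if __name__ == "__main__":
    current = parse_protocol_spec("tls10")                 # page default
    current = parse_protocol_spec("tls11,tls12", current)  # add newer versions
    current = parse_protocol_spec("!tls10", current)       # then drop TLS 1.0
    print("enabled:", sorted(current, key=PROTOCOL_ORDER.index))
    # Constructed client: supports TLS 1.0 through 1.2.
    print("negotiated:", highest_common(current, {"tls10", "tls11", "tls12"}))
    for finding in audit({"sslv3", "tls10"}, DEFAULT_CIPHERSPEC):
        print("-", finding)
    print("hardened cipherspec:", harden_cipherspec(DEFAULT_CIPHERSPEC))
```

The hardened list the script prints is built only from suites already present in the page's default, so it can be fed straight back to the appliance with the remote-mgmt cipherspec command described above; the protocol set is applied in the same way with the protocol command.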
Reapplying the Default Certificate, Cipherspec and Protocols
To restore the default cipherspec, certificate or protocol list individually, enter the corresponding form of:

eqcli > no remote-mgmt {cipherspec|certificate|protocol}