vpn : certificate ca
 
certificate ca
Use this command to install Certificate Authority (CA) root certificates.
When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the Certificate Revocation List (CRL).
The process for obtaining and installing certificates is as follows:
1. Use the execute vpn certificate local command to generate a CSR.
2. Send the CSR to a CA.
The CA sends you the CA certificate, the signed local certificate and the CRL.
3. Use the vpn certificate local command to install the signed local certificate.
4. Use the vpn certificate ca command to install the CA certificate.
5. Use the vpn certificate crl command to install the CRL.
Depending on your terminal software, you can copy the certificate and paste it into the command.
The CA certificate can update automatically from a Simple Certificate Enrollment Protocol (SCEP) server.
Syntax
config vpn certificate ca
edit <ca_name>
set ca <cert>
set auto-update-days <days_int>
set auto-update-days-warning <days_int>
set scep-url <URL_str>
set source-ip <ip4_addr>
end
To view all of the information about the certificate, use the get command:
get vpn certificate ca <ca_name>
 
Variable
Description
Default
edit <ca_name>
Enter a name for the CA certificate.
No default.
ca <cert>
Enter or retrieve the CA certificate in PEM format.
No default.
Fields relevant to SCEP auto-update
 
auto-update-days <days_int>
Enter how many days before expiry the FortiGate unit requests an updated CA certificate. Enter 0 for no auto-update.
0
auto-update-days-warning <days_int>
Enter how many days before CA certificate expiry the FortiGate generates a warning message. Enter 0 for no warning.
0
scep-url <URL_str>
Enter the URL of the SCEP server.
No default.
source-ip <ip4_addr>
Enter an address to verify request is send from expected IP. sourceā€‘ip can be set after local Certificate is generated.
No default.