vpn : certificate local
Use this command to install local certificates.
When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the Certificate Revocation List (CRL).
The process for obtaining and installing certificates is as follows:
1. Use the execute vpn certificate local command to generate a CSR.
2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
3. Use the vpn certificate local command to install the signed local certificate.
4. Use the vpn certificate ca command to install the CA certificate.
5. Use the vpn certificate crl command to install the CRL.
Depending on your terminal software, you can copy the certificate and paste it into the command.
The local certificate can update automatically from a Simple Certificate Enrollment Protocol (SCEP) server.
Syntax
config vpn certificate local
    edit <cert_name>
        set password <pwd>
        set comments <comment_text>
        set ike-localid <local_id>
        set ike-localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
        set private-key <prkey>
        set source-ip <ip4_addr>
        set certificate <cert_PEM>
        set csr <csr_PEM>
        set scep-url <URL_str>
        set scep-password <password_str>
        set auto-regenerate-days <days_int>
        set auto-regenerate-days-warning <days_int>
    end
To view all of the information about the certificate, use the get command:
get vpn certificate local [cert_name]
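A filled-in instance of the procedure and syntax above, added here as an example and not taken from the Fortinet reference: it installs a CA-signed certificate (step 3) on a FortiGate that acts as a dialup client and identifies itself with an FQDN local ID. The certificate name branch1-dialup, the comment text and the FQDN branch1.example.com are assumptions, and the Base64 body of the certificate is a placeholder to be replaced with the PEM returned by the CA. Because the CSR and key pair were generated on this unit with execute vpn certificate local, the csr, private-key and password variables are left untouched. Lines beginning with # are explanatory comments.

```fortios
config vpn certificate local
    edit "branch1-dialup"
        # csr, private-key and password are not set: the CSR was generated on
        # this unit, so the unit already holds the matching private key.
        set comments "Dialup client certificate signed by the corporate CA (example)"
        # Paste the CA-signed certificate in PEM format; the body below is a placeholder.
        set certificate "-----BEGIN CERTIFICATE-----
<Base64 body of the signed local certificate returned by the CA>
-----END CERTIFICATE-----"
        # Local ID presented during IKE; the dialup server must run aggressive
        # mode and carry the same value as a peer ID (see ike-localid below).
        set ike-localid "branch1.example.com"
        set ike-localid-type fqdn
    end

# Confirm that the installed certificate and the local ID are what you expect.
get vpn certificate local branch1-dialup
```

The CA certificate and the CRL that arrive with the signed certificate still have to be installed separately with vpn certificate ca and vpn certificate crl (steps 4 and 5); without the CRL the unit cannot reject a revoked peer certificate issued by the same CA.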
 
Variable / Description / Default

edit <cert_name>
    Enter the local certificate name.
    Default: none

certificate <cert_PEM>
    Enter the signed local certificate in PEM format.
    Default: none

comments <comment_text>
    Enter any relevant information about the certificate.
    Default: none

ike-localid <local_id>
    Enter a local ID if the FortiGate unit is functioning as a VPN client and will use the local ID for authentication purposes.
    If you want to dedicate a tunnel to a FortiGate dialup client, you must assign a unique identifier (local ID) to the FortiGate client.
    Whenever you configure a unique identifier (local ID) on a FortiGate dialup client, you must enable aggressive mode on the FortiGate dialup server and also specify the identifier as a peer ID on the FortiGate dialup server.
    Default: Null

ike-localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
    Select the type of local ID:
        auto — select the type automatically
        fqdn — use a Fully Qualified Domain Name
        user-fqdn — use a User Fully Qualified Domain Name
        keyid — use a Key Identifier ID
        address — use an IP address ID
        asn1dn — use an ASN.1 Distinguished Name ID
    Default: auto

You should not modify the following variables if you generated the CSR on this unit.

csr <csr_PEM>
    The CSR in PEM format.
    Default: none

password <pwd>
    The password in PEM format.
    Default: none

private-key <prkey>
    The private key in PEM format.
    Default: none

source-ip <ip4_addr>
    Enter an address used to verify that the request is sent from the expected IP. source-ip can be set after the local certificate is generated.
    Default: none

Fields relevant to SCEP auto-update

scep-url <URL_str>
    Enter the URL of the SCEP server.
    Default: none

scep-password <password_str>
    Enter the password for the SCEP server.
    Default: none

auto-regenerate-days <days_int>
    Enter how many days before expiry the FortiGate unit requests an updated local certificate. Enter 0 for no auto-update.
    Default: 0

auto-regenerate-days-warning <days_int>
    Enter how many days before local certificate expiry the FortiGate generates a warning message. Enter 0 for no warning.
    Default: 0
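An added example of the SCEP auto-update fields, not from the Fortinet reference, for a local certificate that the FortiGate keeps renewed from a SCEP server. The certificate name scep-auto-cert, the SCEP URL (the /cgi-bin/pkiclient.exe path is the conventional SCEP endpoint, but the host is an assumption), the challenge password placeholder and the two day counts are all assumed values. The warning threshold is deliberately set below the regeneration threshold: since the warning is tied to the expiry date of the certificate currently installed, a successful renewal at 30 days moves that date out and no warning is ever produced, so a warning at 14 days can only mean the automatic renewal did not replace the certificate. Lines beginning with # are explanatory comments.

```fortios
config vpn certificate local
    edit "scep-auto-cert"
        set comments "SCEP-enrolled certificate, renewed automatically (example)"
        # SCEP server and the challenge password issued by the CA operator
        # (assumed values; keep the real password out of shared config exports).
        set scep-url "http://scep.example.com/cgi-bin/pkiclient.exe"
        set scep-password "<challenge password from the CA operator>"
        # Request a fresh certificate 30 days before the current one expires.
        # The default of 0 would leave the certificate to expire silently.
        set auto-regenerate-days 30
        # Warn 14 days before expiry: with renewal at 30 days, this fires only
        # if that renewal failed, so treat the warning as a renewal failure alert.
        set auto-regenerate-days-warning 14
    end

# Verify the SCEP settings and the current certificate's validity period.
get vpn certificate local scep-auto-cert
```

Leave csr, private-key and password alone on such an entry as well: the unit generates and holds the key material for SCEP enrollment itself, and overwriting them would break the next renewal.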