vpn certificate ca
Use this command to import a CA certificate from a TFTP or SCEP server to the FortiGate unit, or to export a CA certificate from the FortiGate unit to a TFTP server.
Before using this command you must obtain a CA certificate issued by a CA.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.
 
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.
Syntax
execute vpn certificate ca export tftp <certificate‑name_str> <file‑name_str> <tftp_ip>
execute vpn certificate ca import auto <ca_server_url> <ca_identifier_str>
execute vpn certificate ca import tftp <file‑name_str> <tftp_ip>
Variable                 Description
import                   Import the CA certificate from a TFTP server to the FortiGate unit.
export                   Export or copy the CA certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.
<certificate‑name_str>   Enter the name of the CA certificate.
<file‑name_str>          Enter the file name on the TFTP server.
<tftp_ip>                Enter the TFTP server address.
auto                     Retrieve a CA certificate from a SCEP server.
tftp                     Import the CA certificate to the FortiGate unit from a file on a TFTP server (local administrator PC).
<ca_server_url>          Enter the URL of the CA certificate server.
<ca_identifier_str>      CA identifier on CA certificate server (optional).
Examples
Use the following command to import the CA certificate named trust_ca to the FortiGate unit from a TFTP server with the address 192.168.21.54.
execute vpn certificate ca import tftp trust_ca 192.168.21.54