execute: vpn certificate local generate
 
vpn certificate local generate
Use this command to generate a local certificate.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.
When you generate a certificate request, you create a private and public key pair for the local FortiGate unit. The public key accompanies the certificate request. The private key remains confidential.
When you receive the signed certificate from the CA, use the vpn certificate local command to install it on the FortiGate unit.
 
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.
Syntax
To generate the default CA certificate used by SSL Inspection
execute vpn certificate local generate default-ssl-ca
To generate the default server key used by SSL Inspection
execute vpn certificate local generate default-ssl-serv-key
To generate an elliptical curve certificate request
execute vpn certificate local generate ec <certificate-name_str> <elliptic-curve-name> <subject_str> [<optional_information>]
To generate an RSA certificate request
execute vpn certificate local generate rsa <certificate-name_str> <key-length> <subject_str> [<optional_information>]
Variable
Description
<certificate-name_str>
Enter a name for the certificate. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
<elliptic-curve-name>
Enter the elliptic curve name: secp256r1, secp384r1, or secp521r1.
<key-length>
Enter 1024, 1536 or 2048 for the size in bits of the encryption key.
<subject_str>
Enter the FortiGate unit host IP address, its fully qualified domain name, or an email address to identify the FortiGate unit being certified.
An IP address or domain name is preferred. If this is impossible (such as with a dialup client), use an e-mail address.
 
If you specify a host IP or domain name, use the IP address or domain name associated with the interface on which IKE negotiations will take place (usually the external interface of the local FortiGate unit). If the IP address in the certificate does not match the IP address of this interface (or if the domain name in the certificate does not match a DNS query of the FortiGate unit’s IP), then some implementations of IKE may reject the connection. Enforcement of this rule varies for different IPSec products.
[<optional_information>]
Enter optional_information as required to further identify the certificate. See “Optional information variables” for the list of optional information variables. You must enter the optional variables in the order in which they are listed in the table. To enter any optional variable, you must enter all of the variables that come before it in the list. For example, to enter the organization_name_str, you must first enter the country_code_str, state_name_str, and city_name_str. While entering optional variables, you can type ? for help on the next required variable.
Optional information variables
Variable
Description
<country_code_str>
Enter the two-character country code. Enter execute vpn certificate local generate <name_str> country followed by a ? for a list of country codes. The country code is case sensitive. Enter null if you do not want to specify a country.
<state_name_str>
Enter the name of the state or province where the FortiGate unit is located.
<city_name_str>
Enter the name of the city or town where the person or organization certifying the FortiGate unit resides.
<organization-name_str>
Enter the name of the organization that is requesting the certificate for the FortiGate unit.
<organization-unit_name_str>
Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit.
<email_address_str>
Enter a contact e-mail address for the FortiGate unit.
<ca_server_url>
Enter the URL of the CA (SCEP) certificate server that allows auto-signing of the request.
<challenge_password>
Enter the challenge password for the SCEP certificate server.
Example
Use the following command to generate a local certificate request with the name branch_cert, the domain name www.example.com and a key size of 1536.
execute vpn certificate local generate rsa branch_cert 1536 www.example.com
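As an added example that is not FortiOS or Fortinet code, the following Go program (standard library only; function and variable names are the example's own) reproduces what the ec form of the command does, a key pair plus a PKCS#10 request for the subject, and then applies the caveat given for <subject_str>: the identity in the request must match the IP address or DNS name of the interface on which IKE negotiates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"net"
	"strings"
)

// buildRequest does what "generate ec" does on the unit: a key pair on the given
// curve (P256/P384/P521 are the CLI's secp256r1/secp384r1/secp521r1) plus a
// DER-encoded PKCS#10 request with the subject as CN and as an IP or DNS SAN.
func buildRequest(curve elliptic.Curve, subject string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: subject}, DNSNames: []string{subject}}
	if ip := net.ParseIP(subject); ip != nil { // an IP subject belongs in the IP SAN, not DNS
		tmpl.IPAddresses, tmpl.DNSNames = []net.IP{ip}, nil
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}
// matchesInterface applies the reference's caveat: the identity in the request must
// equal the IKE interface's IP or DNS name, or some peers reject the tunnel.
func matchesInterface(der []byte, ifaceAddr string) (bool, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil { // never trust an unverified request
		return false, err
	}
	want := net.ParseIP(ifaceAddr) // nil when ifaceAddr is a DNS name
	for _, ip := range csr.IPAddresses {
		if ip.Equal(want) {
			return true, nil
		}
	}
	for _, d := range csr.DNSNames {
		if strings.EqualFold(d, ifaceAddr) {
			return true, nil
		}
	}
	return false, nil
}
```

The same check can be run against the signed certificate returned by the CA (x509.ParseCertificate exposes the same IPAddresses and DNSNames fields) before installing it with vpn certificate local.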