Chapter 3 Authentication for FortiOS 5.0 : Certificate-based authentication : Managing X.509 certificates : Online updates to certificates and CRLs : Local certificates
  
Local certificates
In the config vpn certificate local command, you can specify automatic certificate renewal. The relevant fields are:
scep-url <URL_str>
The URL of the SCEP server. This can be HTTP or HTTPS. The following options appear after you add the <URL_str>.
scep-password <password_str>
The password for the SCEP server.
auto-regenerate-days <days_int>
How many days before expiry the FortiGate unit requests an updated local certificate. The default is 0, no auto-update.
auto-regenerate-days-warning <days_int>
How many days before local certificate expiry the FortiGate generates a warning message. The default is 0,no warning.
In this example, an updated certificate is requested three days before it expires.
config vpn certificate local
edit mycert
set scep-url http://scep.example.com/scep
set scep-server-password my_pass_123
set auto-regenerate-days 3
set auto-regenerate-days-warning 2
end