Chapter 3 Authentication for FortiOS 5.0 : Certificate-based authentication : Managing X.509 certificates : Online updates to certificates and CRLs : CA certificates
  
CA certificates
In the config vpn certificate ca command, you can specify automatic certificate renewal. The relevant fields are:
scep-url <URL_str>
The URL of the SCEP server. This can be HTTP or HTTPS.
auto-update-days <days_int>
How many days before expiry the FortiGate unit requests an updated CA certificate. The default is 0, no auto-update.
auto-update-days-warning <days_int>
How many days before CA certificate expiry the FortiGate generates a warning message. The default is 0,no warning.
In this example, an updated certificate is requested three days before it expires.
config vpn certificate ca
edit mycert
set scep-url http://scep.example.com/scep
set auto-update-days 3
set auto-update-days-warning 2
end