Chapter 1 What’s New for FortiOS 5.2.1 : IPsec VPN : Internet Key Exchange (IKE) : Certificates Groups
  
Certificate Groups
IKE certificate groups consisting of up to four RSA certificates can now be used in IKE phase 1. Since CA and local certificates are global, the IKE daemon loads them once for all VDOMs and indexes them into trees based on subject and public key hash (for CA certificates), or certificate name (for local certificates). Certificates are linked together based on the issuer, and certificate chains are built by traversing these links. Because a certificate that appears in several chains is stored only once, this reduces the need to keep multiple copies of it.
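The indexing and chain building described above can be modeled in a few lines. The following Python sketch is an added illustration, not FortiOS code: the Cert and CertStore names, the simplified certificate fields, and the sample certificates are all assumptions made for the example.

```python
from dataclasses import dataclass

MAX_GROUP = 4  # from the page: up to four RSA certificates per IKE group

@dataclass(frozen=True)
class Cert:  # simplified model (assumption), not a parsed X.509 certificate
    subject: str
    key_hash: str          # constructed stand-in for the public key hash
    issuer: str
    issuer_key_hash: str   # identifies which issuer key signed this certificate
    name: str = ""         # certificate name, set for local certificates only

class CertStore:
    """Global store: each certificate is loaded once and shared by all chains."""
    def __init__(self):
        self.ca = {}       # (subject, public key hash) -> CA certificate
        self.local = {}    # certificate name -> local certificate

    def add_ca(self, cert):
        self.ca[(cert.subject, cert.key_hash)] = cert

    def add_local(self, cert):
        self.local[cert.name] = cert

    def chain(self, name):
        """Follow issuer links from a local certificate to a self-signed root."""
        cert = self.local[name]
        chain, seen = [cert], set()
        while (cert.subject, cert.key_hash) != (cert.issuer, cert.issuer_key_hash):
            link = (cert.issuer, cert.issuer_key_hash)
            if link in seen:
                raise ValueError(f"issuer loop at {link[0]}")
            if link not in self.ca:
                raise LookupError(f"issuer not loaded: {link[0]}")
            seen.add(link)
            cert = self.ca[link]   # reference to the shared entry, not a copy
            chain.append(cert)
        return chain

    def group_chains(self, names):
        if not 1 <= len(names) <= MAX_GROUP:
            raise ValueError("a certificate group holds one to four certificates")
        return {n: self.chain(n) for n in names}

# Constructed sample data: one root, one subordinate CA, two local certificates.
store = CertStore()
store.add_ca(Cert("CN=Example Root", "k-root", "CN=Example Root", "k-root"))
store.add_ca(Cert("CN=Example Sub CA", "k-sub", "CN=Example Root", "k-root"))
store.add_local(Cert("CN=gw1", "k-gw1", "CN=Example Sub CA", "k-sub", "gw1-cert"))
store.add_local(Cert("CN=gw2", "k-gw2", "CN=Example Root", "k-root", "gw2-cert"))
```

Both chains returned by store.group_chains(["gw1-cert", "gw2-cert"]) end in the same root object, which is the single-copy behavior the paragraph describes.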
IKE certificate groups can be configured through the CLI.
Configuring the IKE local ID
config vpn certificate local
    edit <name>
        set ike-localid <string>
        set ike-localid-type {asn1dn | fqdn}
    next
end
Adding certificates to the group
config vpn ipsec {phase1 | phase1-interface}
    edit <name>
        set rsa-certificate <name>
    next
end