To generate a local certificate using the CLI, collect the following information.

Local certificate name:

• Key size (1024, 1536, 2048, 4096; default: 2048).
• Subject (Host IP, Domain Name, or E-mail).
• Country name (e.g., 'Canada') or country code (e.g., 'CA'); enter 'null' for none.
• State.
• City.
• Organization.
• Unit.
• E-mail.
• SAN - Subject Alternative Name (optional).
• URL of the CA server for signing via SCEP (optional).
• Challenge password for signing via SCEP (optional).
• Source IP for communications with the CA server (optional).
• CA identifier of the CA server for signing via SCEP (optional).
• Password for the private key (optional).

To create the local certificate on the FortiSwitch CLI, use the following command:

execute system certificate local generate rsa <Local_certificate_name> <Keysize> <Subject> <Country_Name> <State> <City> <Org> <Unit> <Email> <SAN>

To export the local certificate via TFTP, use the following command:

execute system certificate local export tftp <Local_certificate_name> <File_name_on_the_TFTP_server> <TFTP_server_IP

Note:

• While downloading the Certificate, a PC with TFTP should be in the same subnet as of the Internal Interface of the FortiSwitch to be Reachable.
• While creating the Local Certificate, do not enter spaces, else the command will not be executed properly. For example, use 'Serious_Fun_Enterprises' or 'SeriousFunEnterprises' rather than 'Serious Fun Enterprises'. This ensures the command runs properly.