| Solution |
To generate a local certificate using the CLI, collect the following information.
Local certificate name:
- Key size (1024, 1536, 2048, 4096; default: 2048).
- Subject (Host IP, Domain Name, or E-mail).
- Country name (e.g., 'Canada') or country code (e.g., 'CA'); enter 'null' for none.
- State.
- City.
- Organization.
- Unit.
- E-mail.
- SAN - Subject Alternative Name (optional).
- URL of the CA server for signing via SCEP (optional).
- Challenge password for signing via SCEP (optional).
- Source IP for communications with the CA server (optional).
- CA identifier of the CA server for signing via SCEP (optional).
- Password for the private key (optional).
To create the local certificate on the FortiSwitch CLI, use the following command:
execute system certificate local generate rsa <Local_certificate_name> <Keysize> <Subject> <Country_Name> <State> <City> <Org> <Unit> <Email> <SAN>
To export the local certificate via TFTP, use the following command:
execute system certificate local export tftp <Local_certificate_name> <File_name_on_the_TFTP_server> <TFTP_server_IP
Note:
- While downloading the Certificate, a PC with TFTP should be in the same subnet as of the Internal Interface of the FortiSwitch to be Reachable.
- While creating the Local Certificate, do not enter spaces, else the command will not be executed properly. For example, use 'Serious_Fun_Enterprises' or 'SeriousFunEnterprises' rather than 'Serious Fun Enterprises'. This ensures the command runs properly.
|
