This article explains how to generate a Local Certificate via the CLI on a FortiSwitch. It is useful when an error occurs while generating a Local Certificate via the GUI, allowing it to be created and exported via TFTP.
Scope
FortiSwitch managed via FortiGate and standalone modes.
Solution
To generate a local certificate using the CLI, collect the following information.
Local certificate name:
Key size (1024, 1536, 2048, 4096; default: 2048).
Subject (Host IP, Domain Name, or E-mail).
Country name (e.g., 'Canada') or country code (e.g., 'CA'); enter 'null' for none.
State.
City.
Organization.
Unit.
E-mail.
SAN - Subject Alternative Name (optional).
URL of the CA server for signing via SCEP (optional).
Challenge password for signing via SCEP (optional).
Source IP for communications with the CA server (optional).
CA identifier of the CA server for signing via SCEP (optional).
Password for the private key (optional).
To create the local certificate on the FortiSwitch CLI, use the following command:
execute system certificate local generate rsa <Local_certificate_name> <Keysize> <Subject> <Country_Name> <State> <City> <Org> <Unit> <Email> <SAN>
To export the local certificate via TFTP, use the following command:
execute system certificate local export tftp <Local_certificate_name> <File_name_on_the_TFTP_server> <TFTP_server_IP
Note:
While downloading the Certificate, a PC with TFTP should be in the same subnet as of the Internal Interface of the FortiSwitch to be Reachable.
While creating the Local Certificate, do not enter spaces, else the command will not be executed properly. For example, use 'Serious_Fun_Enterprises' or 'SeriousFunEnterprises' rather than 'Serious Fun Enterprises'. This ensures the command runs properly.
