Handbook

Importing CRLs

A certificate revocation list (CRL) is a file that contains a list of revoked certificates with their serial numbers and their revocation dates. The file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.

Some potential reasons for certificates to be revoked include:

  • A CA server was hacked and its certificates are no longer trustworthy.
  • A single certificate was compromised and is no longer trustworthy.
  • A certificate has expired and is not supposed to be used past its lifetime.

You can either upload a CRL file from your local machine or specify the URL of the CRL file.

Online Certificate Status Protocol (OCSP) is an alternative to CRL. OCSP is useful, for example, when you do not want to deploy CRL files or want to avoid publicly exposing your PKI structure. For more information, see Adding OCSPs.
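To make concrete what a CRL carries (issuer, thisUpdate, nextUpdate, revoked serials with their revocation dates) and why a CRL past its next-update date must not be trusted, here is an added Go example; it is not code from the FortiADC handbook or product. It builds a constructed test CA and CRL with Go's standard crypto/x509 package, then checks a serial against the CRL while refusing any CRL whose signature does not verify against the issuer or that lies outside its validity window. The CA name, serial numbers and timestamps are made-up fixture values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// BuildSampleCRL: throwaway test CA plus a CRL it signs revoking one serial (constructed fixture, not a real issuer's CRL).
func BuildSampleCRL(revokedSerial int64, now time.Time) ([]byte, *x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture: only the final signing error is surfaced
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // a CRL signer needs the cRLSign bit
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(caDER) // re-parse: signing a CRL needs the CA's RawSubject and SubjectKeyId
	// thisUpdate and nextUpdate bound the CRL's validity; one hour is the shortest period the page cites.
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now.Add(-time.Minute)}},
	}, ca, key)
	return crl, ca, err
}

// CheckStatus reports "revoked" or "good" for serial, but only from a CRL the issuer signed and that is inside its validity window.
func CheckStatus(crlDER []byte, issuer *x509.Certificate, serial int64, now time.Time) (string, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return "", err // tampered, or signed by a key other than the issuer's
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return "", errors.New("CRL is outside thisUpdate..nextUpdate; fetch a fresh copy") // stale is never "good"
	}
	for _, e := range rl.RevokedCertificates {
		if e.SerialNumber.Cmp(big.NewInt(serial)) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}
```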

Before you begin, you must:

  • Have Read-Write permission for System settings.
  • Know the URL of a CRL server or have the CRL files downloaded onto your local machine.

To import a CRL file:
  1. Go to System > Certificate > Verify.
  2. Click the CRL tab.
  3. Click Import to display the configuration editor.
  4. Complete the configuration as described in CRL configuration.
  5. Click Save when done.
  6. Repeat Steps 3 through 5 to import as many CRLs as needed.

CRL configuration

Settings and guidelines

Name
    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The maximum length is 35 characters. After you initially save the configuration, you cannot edit the name.

Import Method
    HTTP: If selected, FortiADC will download the CRL file from an HTTP server. You must specify the HTTP URL.
    SCEP: If selected, FortiADC will download the CRL file from an SCEP server. You must specify the SCEP URL.
    File: If selected, you will need to browse for the CRL file on your local machine and upload it into FortiADC.
    LDAP: If selected, FortiADC will download the CRL file from the LDAP server (User Authentication > Remote Server > LDAP Server).
    CRLDP: If selected, FortiADC will get the address of the CRL file from the CRL Distribution Points extension stored in the client certificate.