
Administration Guide

Certificate revocation lists

A certificate revocation list (CRL) is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. The file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.

Some potential reasons certificates can be revoked include:

  • A CA server was hacked and its certificates are no longer trusted.
  • A single certificate was compromised and is no longer trusted.
  • A certificate has expired and cannot be used past its lifetime.

Go to Certificate Management > Certificate Authorities > CRLs to view the CRL list.

The following information is shown:

Import

Import a CRL.

Automatic Downloads

Select to view automatically downloaded CRLs. Select View CRLs to switch back to the regular CRL view.

Export

Save the selected CRL to your computer.

CA Type

The CA type of the CRL.

Issuer name

The name of the issuer of the CRL.

Subject

The CRL’s subject.

Revoked Certificates

The number of revoked certificates in the CRL.

To import a CRL:
  1. Download the most recent CRL from a CDP. One or more CDPs are usually listed in a certificate under the Details tab.
  2. From the CRL list, select Import.
  3. Select Upload a file to locate the file on your computer, then select Import to import the list.
    Note: Before importing a CRL file, make sure that either a local CA certificate or a trusted CA certificate for this CRL has first been imported.

    When successful, the CRL is displayed in the CRL list on the FortiAuthenticator. You can select it to see the details (see To view certificate details:).

Locally created CRLs

When you import a CRL, it is from another authority. If you are creating your own CA certificates, you can also create your own CRL to accompany them.

As a CA, you sign user certificates. If for any reason you need to revoke one of those certificates, it will go on a local CRL. When this happens you must export the CRL to all your certificate users so they are aware of the revoked certificate.

To create a local CRL:
  1. Create a local CA certificate. See Local CAs.
  2. Create one or more user certificates. See End entities.
  3. Go to Certificate Management > End Entities > Users, select one or more certificates, and select Revoke. See To revoke a certificate:.

    The selected certificates are removed from the user certificate list and a CRL is created with those certificates as entries in the list. If there is already a CRL for the CA that signed the user certificates, the certificates are added to the current CRL.

    Note: If one or more CAs are later deleted, their corresponding CRLs are also deleted, along with any user certificates that they signed.

Configuring OCSP

FortiAuthenticator also supports Online Certificate Status Protocol (OCSP), defined in RFC 2560. To use OCSP, configure the FortiGate unit to use TCP port 2560 on the FortiAuthenticator IP address.

For example, enter the following to configure OCSP on the FortiGate CLI Console, where the URL is the IP address of the FortiAuthenticator:

    config vpn certificate ocsp-server
        edit FortiAuthenticator_ocsp
            set cert "REMOTE_Cert_1"
            set url "http://172.20.120.16:2560"
        end
