Fortinet black logo

CLI Reference

certificate crl

certificate crl

Note: The following command is only available when VDOMs are enabled.

Use this command to install a Certificate Revocation List (CRL) for this VDOM. When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the CRL.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.

Command Description

set source {factory | user | bundle}

The fortiguard option has been removed

config certificate crl
    edit {name}
    # Certificate Revocation List as a PEM file.
        set name {string}   Name. size[35]
        set crl {string}   Certificate Revocation List as a PEM file.
        set range {global | vdom}   Either global or VDOM IP address range for the certificate.
                global  Global range.
                vdom    VDOM IP address range.
        set source {factory | user | bundle}   Certificate source type.
                factory  Factory installed certificate.
                user     User generated certificate.
                bundle   Bundle file certificate.
        set update-vdom {string}   VDOM for CRL update. size[31] - datasource(s): system.vdom.name
        set ldap-server {string}   LDAP server name for CRL auto-update. size[35]
        set ldap-username {string}   LDAP server user name. size[63]
        set ldap-password {password_string}   LDAP server user password. size[128]
        set http-url {string}   HTTP server URL for CRL auto-update. size[255]
        set scep-url {string}   SCEP server URL for CRL auto-update. size[255]
        set scep-cert {string}   Local certificate for SCEP communication for CRL auto-update. size[35] - datasource(s): certificate.local.name
        set update-interval {integer}   Time in seconds before the FortiGate checks for an updated CRL. Set to 0 to update only when it expires. range[0-4294967295]
        set source-ip {ipv4 address}   Source IP address for communications to a HTTP or SCEP CA server.
        set last-updated {integer}   Time at which CRL was last updated. range[0-4294967295]
    next
end

Additional information

The following section is for those options that require additional explanation.

crl <pem-file>

The name of the CRL in Privacy Enhanced Mail (PEM) format.

http-url <url>

URL of an HTTP server used for automatic CRL certificate updates. The URL must begin with either http:// or https://.

last-updated <days>

Note: This entry is only available when a crl has been set.

Amount of time in days since the CRL was last updated.

ldap-password <password>

Note: This entry is only available when ldap-server has been set. LDAP login password.

ldap-server <name>

Name of the LDAP server defined in config user ldap for CRL auto-update.

ldap-username <name>

Note: This entry is only available when ldap-server has been set. LDAP login name.

range {global | vdom}

Either global (by default) or vdom IP address range for the certificate.

scep-cert <cert>

Local certificate used for SCEP communication for CRL auto-update. If a certificate hasn't already been set, the default certificate used is Fortinet_CA_SSL.

scep-url <url>

URL of the SCEP server used for automatic CRL certificate updates. The URL must begin with either http:// or https://.

source {factory | user | bundle}

CA certificate source:

  • factory: Default certificate that came with the FortiGate
  • user: User certificate (set by default)
  • bundle: Certificate from a bundle file

source-ip <ipv4-address>

IPv4 address used to verify that the request is sent from an expected IP.

update-interval <interval>

Period of time in seconds before the FortiGate unit checks for an updated CRL. Enter 0 (by default) to update the CRL only when it expires.

update-vdom <vdom>

Name of the VDOM for CRL update. This is set to the root VDOM by default.

certificate crl

Note: The following command is only available when VDOMs are enabled.

Use this command to install a Certificate Revocation List (CRL) for this VDOM. When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the CRL.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.

Command Description

set source {factory | user | bundle}

The fortiguard option has been removed

config certificate crl
    edit {name}
    # Certificate Revocation List as a PEM file.
        set name {string}   Name. size[35]
        set crl {string}   Certificate Revocation List as a PEM file.
        set range {global | vdom}   Either global or VDOM IP address range for the certificate.
                global  Global range.
                vdom    VDOM IP address range.
        set source {factory | user | bundle}   Certificate source type.
                factory  Factory installed certificate.
                user     User generated certificate.
                bundle   Bundle file certificate.
        set update-vdom {string}   VDOM for CRL update. size[31] - datasource(s): system.vdom.name
        set ldap-server {string}   LDAP server name for CRL auto-update. size[35]
        set ldap-username {string}   LDAP server user name. size[63]
        set ldap-password {password_string}   LDAP server user password. size[128]
        set http-url {string}   HTTP server URL for CRL auto-update. size[255]
        set scep-url {string}   SCEP server URL for CRL auto-update. size[255]
        set scep-cert {string}   Local certificate for SCEP communication for CRL auto-update. size[35] - datasource(s): certificate.local.name
        set update-interval {integer}   Time in seconds before the FortiGate checks for an updated CRL. Set to 0 to update only when it expires. range[0-4294967295]
        set source-ip {ipv4 address}   Source IP address for communications to a HTTP or SCEP CA server.
        set last-updated {integer}   Time at which CRL was last updated. range[0-4294967295]
    next
end

Additional information

The following section is for those options that require additional explanation.

crl <pem-file>

The name of the CRL in Privacy Enhanced Mail (PEM) format.

http-url <url>

URL of an HTTP server used for automatic CRL certificate updates. The URL must begin with either http:// or https://.

last-updated <days>

Note: This entry is only available when a crl has been set.

Amount of time in days since the CRL was last updated.

ldap-password <password>

Note: This entry is only available when ldap-server has been set. LDAP login password.

ldap-server <name>

Name of the LDAP server defined in config user ldap for CRL auto-update.

ldap-username <name>

Note: This entry is only available when ldap-server has been set. LDAP login name.

range {global | vdom}

Either global (by default) or vdom IP address range for the certificate.

scep-cert <cert>

Local certificate used for SCEP communication for CRL auto-update. If a certificate hasn't already been set, the default certificate used is Fortinet_CA_SSL.

scep-url <url>

URL of the SCEP server used for automatic CRL certificate updates. The URL must begin with either http:// or https://.

source {factory | user | bundle}

CA certificate source:

  • factory: Default certificate that came with the FortiGate
  • user: User certificate (set by default)
  • bundle: Certificate from a bundle file

source-ip <ipv4-address>

IPv4 address used to verify that the request is sent from an expected IP.

update-interval <interval>

Period of time in seconds before the FortiGate unit checks for an updated CRL. Enter 0 (by default) to update the CRL only when it expires.

update-vdom <vdom>

Name of the VDOM for CRL update. This is set to the root VDOM by default.