Administration Guide

Certificate revocation list

Because an issued certificate cannot be recalled, the certificate revocation list (CRL) lists certificates signed by valid CAs that should no longer be trusted. Certificates may be revoked for many reasons, for example if the certificate was issued erroneously or if the private key of a valid certificate has been compromised.

To import a CRL in the GUI:
  1. Go to System > Certificates and select Create/Import > CRL.

  2. Set the Import Method to File Based or Online Updating.

    • File Based: Upload the CRL file directly from the management computer. CAs publish files containing the list of certificates that should no longer be trusted.

    • Online Updating: This is the preferred method to keep the list of revoked certificates up to date. Configure the protocols as required.

      • HTTP: Enter the URL of the HTTP server.

      • LDAP: Select the LDAP Server and enter the Username and Password.

      • SCEP: Select the Certificate and enter the URL of the SCEP server.

  3. Click OK.

To import a CRL in the CLI:
# execute vpn certificate crl import auto <CRL_name>
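
Before a File Based upload, it is worth confirming on the management computer that the CRL file is signed by the expected CA and has not passed its nextUpdate time. The following is an added example, not part of the Fortinet guide or tooling; the function names check_crl and make_demo_crl are hypothetical, and it assumes the openssl CLI and GNU date are installed.

```shell
# Added example, not Fortinet tooling. Assumes openssl and GNU date.

# check_crl CRL_FILE CA_CERT [MIN_SECONDS_LEFT]
# Succeeds only if the CRL is signed by CA_CERT and its nextUpdate is at
# least MIN_SECONDS_LEFT away (default 0: simply not yet expired).
check_crl() {
    local crl="$1" ca="$2" min_left="${3:-0}" form=PEM next next_epoch now
    # CRLs are published as PEM or DER; detect PEM by its header line.
    grep -q -- '-----BEGIN X509 CRL-----' "$crl" || form=DER
    # Signature check. Match the message text rather than the exit
    # status, which is not reliable across OpenSSL versions.
    if ! openssl crl -in "$crl" -inform "$form" -CAfile "$ca" -noout 2>&1 |
            grep -q 'verify OK'; then
        echo "REJECT: CRL is not signed by $ca" >&2
        return 1
    fi
    # Freshness check: a stale list silently misses recent revocations.
    next=$(openssl crl -in "$crl" -inform "$form" -noout -nextupdate | cut -d= -f2)
    next_epoch=$(date -u -d "$next" +%s 2>/dev/null) || {
        echo "REJECT: cannot read nextUpdate ($next)" >&2
        return 1
    }
    now=$(date -u +%s)
    if [ $((next_epoch - now)) -lt "$min_left" ]; then
        echo "REJECT: nextUpdate $next is past or too close" >&2
        return 1
    fi
    echo "OK: signature verified, nextUpdate $next"
}

# make_demo_crl DIR NAME: constructed throwaway CA named NAME plus an empty
# CRL valid for one day, so the check can be tried without a real CA.
make_demo_crl() {
    mkdir -p "$1" && : > "$1/$2.index" || return 1
    printf '[ca]\ndefault_ca=d\n[d]\ndatabase=%s\ndefault_md=sha256\n' \
        "$1/$2.index" > "$1/$2.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null &&
    openssl ca -gencrl -config "$1/$2.cnf" -crldays 1 -keyfile "$1/$2.key" \
        -cert "$1/$2.pem" -out "$1/$2.crl" 2>/dev/null
}
```

With a real CRL, pass the downloaded file and the issuing CA certificate, for example `check_crl ca.crl ca.pem 86400` to require at least one day of remaining validity.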
