Revoking certificates
To ensure that FortiWeb validates only certificates that have not been revoked, you should periodically upload current certificate revocation lists (CRL) that may be provided by certificate authorities (CA). Once you've uploaded the CRL(s) you want to use, create CRL groups to include in your FortiWeb configuration.
To view or upload a CRL file
- Go to Server Objects > Certificates > CRL and select the CRL tab.
  To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
- Click Import.
- Do one of the following to import a CRL file:
- Select HTTP, then enter the URL of an HTTP site providing a CRL service.
- Select SCEP, then enter the URL of the applicable Simple Certificate Enrollment Protocol (SCEP) server. SCEP allows routers and other intermediate network devices to obtain certificates.
- Select Local PC, then browse to locate the CRL file.
Note: The maximum size for a CRL file is 4 MB.
The imported CRL file appears on Server Objects > Certificates > CRL with a name automatically assigned by the FortiWeb appliance, such as CRL_1.
Note: If the CRL is expired, the system blocks the client traffic even if the client presents a valid certificate. You can allow the use of previously retrieved CRLs when retrieval from the current CRL distribution point fails or is pending, or when you want to manually upload a CRL file:

    config system certificate verify
        set crl-allow-expired enable
    end

We highly recommend enabling this setting only as a temporary solution while the CRL is expired. Use the most up-to-date CRL file at all times so that clients with revoked certificates are promptly blocked.
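As an added example (not part of the FortiWeb documentation), a stdlib-only Python check you can run on a DER CRL file before uploading it: it walks the CRL structure (RFC 5280 section 5.1) to read thisUpdate and nextUpdate and reports whether the file exceeds the 4 MB limit stated above or has already expired, the condition that would make FortiWeb block every client. The sample CRL bytes are constructed for this example, carry a dummy signature, and do not come from any real CA.

```python
from datetime import datetime, timezone

MAX_CRL_BYTES = 4 * 1024 * 1024  # FortiWeb's documented per-file upload limit

def _tlv(buf, pos):
    # Read one DER tag/length/value at pos; return (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, val):
    # UTCTime (0x17) is YYMMDDHHMMSSZ; GeneralizedTime (0x18) is YYYYMMDDHHMMSSZ.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der):
    # Walk CertificateList -> tbsCertList to the thisUpdate / nextUpdate fields.
    _, cert_list, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert_list, 0)
    tag, _, pos = _tlv(tbs, 0)  # optional version INTEGER, otherwise signature
    if tag == 0x02:
        _, _, pos = _tlv(tbs, pos)  # version was present: skip the signature too
    _, _, pos = _tlv(tbs, pos)  # issuer Name
    tag, val, pos = _tlv(tbs, pos)  # thisUpdate
    this_update, next_update = _time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = _tlv(tbs, pos)
        if tag in (0x17, 0x18):  # nextUpdate is OPTIONAL in RFC 5280
            next_update = _time(tag, val)
    return this_update, next_update

def check_crl(der, now=None):
    # Reasons the file would be rejected on upload or would block every client.
    now = now or datetime.now(timezone.utc)
    _, next_update = crl_validity(der)
    problems = ["larger than 4 MB"] if len(der) > MAX_CRL_BYTES else []
    if next_update is None:
        problems.append("no nextUpdate: expiry cannot be determined")
    elif next_update <= now:
        problems.append("expired at " + next_update.isoformat())
    return problems

# Constructed sample, not a real CA's CRL: v2, issuer CN=Example CA,
# thisUpdate 2024-01-01, nextUpdate 2024-01-31, no revoked entries, dummy signature.
SAMPLE_CRL = bytes.fromhex(
    "305c3047020101300d06092a864886f70d01010b0500"
    "30153113301106035504030c0a4578616d706c65204341"
    "170d3234303130313030303030305a170d3234303133313030303030305a"
    "300d06092a864886f70d01010b050003020000")
```

Run `check_crl(open("file.crl", "rb").read())` on a DER file; an empty list means it is within the size limit and still valid at the time of the check.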
To create a CRL group
- Go to Server Objects > Certificates > CRL and select the CRL Group tab.
  To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
- Click Create New, then enter a name for the CRL group. You will use this name to select the CRL group in other parts of the configuration. The maximum length is 63 characters.
- Click OK.
- Click Create New to add a CRL to the group.
- Select a CRL from the drop-down menu to include in the group.
- Click OK.
- Repeat the above steps to include additional CRLs in the group.
- To use the CRL group for client PKI authentication, select the CRL group in a certificate verification rule. For details, see Configuring FortiWeb to validate client certificates.