config system certificate crl

Use this command to manage certificate revocation lists (CRL). You can enable CRL by importing a CRL file or specifying a CRL URL.

A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. The file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.

Some potential reasons for certificates to be revoked include:

  • A CA server was hacked and its certificates are no longer trustworthy.
  • A single certificate was compromised and is no longer trustworthy.
  • A certificate has expired and is not supposed to be used past its lifetime.

You can upload a CRL file or specify a URL for the CRL file.

Online certificate status protocol (OCSP) is an alternative to CRL. OCSP is useful, for example, when you do not want to deploy CRL files, or when you want to avoid publicly exposing your PKI structure, even if that exposure is only the list of invalid certificates.

Before you begin:

  • You must know the URL of a CRL server or have downloaded the CRL file and be able to browse to it so that you can upload it.
  • You must have read-write permission for system settings.

Syntax

config system certificate crl
  edit <name>
    set crl <certificate-filename>
    set http-url <string>
    set scep-url <string>
    set host-header <string>
  next
end

crl

Paste the name of a CRL certificate file between quotation marks as shown in the example.

http-url

Specify an HTTP URL.

scep-url

Specify a SCEP URL.

host-header

Specify a hostname in the HTTP request header.

Example

FortiADC-VM # config system certificate crl
FortiADC-VM (crl) # edit "crl"
FortiADC-VM (crl) # set crl-file global_crl.cer
FortiADC-VM (crl) # end
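As an added illustration of the CRL fields described above (issuer, effective date, next update, revoked serials with revocation dates) and of what a relying party does with an uploaded file such as global_crl.cer, the following Python script (not Fortinet code; it uses the third-party cryptography library) builds a constructed CRL with the one-hour validity window the page mentions and a single revoked serial, then checks serials against it in the order a verifier should: issuer signature, nextUpdate freshness, then membership. The CA name, serial numbers and key are constructed for the example.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

REVOKED_SERIAL = 0x1234  # constructed: serial number of the one revoked certificate

def build_sample_crl(now):
    """Constructed stand-in for a DER-encoded CRL file; returns (DER bytes, CA public key)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())  # throwaway CA key
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Lab CA")])
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(REVOKED_SERIAL)
             .revocation_date(now - dt.timedelta(days=1))
             .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
             .build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(issuer)
           .last_update(now)                          # effective date
           .next_update(now + dt.timedelta(hours=1))  # one-hour validity window
           .add_revoked_certificate(entry)
           .sign(ca_key, hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.DER), ca_key.public_key()

def check_status(crl_der, serial, now, issuer_key):
    """Judge `serial` against the CRL as a relying party should: authenticity, freshness, membership."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(issuer_key):
        return "untrusted"  # not signed by the expected issuer: do not use it
    nu = getattr(crl, "next_update_utc", None)       # newer releases: tz-aware property
    if nu is None and crl.next_update is not None:   # older releases: naive UTC datetime
        nu = crl.next_update.replace(tzinfo=dt.timezone.utc)
    if nu is not None and now > nu:
        return "stale"      # past nextUpdate: fetch a fresh CRL before deciding
    if crl.get_revoked_certificate_by_serial_number(serial) is None:
        return "good"
    return "revoked"

def run_demo():
    """Exercise the four outcomes: revoked, good, stale CRL, CRL signed by the wrong key."""
    now = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
    der, ca_pub = build_sample_crl(now)
    return (check_status(der, REVOKED_SERIAL, now, ca_pub),
            check_status(der, 0x99, now, ca_pub),
            check_status(der, 0x99, now + dt.timedelta(hours=2), ca_pub),
            check_status(der, 0x99, now, ec.generate_private_key(ec.SECP256R1()).public_key()))

if __name__ == "__main__":
    print(run_demo())  # ('revoked', 'good', 'stale', 'untrusted')
```

A CRL that is past its nextUpdate or whose signature does not verify gives no usable answer, which is why the freshness and signature checks come before the serial lookup.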
