Fortinet black logo

Administration Guide

Certificate revocations lists

Certificate revocations lists

A certificate revocation list (CRL) is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. The file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.

Some potential reasons certificates can be revoked include:

  • A CA server was hacked and its certificates are no longer trusted.
  • A single certificate was compromised and is no longer trusted.
  • A certificate has expired and cannot be used past its lifetime.

Go to Certificate Management > Certificate Authorities > CRLs to view the CRL list.

The following information is shown:

Import Import a CRL.
Automatic Downloads Select to view automatically downloaded CRLs. Select View CRLs to switch back to the regular CRL view.
Export Save the selected CRL to your computer.
CA Type The CA type of CRL.
Issuer name The name of the issuer of the CRL.
Subject The CRL’s subject.
Revoked Certificates The number of revoked certificates in the CRL.
To import a CRL:
  1. Download the most recent CRL from a CDP. One or more CDPs are usually listed in a certificate under the Details tab.
  2. From the CRL list, select Import.
  3. Select Choose File to locate the file on your computer, then select OK to import the list.
    Note

    Before importing a CRL file, make sure that either a local CA certificate or a trusted CA certificate for this CRL has first been imported.

    When successful, the CRL is displayed in the CRL list on the FortiAuthenticator. You can select it to see the details (see To view certificate details:).

Locally created CRLs

When you import a CRL, it is from another authority. If you are creating your own CA certificates, you can also create your own CRL to accompany them.

As a CA, you sign user certificates. If for any reason you need to revoke one of those certificates, it will go on a local CRL. When this happens you must export the CRL to all your certificate users so they are aware of the revoked certificate.

To create a local CRL:
  1. Create a local CA certificate. See Local CAs.
  2. Create one or more user certificates. See End entities.
  3. Go to Certificate Management > End Entities > Users, select one or more certificates, and select Revoke. See To revoke a certificate:.

    The selected certificates are removed from the user certificate list and a CRL is created with those certificates as entries in the list. If there is already a CRL for the CA that signed the user certificates, the certificates is added to the current CRL.

    note icon If later one or more CAs are deleted, their corresponding CRLs will also be deleted, along with any user certificates that they signed.

Configuring OCSP

FortiAuthenticator also supports Online Certificate Status Protocol (OCSP), defined in RFC 2560. To use OCSP, configure the FortiGate unit to use TCP port 2560 on the FortiAuthenticator IP address.

For example, enter the following to configure OCSP on the FortiGate CLI Console, where the URL is the IP address of the FortiAuthenticator:

config vpn certificate ocsp-server

edit FortiAuthenticator_ocsp

set cert "REMOTE_Cert_1"

set url "http://172.20.120.16:2560"

end

Certificate revocations lists

A certificate revocation list (CRL) is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. The file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.

Some potential reasons certificates can be revoked include:

  • A CA server was hacked and its certificates are no longer trusted.
  • A single certificate was compromised and is no longer trusted.
  • A certificate has expired and cannot be used past its lifetime.

Go to Certificate Management > Certificate Authorities > CRLs to view the CRL list.

The following information is shown:

Import Import a CRL.
Automatic Downloads Select to view automatically downloaded CRLs. Select View CRLs to switch back to the regular CRL view.
Export Save the selected CRL to your computer.
CA Type The CA type of CRL.
Issuer name The name of the issuer of the CRL.
Subject The CRL’s subject.
Revoked Certificates The number of revoked certificates in the CRL.
To import a CRL:
  1. Download the most recent CRL from a CDP. One or more CDPs are usually listed in a certificate under the Details tab.
  2. From the CRL list, select Import.
  3. Select Choose File to locate the file on your computer, then select OK to import the list.
    Note

    Before importing a CRL file, make sure that either a local CA certificate or a trusted CA certificate for this CRL has first been imported.

    When successful, the CRL is displayed in the CRL list on the FortiAuthenticator. You can select it to see the details (see To view certificate details:).

Locally created CRLs

When you import a CRL, it is from another authority. If you are creating your own CA certificates, you can also create your own CRL to accompany them.

As a CA, you sign user certificates. If for any reason you need to revoke one of those certificates, it will go on a local CRL. When this happens you must export the CRL to all your certificate users so they are aware of the revoked certificate.

To create a local CRL:
  1. Create a local CA certificate. See Local CAs.
  2. Create one or more user certificates. See End entities.
  3. Go to Certificate Management > End Entities > Users, select one or more certificates, and select Revoke. See To revoke a certificate:.

    The selected certificates are removed from the user certificate list and a CRL is created with those certificates as entries in the list. If there is already a CRL for the CA that signed the user certificates, the certificates is added to the current CRL.

    note icon If later one or more CAs are deleted, their corresponding CRLs will also be deleted, along with any user certificates that they signed.

Configuring OCSP

FortiAuthenticator also supports Online Certificate Status Protocol (OCSP), defined in RFC 2560. To use OCSP, configure the FortiGate unit to use TCP port 2560 on the FortiAuthenticator IP address.

For example, enter the following to configure OCSP on the FortiGate CLI Console, where the URL is the IP address of the FortiAuthenticator:

config vpn certificate ocsp-server

edit FortiAuthenticator_ocsp

set cert "REMOTE_Cert_1"

set url "http://172.20.120.16:2560"

end