Administration Guide

Revoking certificates

To ensure that FortiWeb validates only certificates that have not been revoked, you should periodically upload the current certificate revocation lists (CRLs) that certificate authorities (CAs) may provide. Once you've uploaded the CRLs you want to use, create CRL groups to include in your FortiWeb configuration.

To view or upload a CRL file
  1. Go to Server Objects > Certificates > CRL and select the CRL tab.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
  2. Click Import.
  3. Do one of the following to import a CRL file:
    • Select HTTP, then enter the URL of an HTTP site providing a CRL service.
    • Select SCEP, then enter the URL of the applicable Simple Certificate Enrollment Protocol (SCEP) server. SCEP allows routers and other intermediate network devices to obtain certificates.
    • Select Local PC, then browse to locate a certificate file.
    Note: The maximum size for a CRL file is 4 MB.
  4. Click OK.
    The imported CRL file appears on Server Objects > Certificates > CRL with a name automatically assigned by the FortiWeb appliance, such as CRL_1.
  5. To use the CRL for client PKI authentication, add the CRL to a CRL group and select that group in a certificate verification rule. For details, see Configuring FortiWeb to validate client certificates.

To create a CRL group
  1. Go to Server Objects > Certificates > CRL and select the CRL Group tab.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
  2. Click Create New and enter a name for the group. You will use this name to select the CRL group in other parts of the configuration. The maximum length is 63 characters.
  3. Click OK.
  4. Click Create New to add a CRL to the group.
  5. Select a CRL from the drop-down menu to include in the group.
  6. Click OK.
  7. Repeat the above steps to include additional CRLs in the group.
  8. To use the CRL group for client PKI authentication, select the CRL group in a certificate verification rule. For details, see Configuring FortiWeb to validate client certificates.
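
A pre-import check for the upload procedure above, as an added example (not Fortinet code): it reads thisUpdate and nextUpdate from a PEM or DER CRL with only the Python standard library and reports a file that is over the 4 MB limit or no longer current. The function names are hypothetical, the limit is read as 4 MiB, and the CRL signature is not verified.

```python
import base64
from datetime import datetime, timezone

MAX_CRL_BYTES = 4 * 1024 * 1024  # the guide's 4 MB limit, read as 4 MiB (assumption)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware datetime."""
    s = value.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years >= 50 mean 19YY, otherwise 20YY
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(data):
    """Return (thisUpdate, nextUpdate or None) from a PEM or DER CRL."""
    if b"-----BEGIN X509 CRL-----" in data:
        data = base64.b64decode(b"".join(l.strip() for l in data.splitlines() if b"-----" not in l))
    tag, cert_list, _ = _tlv(data, 0)      # CertificateList
    tbs_tag, tbs, _ = _tlv(cert_list, 0)   # TBSCertList
    times, pos = [], 0
    while pos < len(tbs):  # the only top-level Time fields are thisUpdate and nextUpdate
        t, v, pos = _tlv(tbs, pos)
        if t in (0x17, 0x18):
            times.append(_time(t, v))
    if tag != 0x30 or tbs_tag != 0x30 or not times:
        raise ValueError("not a CertificateList")
    return times[0], (times[1] if len(times) > 1 else None)

def precheck(data, now):
    """List reasons not to import this CRL file; an empty list means it looks current."""
    problems = ["larger than 4 MB"] if len(data) > MAX_CRL_BYTES else []
    try:
        this_update, next_update = crl_validity(data)
    except (ValueError, IndexError):
        return problems + ["not a parseable CRL"]
    if this_update > now:
        problems.append("thisUpdate is in the future")
    if next_update is None or next_update <= now:
        problems.append("stale or no nextUpdate")
    return problems
```

Call `precheck(open(path, "rb").read(), datetime.now(timezone.utc))` on the downloaded file before using Local PC import; any returned string is a reason to fetch a newer CRL from the CA first.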
