Secure connections (SSL/TLS) : Revoking certificates
Revoking certificates
To ensure that your FortiADC appliance validates only certificates that have not been revoked, you should periodically upload a current certificate revocation list (CRL), which may be provided by certificate authorities (CA).
Alternatively, you can use HTTP or online certificate status protocol (OCSP) to query for certificate status. This can be useful when you do not want to deploy CRL files, for example, or want to avoid the public exposure of your PKI structure even if it is only invalid certificates. For more information, see “Revoking certificates by OCSP query”.
To view or upload a CRL file
1. Go to System > Certificates > CRL.
To access this part of the web UI, your administrator's account access profile must have Read-Write permission to items in the System category. For details, see “Permissions”.
2. To upload a CRL file, click Import.
A dialog appears.
3. Do one of the following to locate a CRL file:
Select HTTP, then enter the URL of an HTTP site providing a CRL service.
Select SCEP, then enter the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediate network devices to generate CSRs and/or download certificates.)
Select Local PC, then browse to locate a CRL file.
4. Click Import.
The imported CRL file appears on System > Certificates > CRL with a name automatically assigned by the FortiADC appliance, such as CRL_1.
5. To use the CRL for client PKI authentication, select the CRL in a certificate verification rule (see “Configuring FortiADC to validate certificates”).
See also
Revoking certificates by OCSP query