Certificate Revocation List Commands

You are here: Using the CLI > Context Command Summaries > Certificate Revocation List Commands

Certificate Revocation List Commands

The crl context provides commands for managing Certificate Revocation Lists (or CRLs). CRLs can be used to verify that the certificates used by FortiADC are valid and have not been compromised. A CRL is uploaded to FortiADC using commands in the crl context, and then associated with one or more clusters in the cluster specific context. Whenever a certificate is used to authenticate a connection to the cluster, the CRL is checked to make sure the certificate being used has not been revoked. The supported commands in the crl context are shown in the following tables.

Note - If a CRL attached to a cluster was generated by a Certificate Authority (CA) different from the CA used to generate a client certificate presented when connecting to the cluster, an error occurs. The CRL and client certificate must be signed by the same CA.

Using CRL commands in the global context:

Using CRL Commands in the Global Context
eqcli > certificate certname [cmd ...]	:	Create certname (req_cmds = * commands below)
eqcli > certificate certname cmd ...	:	Modify certname (cmd = any commands below)
eqcli > no certificate certname	:	Delete certname
eqcli > show certificate [certname]	:	Display all certificates or certname
eqcli > certificate certname	:	Change to "cert-certname" context (see below)

Using CRL commands in a CRL specific context:

Using CRL Commands in a CRL specific Context
eqcli crl-crlname> crlfile {edit\|url}	:	Upload the CRL
eqcli crl-crlname> show	:	Display CRL crlname

The arguments to the crlfile command are:

edit - Launch an editor to supply the content of the CRL file.
url - Download the CRL file from the ftp:// or http:// protocol URL supplied on the command line.