Use this command to manage certificate revocation lists (CRL). You can enable CRL by importing a CRL file or specifying a CRL URL.
A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. The file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.
Some potential reasons for certificates to be revoked include:
You can upload a CRL file or specify a URL for the CRL file.
Online Certificate Status Protocol (OCSP) is an alternative to CRLs. OCSP is useful, for example, when you do not want to deploy CRL files, or when you want to avoid publicly exposing your PKI structure, even if that exposure is only of the revoked certificates.
Before you begin:
config system certificate crl
edit <name>
set crl <certificate>
set http-url <string>
set scep-url <string>
next
end
| Setting | Description |
|---|---|
| crl | Paste the contents of a CRL file between quotation marks, as shown in the example. |
| http-url | Specify an HTTP URL. |
| scep-url | Specify a SCEP URL. |
FortiADC-VM # config system certificate crl
FortiADC-VM (new-crl) # set crl "-----BEGIN X509 CRL-----
> MIIBxTCBrgIBATANBgkqhkiG9w0BAQsFADBrMRMwEQYKCZImiZPyLGQBGRYDb3Jn
> MRcwFQYKCZImiZPyLGQBGRYHY2lsb2dvbjELMAkGA1UEBhMCVVMxEDAOBgNVBAoT
> B0NJTG9nb24xHDAaBgNVBAMTE0NJTG9nb24gU2lsdmVyIENBIDEXDTE1MDMxNzA4
> NDIwM1oXDTE1MDQxNjA4NDIwM1qgDzANMAsGA1UdFAQEAgIR8DANBgkqhkiG9w0B
> AQsFAAOCAQEAxTbPy5RGtqyE9VLAzNReCBlIcq3PxiLyuBkyniSZdwAkE8znwXLh
> CYBRCLhkY87sGBqRB1lU4v31RIVsy4AMuJrL2B2ClOa2aEry+PcMMehKnIZcTtMi
> YBvCDsbZSGM1JsxCGMakDaMCMqIpVwcnwzoY7rYtlvzlDfUJVMs+hTyRcqq326/l
> smNcUkLhy4U5ydqFqMT2SaLXDw7hsxEARU7AHhWssgDgAPk/UdH4IxNNtmNb4mcK
> j+D87pdYeXLcHqqv+OhCS70e/dmTJPwXrn9ZmG6gjBxPb2MUbUNw252JnFaRpj58
> aVuuSGcqLs2fVs1rGLRW4Pw8aHF3cafbew==
> -----END X509 CRL-----"
FortiADC-VM (new-crl) # end
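As an added illustration (not FortiADC's code or part of the original page), the following pure-Python script parses the CRL pasted in the example above with a minimal DER walker, extracts the fields described earlier (issuer, effective date, next update date, revoked serial numbers), and applies the check an importer should make before trusting a list: whether the CRL is still inside its thisUpdate..nextUpdate window. The walker is an assumption of this example and handles only the DER forms a CRL uses; the CRL itself is copied verbatim from the page.

```python
import base64, re
from datetime import datetime, timezone

PEM_CRL = """-----BEGIN X509 CRL-----
MIIBxTCBrgIBATANBgkqhkiG9w0BAQsFADBrMRMwEQYKCZImiZPyLGQBGRYDb3Jn
MRcwFQYKCZImiZPyLGQBGRYHY2lsb2dvbjELMAkGA1UEBhMCVVMxEDAOBgNVBAoT
B0NJTG9nb24xHDAaBgNVBAMTE0NJTG9nb24gU2lsdmVyIENBIDEXDTE1MDMxNzA4
NDIwM1oXDTE1MDQxNjA4NDIwM1qgDzANMAsGA1UdFAQEAgIR8DANBgkqhkiG9w0B
AQsFAAOCAQEAxTbPy5RGtqyE9VLAzNReCBlIcq3PxiLyuBkyniSZdwAkE8znwXLh
CYBRCLhkY87sGBqRB1lU4v31RIVsy4AMuJrL2B2ClOa2aEry+PcMMehKnIZcTtMi
YBvCDsbZSGM1JsxCGMakDaMCMqIpVwcnwzoY7rYtlvzlDfUJVMs+hTyRcqq326/l
smNcUkLhy4U5ydqFqMT2SaLXDw7hsxEARU7AHhWssgDgAPk/UdH4IxNNtmNb4mcK
j+D87pdYeXLcHqqv+OhCS70e/dmTJPwXrn9ZmG6gjBxPb2MUbUNw252JnFaRpj58
aVuuSGcqLs2fVs1rGLRW4Pw8aHF3cafbew==
-----END X509 CRL-----"""  # the CRL pasted in the page's CLI example, copied verbatim

def der_tlv(buf, pos=0):  # read one DER tag-length-value; return (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many length bytes follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # yield the (tag, value) children of a SEQUENCE or SET
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val

def der_time(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18); DER requires Zulu time
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(pem):
    """Issuer CN, validity window and revoked serials of a PEM CRL (RFC 5280 CertificateList)."""
    der = base64.b64decode("".join(re.findall(r"^[A-Za-z0-9+/=]+$", pem, re.M)))
    f = list(der_children(next(der_children(der_tlv(der)[1]))[1]))  # children of TBSCertList
    f = f[1:] if f[0][0] == 0x02 else f  # drop the optional version INTEGER
    # f: signature AlgId, issuer Name, thisUpdate, [nextUpdate], [revokedCertificates], [extensions]
    cn = [val for _, rdn in der_children(f[1][1]) for _, atv in der_children(rdn)
          for (_, oid), (_, val) in [list(der_children(atv))] if oid == b"\x55\x04\x03"]  # commonName
    next_update = der_time(*f[3]) if len(f) > 3 and f[3][0] in (0x17, 0x18) else None
    revoked = [int.from_bytes(next(der_children(entry))[1], "big")  # entry = {serial, date, ...}
               for tag, val in f[3:] if tag == 0x30 for _, entry in der_children(val)]
    return {"issuer_cn": cn[0].decode() if cn else None, "this_update": der_time(*f[2]),
            "next_update": next_update, "revoked_serials": revoked}

def crl_status(info, now=None):  # importer's first check: is now inside thisUpdate..nextUpdate?
    now = now or datetime.now(timezone.utc)
    return ("not-yet-valid" if now < info["this_update"] else
            "stale" if info["next_update"] and now > info["next_update"] else "current")
```

Run against the page's CRL, `parse_crl` reports issuer CN "CILogon Silver CA 1", no revoked serials and a next update of 2015-04-16, so `crl_status` returns "stale" today: a list like this would be accepted by the `set crl` command but protects nothing.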