certificate crl
Use this command to install a Certificate Revocation List (CRL).
When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the Certificate Revocation List (CRL).
The process for obtaining and installing certificates is as follows:
1. Use the execute vpn certificate local command to generate a CSR.
2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
3. Use the vpn certificate local command to install the signed local certificate.
4. Use the vpn certificate ca command to install the CA certificate.
5. Use the vpn certificate crl command to install the CRL.
Depending on your terminal software, you can copy the certificate and paste it into the command.
The CRL can update automatically via HTTP or Simple Certificate Enrollment Protocol (SCEP).
Syntax
config vpn certificate crl
    edit <crl_name>
        set crl <crl_PEM>
        set ldap-server <ldap_server_name>
        set ldap-username <ldap_username>
        set ldap-password <ldap_password>
        set scep-cert <scep_certificate>
        set scep-url <scep_url>
        set source-ip <ip4_addr>
        set update-vdom <update_vdom>
        set http-url <http_url>
        set update-interval <seconds>
    end
| Variable | Description | Default |
|---|---|---|
| edit <crl_name> | Enter a name for the Certificate Revocation List (CRL). | |
| crl <crl_PEM> | Enter the CRL in PEM format. | |
| ldap-server <ldap_server_name> | Name of the LDAP server, defined in the config user ldap table, used for CRL auto-update. | |
| ldap-username <ldap_username> | LDAP login name. | |
| ldap-password <ldap_password> | LDAP login password. | |
| scep-cert <scep_certificate> | Local certificate used for SCEP communication for CRL auto-update. | Fortinet-Firmware |
| scep-url <scep_url> | URL of the SCEP server used for automatic CRL updates. The URL must begin with http:// or https://. | |
| source-ip <ip4_addr> | Enter the source IP address from which CRL update requests are sent, so that the remote server can verify the request comes from the expected IP. source-ip can be set after the local certificate is generated. | No default. |
| update-vdom <update_vdom> | VDOM used to communicate with the remote SCEP server for CRL auto-update. | root |
| http-url <http_url> | URL of an HTTP server used for automatic CRL updates. The URL must begin with http:// or https://. | |
| update-interval <seconds> | Enter how frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires. | 0 |
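As an added example, not Fortinet's code and not part of this reference, the following stand-alone Python script shows what the PEM-encoded CRL accepted by set crl <crl_PEM> contains and how the update-interval semantics described above play out. It builds a constructed, unsigned sample CRL (marked as such in the code), parses it back with a minimal DER reader from the standard library, extracts the issuer, thisUpdate, nextUpdate and revoked serials, and computes when the next refresh would occur for a given update-interval value (0 means refresh when the CRL expires, i.e. at nextUpdate). The function names build_crl_pem, parse_crl_pem, crl_is_current and next_crl_refresh are this example's own; the FortiGate's internal refresh logic is only modelled from the description on this page, not taken from the product.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# ---- minimal DER encoder: just enough to build a sample X.509 CRL ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):           # non-negative INTEGER, leading 0x00 when the top bit is set
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def utctime(dt):          # UTCTime, YYMMDDHHMMSSZ
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

SHA256_RSA = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))  # sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                                                    # id-at-commonName

def issuer_name(cn):
    return seq(tlv(0x31, seq(tlv(0x06, OID_CN), tlv(0x13, cn.encode()))))

def build_crl_pem(cn, this_update, next_update, revoked):
    """Constructed sample CRL for parsing only: the signature is a dummy all-zero BIT STRING."""
    entries = seq(*(seq(integer(serial), utctime(date)) for serial, date in revoked))
    tbs = seq(integer(1), SHA256_RSA, issuer_name(cn), utctime(this_update), utctime(next_update), entries)
    der = seq(tbs, SHA256_RSA, tlv(0x03, b"\x00" + bytes(32)))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN X509 CRL-----\n" + "\n".join(lines) + "\n-----END X509 CRL-----\n"

# ---- minimal DER reader and CRL parser ----
def _read(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read(content, pos)
        out.append((tag, val))
    return out

def _time(tag, val):                               # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl_pem(pem):
    m = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM-encoded CRL")
    _, crl, _ = _read(base64.b64decode("".join(m.group(1).split())))
    tbs = _children(_read(crl)[1])                 # TBSCertList fields
    i = 1 if tbs[0][0] == 0x02 else 0              # version is optional
    i += 1                                         # skip signature AlgorithmIdentifier
    cn = None
    for _, rdn in _children(tbs[i][1]):            # issuer Name: SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[1] == OID_CN:
                cn = value[1].decode()
    i += 1
    this_update = _time(*tbs[i]); i += 1
    next_update = None
    if i < len(tbs) and tbs[i][0] in (0x17, 0x18):
        next_update = _time(*tbs[i]); i += 1
    revoked = {}
    if i < len(tbs) and tbs[i][0] == 0x30:
        for _, entry in _children(tbs[i][1]):
            serial, date = _children(entry)[:2]
            revoked[int.from_bytes(serial[1], "big")] = _time(*date)
    return {"issuer_cn": cn, "this_update": this_update, "next_update": next_update, "revoked": revoked}

def crl_is_current(info, now):
    """A CRL is usable between thisUpdate and nextUpdate; after nextUpdate it has expired."""
    return info["this_update"] <= now and (info["next_update"] is None or now < info["next_update"])

def next_crl_refresh(info, update_interval, now):
    """Models the update-interval rule on this page: 0 refreshes only when the CRL expires."""
    if update_interval == 0:
        return info["next_update"]
    return now + timedelta(seconds=update_interval)

# constructed sample data (not a real CA or real revocations)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_PEM = build_crl_pem("Example CA", T0, T0 + timedelta(days=7), [(0x1001, T0), (42, T0)])

if __name__ == "__main__":
    info = parse_crl_pem(SAMPLE_PEM)
    print(info["issuer_cn"], sorted(info["revoked"]), "expires", info["next_update"])
    print("refresh with update-interval 0:", next_crl_refresh(info, 0, T0))
    print("refresh with update-interval 3600:", next_crl_refresh(info, 3600, T0))
```

Before pasting a real CRL into set crl, this is the kind of check worth running: confirm the issuer matches the CA installed with vpn certificate ca, and look at nextUpdate, because with update-interval left at 0 the unit will not fetch a fresh CRL from the http-url or SCEP server before that time.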