Revoking certificates

To ensure that FortiWeb validates only certificates that have not been revoked, you should periodically upload current certificate revocation lists (CRLs), which certificate authorities (CAs) may provide. Once you've uploaded the CRLs you want to use, create CRL groups to include in your FortiWeb configuration.

To view or upload a CRL file

1.  Go to System > Certificates > CRL and select the CRL tab.

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.

2.  Click Import.

3.  Do one of the following to import a CRL file:

Note: The maximum size for a CRL file is 4 MB.

4.  Click OK.

The imported CRL file appears on System > Certificates > CRL with a name automatically assigned by the FortiWeb appliance, such as CRL_1.

5.  To use the CRL for client PKI authentication, add the CRL to a CRL group and select that group in a certificate verification rule. For details, see Configuring FortiWeb to validate client certificates.
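A pre-import check for the two conditions this procedure depends on, that the file is within the size limit and that the CRL is still current. This is an added example, not Fortinet code: the function names and the embedded sample CRL are constructed for illustration, 4 MB is assumed to mean 4 × 1024 × 1024 bytes, and the CRL signature is not verified.

```python
import base64
from datetime import datetime, timezone
MAX_CRL_BYTES = 4 * 1024 * 1024  # page gives a 4 MB limit; binary megabytes assumed
# Constructed sample (dummy signature): thisUpdate 2024-01-01, nextUpdate 2024-01-08
_ALG = "300d06092a864886f70d01010b0500"  # sha256WithRSAEncryption
SAMPLE_CRL = bytes.fromhex(
    "30633047020101" + _ALG + "30153113301106035504030c0a4578616d706c65204341"
    "170d3234303130313030303030305a170d3234303130383030303030305a"
    + _ALG + "0309" + "00" * 9)

def _tlv(buf, pos):  # read one DER element: returns (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280 maps 50-99 to 19xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_update_times(data):
    """Return (thisUpdate, nextUpdate or None) from a PEM or DER encoded CRL."""
    if data.lstrip().startswith(b"-----BEGIN X509 CRL-----"):
        data = base64.b64decode(data.split(b"-----")[2])
    tbs = _tlv(_tlv(data, 0)[1], 0)[1]  # CertificateList -> TBSCertList
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0x02:  # skip the optional version INTEGER
        fields = fields[1:]
    # remaining order: signature algorithm, issuer, thisUpdate, [nextUpdate]
    has_next = len(fields) > 3 and fields[3][0] in (0x17, 0x18)
    return _time(*fields[2]), (_time(*fields[3]) if has_next else None)

def check_crl(data, now=None):
    """Return reasons not to import this CRL; an empty list means it is current."""
    now = now or datetime.now(timezone.utc)
    _, next_update = crl_update_times(data)
    problems = ["larger than the 4 MB import limit"] if len(data) > MAX_CRL_BYTES else []
    if next_update is None:
        problems.append("no nextUpdate, freshness cannot be judged")
    elif next_update <= now:
        problems.append("stale: nextUpdate has passed")
    return problems
```

Pass the raw file contents, for example `check_crl(open(path, "rb").read())`; any `now` value you supply must be timezone-aware.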

To create a CRL group

1.  Go to System > Certificates > CRL and select the CRL Group tab.

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.

2.  Click Create New and enter a name for the CRL group. You will use this name to select the CRL group in other parts of the configuration. The maximum length is 63 characters.

3.  Click OK.

4.  Click Create New to add a CRL to the group.

5.  Select a CRL from the drop-down menu to include in the group.

6.  Click OK.

7.  Repeat the above steps to include additional CRLs in the group.

8.  To use the CRL group for client PKI authentication, select the CRL group in a certificate verification rule. For details, see Configuring FortiWeb to validate client certificates.