Technical Tip: Understanding the setting of 'chain-crl-absence' in FortiGate Certificate Validation

Description

This article describes the 'chain-crl-absence' option under VPN certificate settings in FortiGate, and provides guidance on troubleshooting certificate validation failures when this option is set to 'revoke'.

Scope

FortiGate.

Solution

The 'chain-crl-absence' setting is configured under:

config vpn certificate setting
    config crl-verification
        set chain-crl-absence [ignore|revoke]
    end
end

This option determines how FortiGate handles certificate validation when the Certificate Revocation List (CRL) for any Certificate Authority (CA) in the certificate chain is missing.

This is particularly relevant in deployments requiring strict certificate validation, such as Dial-up IPsec VPN with certificate-based authentication. Details can be found in: 

Technical Tip: Configuring CRL check for Dialup IPsec VPN with certificate authentication using FortiAuthenticator as the CRL provider 

Explanation of each action for this setting:

ignore(default): CRL verification is ignored if the CRL of any CA certificate in the chain is absent.

revoke: Certificate will be revoked if the CRL of any CA certificate in the chain is absent.

The default action is 'ignore', which means FortiGate ignores missing CRLs in the certificate chain. When it comes to the scenario of the Dialup VPN certificate authentication, Certificate validation proceeds even if CRLs for intermediate or root CAs are not available.

When this option is changed to 'revoke', FortiGate requires each CA certificate in the Certificate Chain to have CRL imported in the FortiGate. This includes CRL for all Intermediate CA and Root CA. 

If the CRL for any CA in the certificate chain (intermediate or root) is missing, the certificate is treated as revoked. As a result, certificate authentication fails, and the IPsec tunnel cannot be established.

To diagnose certificate validation issues, enable the following debug commands:

diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug enable

In the following example, errors can be observed as highlighted:

[1720] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=44338175
[1639] auth_cert_success-id=44338175
[1068] fnbamd_cert_auth_copy_cert_status-req_id=44338175
[1076] fnbamd_cert_auth_copy_cert_status-Matched peer user 'hub_peer'
[833] fnbamd_cert_check_matched_groups-checking group with name 'hub_peer'
[895] fnbamd_cert_check_matched_groups-matched
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1120] fnbamd_cert_auth_copy_cert_status-CRL of cert depth 0 is absent.
[1120] fnbamd_cert_auth_copy_cert_status-CRL of cert depth 1 is absent.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2a0, req_id=44338175
[209] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 44338175, len=2546
ike 0:hub:6: certificate validation failed
ike 0:hub:6: certificate validation failed
ike 0:hub:6: auth verify done
ike 0:hub:6: responder AUTH continuation
ike 0:hub:6: authentication failed
ike 0:hub: connection expiring due to phase1 down
ike 0:hub: deleting
ike 0:hub: deleted

The first error, 'fnbamd_cert_auth_copy_cert_status-CRL of cert depth 0 is absent', indicates the CRL at depth 0 is missing, which corresponds to the intermediate CA certificate that signed this client certificate.

The second error, 'fnbamd_cert_auth_copy_cert_status-CRL of cert depth 1 is absent' indicates the CRL at depth 1 is missing, which corresponds to the root CA.

These errors indicate that the CRLs for both the intermediate CA and root CA have not been imported into the FortiGate.

So, the following instructions need to be followed to upload the CRL into FortiGate for each CA:

Certificate Revocation List