Bodyak
Explorer
February 13, 2025
Question

Revoke certificate for ipsec with CRL


Hello.
Please tell me:
We are trying to revoke an IPsec certificate using a CRL updated via SCEP.
The CRL is added and updated correctly, but the certificate remains in Valid status.

How can I revoke a certificate for IPsec VPN using a CRL?
And why doesn't the FortiGate change the certificate to Invalid status if its serial number is in the CRL?

2 replies

Anthony_E
Staff
February 14, 2025

Hello,

To revoke an IPsec certificate using a Certificate Revocation List (CRL) updated via SCEP:

  1. Obtain the updated CRL using SCEP from the CA server.
  2. Import the CRL to the FortiGate unit. Using the GUI: go to System -> Certificates -> CRLs and click 'Import'. Select the appropriate options based on your CRL source (HTTP, LDAP, SCEP). Click Import.
  3. Execute the command: `execute system certificate crl import auto <CRL_name>`

Best Regards
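A stand-alone check of the condition the question describes (is the peer certificate's serial number listed in a CRL that really comes from its issuer), added here as an example; it is not code from FortiGate or from this thread. It assumes the Python `cryptography` library and constructs its own test CA, VPN certificate and CRL in memory, and it also reports the cases in which a CRL that looks correct must still be ignored: wrong issuer, bad signature, or a nextUpdate already in the past.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)  # single clock reference for the demo
DAY = datetime.timedelta(days=1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca(cn):
    key = ec.generate_private_key(ec.SECP256R1())  # constructed test CA, not a real issuer
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, cn, serial):
    """End-entity (VPN peer) certificate with a chosen serial, signed by the test CA."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(leaf_key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + 30 * DAY)
            .sign(ca_key, hashes.SHA256()))

def make_crl(signing_key, issuer_cert, revoked_serials):
    """CRL that names issuer_cert's subject as issuer and lists the given serials."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
               .last_update(NOW).next_update(NOW + 7 * DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                                  .serial_number(serial).revocation_date(NOW).build())
    return builder.sign(signing_key, hashes.SHA256())

def revocation_status(cert, crl, ca_cert):
    """Return 'revoked', 'valid', or the reason this CRL cannot be trusted for this cert."""
    if crl.issuer != cert.issuer:       # a CRL from another CA says nothing about this cert
        return "crl-issuer-mismatch"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-bad-signature"      # not actually issued by the CA we trust
    nxt = getattr(crl, "next_update_utc", None)  # older cryptography lacks the _utc form
    if (nxt or crl.next_update.replace(tzinfo=datetime.timezone.utc)) < NOW:
        return "crl-expired"            # stale CRL: refresh it before relying on it
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"
```

To check a real pair, load the objects with `x509.load_pem_x509_certificate` and `x509.load_pem_x509_crl` and pass them to `revocation_status` together with the issuing CA certificate.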
Bodyak (Author)
Explorer
February 14, 2025

Thanks for the answer.
We will import the CRL list to the device. But the certificate that we want to revoke has the Valid status.
How can we change the status? Or how will the FortiGate understand that the certificate has been revoked and cannot be used for IPsec?
In FortiOS 7.2 there is no strict-crl-check parameter, from the article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-strict-CRL-check/ta-p/190669?externalID=FD45219