yiWp
New Member
July 19, 2017
Question

revoke certificate (ipsec vpn)

  • July 19, 2017
  • 1 reply
  • 12489 views

Hello,


Short question: how do I revoke a single certificate used for a certificate-authenticated IPsec VPN?

I've used openssl to generate the CA and user certificates. Let's say one laptop was stolen; how do I revoke its certificate to block connections?


There is an option to import CRL... but what next? :)


    xsilver_FTNT
    Staff
    July 20, 2017

    Hi,


    Use your CA to revoke that cert, and make the CA list it in the CRL.

    Check the CRL on your CA, or the revoked cert, and look for the CRLDistributionPoint URL.

    Then you can either export the CRL on the CA and import it into FortiOS, or set the FortiGate to periodically check and refresh the CRL from the CA, for example via HTTP.

    In FortiOS, use the GUI or CLI to import it, or to automatically keep the latest CRL.

    From CLI point of view it might look like this:


    config certificate crl
        edit "CA.crl"
            set http-url "http://yourCA.example.com/cert/crl/example.rootCA.crl"
            set update-interval 300
        next
    end

    Debug: the commands below, or 'show full certificate crl', or in the GUI show or download the CRL to see the revoked certs.

    Be aware that the GUI overview just shows the first 100 revoked certs, so if the list is expected to be longer, then download what the FortiGate got from the CRL Distribution Point, or simply download the list yourself by following that link and you should be offered the CRL file.


    diag debug application crl-update -1

    diag debug enable


    For the actual OpenSSL cert handling, how about Googling something like this from StackOverflow?

    https://stackoverflow.com...t-have-the-certificate


    Regards,

    Tomas
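    The OpenSSL side of the answer above (revoke the cert with your CA, have the CA list it in the CRL, then verify against that CRL the way the gateway does), as an added example that is not part of this thread. It builds a throwaway CA with constructed names (vpn-ca, laptop1, laptop2) in a scratch directory, revokes the stolen laptop's certificate, regenerates the CRL as example.rootCA.crl (the file name the FortiGate's http-url above would fetch) and checks both client certs against it.

```shell
# Added example (not from the thread): a minimal openssl CA that revokes one
# client certificate and produces the CRL a FortiGate imports or fetches.
# Names (vpn-ca, laptop1, laptop2) and the scratch directory are constructed.
set -e
CA="${CA:-$(mktemp -d)/ca}"

setup_ca() {  # self-signed CA plus the config 'openssl ca' needs
    mkdir -p "$CA"; touch "$CA/index.txt"; echo 01 >"$CA/serial"; echo 01 >"$CA/crlnumber"
    cat >"$CA/ca.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$CA/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=vpn-ca" -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null
}
issue_cert() {  # $1 = client name: CSR, then a CA-signed user cert
    openssl req -new -config "$CA/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$CA/$1.key" -out "$CA/$1.csr" 2>/dev/null
    openssl ca -batch -config "$CA/ca.cnf" -in "$CA/$1.csr" -out "$CA/$1.crt" 2>/dev/null
}
revoke_cert() {  # mark $1 revoked in the CA database, then regenerate the CRL
    openssl ca -config "$CA/ca.cnf" -revoke "$CA/$1.crt" -crl_reason keyCompromise 2>/dev/null
    # publish this file at the http-url the FortiGate polls (example.rootCA.crl above)
    openssl ca -config "$CA/ca.cnf" -gencrl -out "$CA/example.rootCA.crl" 2>/dev/null
}
check_cert() {  # what the gateway does: chain $1 to the CA and consult the CRL
    cat "$CA/ca.crt" "$CA/example.rootCA.crl" >"$CA/ca_with_crl.pem"
    openssl verify -crl_check -CAfile "$CA/ca_with_crl.pem" "$CA/$1.crt" >/dev/null 2>&1
}
```

    check_cert exits 0 for a certificate the CRL still permits and non-zero for a revoked one; until the gateway has the new CRL (import or update-interval), the revoked cert is still accepted, so the refresh interval is part of the blocking time.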

    yiWp (Author)
    New Member
    July 21, 2017

    Thanks, I'm gonna do some tests this weekend :)