Purpose
This article shows the configuration necessary to enable CRL updates over LDAP in a Microsoft CA environment.
Expectations, Requirements
The following information is required:
- CA certificate file
- CRL file (optional)
- LDAP server addresses or DNS names to be used for retrieving the CRL
- LDAP server username and password for connectivity (required by Microsoft Active Directory)
- LDAP object location where the CRL is stored
Configuration
Using the GUI, go to System, Config, Features, and make sure you have "Certificates" enabled.
Import the CA file. This is performed under System, Config, Certificates. You can rename the system generated name to be more descriptive, by using the CLI:
FGT # config vpn certificate ca
FGT (ca) # rename CA_Cert_1 to Example-CA
FGT (ca) # end
Next, create the LDAP object that will be used to retrieve the CRLs. For this we require the full LDAP path where the CRL is located. This can be obtained by the following means:
- The CA administrator
- The CA website
- The CRL file itself
- An issued certificate from that CA
If you have the CRL file, you can import it directly by choosing Local PC on the System, Certificates, CRL page. Then open the imported entry to view its details; you should see the LDAP location (as shown in the Verification section further below).
[Screenshot: the CRL location as shown in a web server certificate] [Screenshot: the CRL location as shown in a CRL file]
NOTE: If you select the highlighted section above, you can copy and paste it by using Control-C.
In this case, the CRL path is:
CN=Example%20Root%20Authority,CN=vsrvz-svb25,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=org
However, we must replace each "%20" instance with a space, which yields this CRL path:
CN=Example Root Authority,CN=vsrvz-svb25,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=org
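The decoding step above, worked through as an added example that is not part of the original article: it splits an LDAP distribution point into its DN, attribute, scope and filter (RFC 4516 layout), turns each "%20" back into a space, and renders the resulting DN into the "config user ldap" entry used later in this article. The sample URI is taken from the Freshest CRL extension shown in the Verification section; the object name, server address and CA certificate name are placeholders.

```python
from urllib.parse import unquote, urlsplit

# Constructed from the Freshest CRL extension in the verification section below.
CDP_URI = ("ldap:///CN=Example%20Root%20Authority,CN=vsrvz-svb25,CN=CDP,"
           "CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=org"
           "?deltaRevocationList?base?objectClass=cRLDistributionPoint")


def parse_cdp_ldap_uri(uri):
    """Split an LDAP CRL distribution point into dn/attribute/scope/filter.

    Accepts the full RFC 4516 form ldap://host/DN?attr?scope?filter found in a
    certificate's CDP or Freshest CRL extension, or a bare percent-encoded DN
    copied from a CA console.  Omitted fields take the RFC 4516 defaults.
    """
    if uri.lower().startswith(("ldap://", "ldaps://")):
        parts = urlsplit(uri)
        host = parts.netloc or None           # "ldap:///" leaves the host to the client
        encoded_dn = parts.path.lstrip("/")
        fields = parts.query.split("?") if parts.query else []
    else:
        host, encoded_dn, fields = None, uri, []
    fields += [""] * (3 - len(fields))
    attribute = unquote(fields[0]) or None
    return {
        "host": host,
        "dn": unquote(encoded_dn),            # each %20 becomes a space again
        "attribute": attribute,
        # deltaRevocationList holds the delta CRL; the base CRL lives in the
        # certificateRevocationList attribute of the same CDP object.
        "delta_crl": attribute == "deltaRevocationList",
        "scope": fields[1] or "base",
        "filter": unquote(fields[2]) or "(objectClass=*)",
    }


def fortigate_ldap_stanza(name, server, dn, ca_cert):
    """Render the 'config user ldap' entry with the decoded DN (LDAPS on 636,
    as in the article).  Refuses a DN that still carries percent-encoding."""
    if "%" in dn:
        raise ValueError("DN still contains percent-encoding: " + dn)
    return "\n".join([
        "config user ldap", f'    edit "{name}"', f'        set server "{server}"',
        '        set cnid "cn"', f'        set dn "{dn}"', "        set port 636",
        "        set secure ldaps", f'        set ca-cert "{ca_cert}"', "    next", "end",
    ])
```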
Using the GUI, go to User&Device, Authentication, LDAP servers, and click "Create New." Provide the LDAP server information; the Distinguished Name is the path above. The Bind Type can be left at the default (Simple), as the LDAP account information will be provided in the CRL section.
The same LDAP server object can be created via the CLI:
config user ldap
edit "LDAP-CRL"
set server "10.150.0.55"
set cnid "cn"
set dn "CN=Example Root Authority,CN=vsrvz-svb25,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=org"
set port 636
set secure ldaps
set ca-cert "Example-CA"
next
end
If you imported the CRL, you must edit the entry, select the LDAP server, and enter the fully qualified LDAP username and password.
You can also create the CRL entry via the CLI:
config vpn certificate crl
edit "CRL_1"
set ldap-server "LDAP-CRL"
set ldap-username "CN=LDAP account,CN=Users,DC=example,DC=org"
set ldap-password <the-password>
next
end
Once the CRL entry has been created, you can adjust the update interval via the CLI. The example below shows CRL updates being done every 24 hours.
config vpn certificate crl
edit "CRL_1"
set update-interval 86400
next
end
You can also rename the system generated name to something more descriptive, using the CLI:
FGT # config vpn certificate crl
FGT (crl) # rename CRL_1 to vsrvz-svb25-CRL
FGT (crl) # end
FGT #
Verification
The CRL should show something under Subject:
If you select the certificate and choose "View Certificate Detail", you should see lots of CRL details:
Using the CLI, the "crl" field should be populated, as seen below:
FGT # config vpn certificate crl
FGT (crl) # edit vsrvz-svb25-CRL
FGT (vsrvz-svb25-CRL) # get
name : vsrvz-svb25-CRL
crl :
issuer: /CN=Example Root Authority
last update: 2014-09-02 19:53:15 GMT
next update: 2014-09-10 08:13:15 GMT
version: 2
Serial Num:
21:fb:7f:69:00:00:00:00:00:07
Extensions:
Name: X509v3 Authority Key Identifier
Critical: no
Content:
keyid:97:B3:01:66:A9:C9:AA:CA:57:DF:69:D6:F5:7E:27:51:16:37:2E:3E
Name: 1.3.6.1.4.1.311.21.1
Critical: no
Content:
...
Name: X509v3 CRL Number
Critical: no
Content:
15
Name: 1.3.6.1.4.1.311.21.4
Critical: no
Content:
140909200315Z .
Name: X509v3 Freshest CRL
Critical: no
Content:
Full Name:
URI:ldap:///CN=Example%20Root%20Authority,CN=vsrvz-svb25,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=org?deltaRevocationList?base?objectClass=cRLDistributionPoint
http-url :
ldap-server : LDAP-CRL
scep-cert : Fortinet_Firmware
scep-url :
source-ip : 0.0.0.0
update-interval : 86400
update-vdom : root
ldap-password : *
ldap-username : CN=LDAP account,CN=Users,DC=example,DC=org
FGT (vsrvz-svb25-CRL) # end
Troubleshooting
In the case of CRL update failures, a packet capture of the LDAP exchange between the FortiGate and the LDAP server is required to determine the reason for the failure. If LDAPS or STARTTLS is enabled, it may be necessary to temporarily remove the encryption so the LDAP query and response can be seen; the bind credentials then cross the network in clear text, so restore the encryption once the capture is done. Additionally, troubleshooting may need to be performed on the LDAP server itself.
Failed CRL update log message:
date=2014-09-09 time=00:28:49 logid=0101041990 type=event subtype=vpn level=information vd="root" action="alert" cert-type=CRL status="failure" name="vsrvz-svb25-CRL" method="LDAP" msg="Certificate update failed"
Successful CRL update log message:
date=2014-09-09 time=00:29:40 logid=0101041987 type=event subtype=vpn level=information vd="root" action="info" cert-type=CRL status="success" name="vsrvz-svb25-CRL" method="LDAP" msg="A certificate is updated"
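An added example, not part of the original article, that turns the two log messages above into a monitoring check: it parses FortiGate key=value event lines, reports which CRL entries most recently failed to update, and verifies that the configured update-interval is shorter than the CRL validity window shown by "get" in the Verification section (otherwise the unit would keep validating against an expired CRL). The log lines are constructed after the two shown above; the second CRL name is a placeholder.

```python
import shlex
from datetime import datetime, timedelta

# Constructed sample log lines, modelled on the two messages above.
SAMPLE_LOGS = [
    'date=2014-09-09 time=00:28:49 logid=0101041990 type=event subtype=vpn level=information '
    'vd="root" action="alert" cert-type=CRL status="failure" name="vsrvz-svb25-CRL" '
    'method="LDAP" msg="Certificate update failed"',
    'date=2014-09-09 time=00:29:40 logid=0101041987 type=event subtype=vpn level=information '
    'vd="root" action="info" cert-type=CRL status="success" name="vsrvz-svb25-CRL" '
    'method="LDAP" msg="A certificate is updated"',
    # placeholder second CRL entry whose last attempt failed
    'date=2014-09-09 time=00:31:02 logid=0101041990 type=event subtype=vpn level=information '
    'vd="root" action="alert" cert-type=CRL status="failure" name="Example-Sub-CRL" '
    'method="LDAP" msg="Certificate update failed"',
]


def parse_fortigate_log(line):
    """Split a FortiGate key=value event line into a dict.  shlex keeps quoted
    values with spaces, such as msg="Certificate update failed", in one token."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def crl_update_state(lines):
    """Map each CRL name to (status, date, time) of its most recent update event."""
    state = {}
    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("type") != "event" or ev.get("cert-type") != "CRL":
            continue
        state[ev["name"]] = (ev["status"], ev["date"], ev["time"])
    return state


def failing_crls(lines):
    """Names of CRL entries whose latest update attempt did not succeed."""
    return sorted(n for n, (status, _, _) in crl_update_state(lines).items() if status != "success")


def refresh_interval_ok(last_update, next_update, update_interval_s):
    """True when the unit refreshes the CRL (update-interval, seconds) before the
    current CRL's 'next update' passes.  Timestamps use the CLI 'get' format."""
    fmt = "%Y-%m-%d %H:%M:%S GMT"
    validity = datetime.strptime(next_update, fmt) - datetime.strptime(last_update, fmt)
    return timedelta(seconds=update_interval_s) < validity
```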