FortiGate
edyrmishi
Staff
Article Id 417946
Description

This article describes how to configure Certificate Revocation List (CRL) checking for dial-up IPsec VPN users who authenticate with certificates on a FortiGate, so that a user whose certificate has been revoked can no longer connect. Both the file-based (manual) CRL import and the online CRL updating method are covered. In this setup, FortiAuthenticator is the CA that issues the user certificates and publishes the CRL.

Scope

FortiGate, FortiAuthenticator.
Solution

Prerequisites:

  • A fully functional dial-up IPsec VPN with certificate-based authentication (peer authentication by certificate, not pre-shared key).
  • The CA certificate that signs the CRL (here, the FortiAuthenticator local CA that issued the user certificates) has been imported into the FortiGate as a trusted CA certificate.

 

Note:

If the CA certificate that signs the CRL has not been imported into the FortiGate, the CRL import fails with an error, because the FortiGate cannot validate the CRL signature against a trusted issuer.

photo1.png (error shown when importing the CRL without its issuing CA certificate)

 

  1. Importing the CRL Using the File-Based (Manual) Method:
  • On the FortiAuthenticator, go to Certificate Management -> Certificate Authorities -> CRLs -> Local CA -> Select -> Export. A .crl file is downloaded to the local machine.
  • On the FortiGate, go to System -> Certificates -> Create/Import -> CRL -> Import Method: File Based -> Upload.

 

Select and upload the downloaded .crl file. Once imported, the CRL appears in the Certificates -> CRL section. Double-clicking the entry displays the list of revoked certificate serial numbers. A file-based CRL is static: the FortiGate does not refresh it on its own, so it must be re-exported from the FortiAuthenticator and re-imported after each revocation, and before the CRL's Next Update time passes.

 

  2. Importing the CRL Using the Online Updating Method:
  • On the FortiAuthenticator, CRL downloads must be enabled on the interface that will receive the FortiGate's requests: go to Network -> Interfaces -> Edit (selected interface) -> Services -> Enable HTTP/HTTPS -> Enable CRL Downloads.

 

photo2.png (FortiAuthenticator interface services with CRL Downloads enabled)

 

Before configuring the FortiGate, verify the CRL URL from a web browser (or with curl) on a host that reaches the FortiAuthenticator interface. A correctly configured URL returns the CRL file as a download when accessed; an HTML page or an error means the path, the CA name or the interface services are wrong.

Correct URL Format: 'http://<FortiAuthenticator_Interface_IP_Address>/app/cert/crl/<rootCA>.crl'.

The CRL is served over plain HTTP. This is acceptable because the CRL is signed by the CA and the FortiGate validates that signature against the CA certificate imported as a prerequisite, so a modified CRL is rejected. What HTTP does not prevent is replay of an older, still-valid CRL that omits a recent revocation, which is why the CRL's Next Update time and the FortiGate's update interval matter.

 

On the FortiGate, go to System -> Certificates -> Create/Import -> CRL -> Import Method: Online Updating -> HTTP -> URL.

 

Enter the verified URL. The FortiGate downloads the CRL, and the imported CRL then appears in the Certificates -> CRL section.

 

CLI Configuration Example:

 

config vpn certificate crl
      edit "CRL_1"
            set range global
            set http-url "http://<FortiAuthenticator_Interface_IP_Address>/app/cert/crl/<rootCA>.crl"
            set update-interval 10
      next
end

 

Note:

The update interval is in seconds. A low value keeps the CRL current, so a newly revoked certificate is rejected soon after revocation, but a very small value (such as the 10 seconds above) makes the FortiGate poll the FortiAuthenticator almost continuously; choose a value that balances revocation latency against load. A value of 0 refreshes the CRL only when the current one expires (its Next Update time).

config vpn certificate crl
      edit {name}
            set update-interval <seconds>
      next
end
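The two checks the FortiGate performs against an imported CRL, whether the presented certificate's serial number appears in the revoked list and whether the CRL is still within its Next Update window, can be reproduced offline to see what the update interval protects. The following Python script is an added example and not Fortinet code: it parses a DER CRL with a minimal ASN.1 reader and runs both checks against the two serial numbers from this article. The CRL bytes are constructed inside the script with a toy DER encoder, under an assumed issuer name ('Sample Root CA') and a dummy signature, so signature validation, which the FortiGate performs with the imported CA certificate, is not modelled.

```python
# Added example (not from the original article): minimal DER CRL parser plus
# the two checks a CRL consumer performs. The CRL bytes are CONSTRUCTED here
# with a tiny DER encoder; they are not a real FortiAuthenticator CRL and carry
# a dummy signature, so signature verification is intentionally not modelled.
import datetime as dt

# ---- minimal DER encoder (only used to build the constructed sample CRL) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):                      # non-negative INTEGER, sign-padded
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_utctime(t):                  # UTCTime, YYMMDDHHMMSSZ
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

def der_seq(*items):
    return tlv(0x30, b"".join(items))

SHA256_RSA = der_seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))
ISSUER = der_seq(tlv(0x31, der_seq(tlv(0x06, bytes.fromhex("550403")),      # CN=
                                   tlv(0x0C, b"Sample Root CA"))))        # assumed name

def build_sample_crl(revoked_serials, this_update, next_update):
    entries = der_seq(*(der_seq(der_int(s), der_utctime(this_update)) for s in revoked_serials))
    tbs = der_seq(der_int(1), SHA256_RSA, ISSUER, der_utctime(this_update),
                  der_utctime(next_update), entries)
    return der_seq(tbs, SHA256_RSA, tlv(0x03, b"\x00" * 33))   # dummy signature BIT STRING

# ---- minimal DER reader ----
def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):            # 0x17 UTCTime or 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def parse_crl(der):
    """Return thisUpdate, nextUpdate and {serial: revocationDate} from a DER CRL."""
    _, crl_body, _ = der_read(der, 0)
    _, tbs, _ = der_read(crl_body, 0)          # tbsCertList
    f = der_children(tbs)
    i = 1 if f[0][0] == 0x02 else 0            # optional version, then sigAlg, issuer
    this_update = parse_time(*f[i + 2])
    next_update, revoked, j = None, {}, i + 3
    if j < len(f) and f[j][0] in (0x17, 0x18):
        next_update, j = parse_time(*f[j]), j + 1
    if j < len(f) and f[j][0] == 0x30:         # revokedCertificates
        for _, entry in der_children(f[j][1]):
            (_, serial), (ttag, tval) = der_children(entry)[:2]
            revoked[int.from_bytes(serial, "big")] = parse_time(ttag, tval)
    return {"thisUpdate": this_update, "nextUpdate": next_update, "revoked": revoked}

def check_serial(crl, serial_hex, now):
    """'stale' if the CRL is past nextUpdate, otherwise 'revoked' or 'good'."""
    if crl["nextUpdate"] is not None and now > crl["nextUpdate"]:
        return "stale"
    return "revoked" if int(serial_hex, 16) in crl["revoked"] else "good"

# Constructed sample: UserCert3's serial (from the article) is revoked, UserCert7's is not.
THIS_UPDATE = dt.datetime(2025, 1, 10, 12, 0, 0, tzinfo=dt.timezone.utc)
NEXT_UPDATE = THIS_UPDATE + dt.timedelta(days=7)
SAMPLE_CRL = build_sample_crl([0x713AAF4C804E68E7], THIS_UPDATE, NEXT_UPDATE)
NOW_FRESH = THIS_UPDATE + dt.timedelta(days=1)   # inside the CRL's validity window
NOW_LATE = THIS_UPDATE + dt.timedelta(days=8)    # past nextUpdate: CRL was not refreshed in time

if __name__ == "__main__":
    crl = parse_crl(SAMPLE_CRL)
    print("revoked serials:", [f"{s:X}" for s in crl["revoked"]])
    print("UserCert3:", check_serial(crl, "713AAF4C804E68E7", NOW_FRESH))
    print("UserCert7:", check_serial(crl, "38F43FF76508AF58", NOW_FRESH))
    print("UserCert7 with expired CRL:", check_serial(crl, "38F43FF76508AF58", NOW_LATE))
```

Against a real FortiAuthenticator CRL, do the same inspection from a workstation that can reach the CRL URL: 'curl -fsS http://<FortiAuthenticator_Interface_IP_Address>/app/cert/crl/<rootCA>.crl -o fac.crl' followed by 'openssl crl -in fac.crl -inform DER -noout -text -CAfile ca.pem' (drop '-inform DER' if the export is PEM, and point '-CAfile' at the CA certificate you imported into the FortiGate) prints the revoked serial numbers and the Next Update time and reports whether the CRL signature verifies against that CA. If the Next Update time is close to or earlier than the current time, the update interval on the FortiGate is too long or the FortiAuthenticator is not regenerating the CRL.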

 

Verification Examples:

 

Successful Login (Certificate Not Revoked):

  • Certificate SN: 38F43FF76508AF58
  • Subject: CN=UserCert7
  • Serial number not present in the imported CRL, so the IKE negotiation completes and the tunnel comes up.

 

photo4.png (successful dial-up connection for UserCert7)

 

Revoked Certificates List (FortiGate CRL):

photo5.png (revoked serial numbers as listed under Certificates -> CRL on the FortiGate)

 

IKE debug output (for example 'diagnose debug application ike -1' after 'diagnose debug enable'), certificate accepted:

photo3.png (IKE debug: certificate validated, not revoked)

 

Failed Login (Certificate Revoked):

  • Certificate SN: 713AAF4C804E68E7
  • Subject: CN=UserCert3
  • Serial number present in the imported CRL, so the FortiGate rejects the certificate during IKE authentication and the tunnel is not established.

photo6.png (failed dial-up connection for UserCert3)

 

IKE debug output (same debug commands), certificate rejected:

photo7.png (IKE debug: certificate found in the CRL, authentication fails)