Prerequisites:

• A fully functional dial-up IPsec VPN with certificate-based authentication.
• The CA certificate of the CRL provider was imported into the FortiGate as a trusted CA certificate.

Note:

If the CA certificate of the CRL provider is not imported into the FortiGate, the system will display an error when attempting to import the CRL.

This error will not appear when using the Online Updating Method. Although the configuration will be visible in the CLI, the setup is not functional if the CRL does not show up under Certificates → CRL shortly after the configuration is applied, and the CRL check will not work. If the CRL cannot be imported, the first step is to verify that the correct CA certificate for the CRL provider has been successfully imported into the FortiGate.

1. Importing the CRL Using the File-Based (Manual) Method: 

• On the FortiAuthenticator, go under Certificate Management -> Certificate Authorities -> CRLs -> Local CA -> Select -> Export. A .crl file is now downloaded on the local machine.
• On the FortiGate: go under System -> Certificates -> Create/Import -> CRL -> Import Method: File Based -> Upload.

The downloaded .crl file should be selected and uploaded. Once imported, the CRL will appear in the Certificates -> CRL section. Double-clicking the entry will display the list of revoked certificate serial numbers.

2. Importing the CRL Using the Online Updating Method:

On the FortiAuthenticator, CRL downloads on the interface that will receive requests from the FortiGate must be enabled: go to Network -> Interfaces -> Edit (selected interface) -> Services -> Enable HTTP/HTTPS -> Enable CRL Downloads.

Before configuring the FortiGate, it is recommended to verify the CRL URL in a web browser. A properly configured URL should automatically download the CRL file when accessed.

Correct URL Format: 'http://<FortiAuthenticator_Interface_IP_Address>/app/cert/crl/<rootCA>.crl'.

On the FortiGate: go under System -> Certificates -> Create/Import -> CRL -> Import Method: Online Updating -> HTTP -> URL.

The verified URL must be entered. The imported CRL will now appear in the Certificates -> CRL section.

CLI Configuration Example:

config vpn certificate crl
    edit "CRL_1"
        set range global
        set http-url "http://<FortiAuthenticator_Interface_IP_Address>/app/cert/crl/<rootCA>.crl"
        set update-interval 10
    next
end

Note:

A low update interval ensures the CRL remains current.

config vpn certificate crl
    edit {name}
        set update-interval <in seconds>
        end
end

Verification Examples:

Successful Login (Certificate Not Revoked):

• Certificate SN: 38F43FF76508AF58
• Subject: CN=UserCert7
• Not present in the imported CRL.

• Certificate SN: 713AAF4C804E68E7
• Subject: CN=UserCert3
• Present in the imported CRL.