Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
zzarrouk
Staff
Staff

Created on ‎07-01-2019 05:11 AM Edited on ‎11-23-2021 12:21 AM By Community Manager

Article Id 190669

Technical Tip: FortiGate strict CRL check

Description

This article describes how to make the FortiGate denies access to a website having a revoked certificate.
 
Useful links:
 
 - Fortinet Documentation here.


Solution

By keeping the default configuration, the FortiGate allows access to external resources possessing revoked certificate.


FortiGate does not perform a strict CRL check by default.

 
The following configuration will make the FortiGate perform a strict CRL check:
config vpn certificate setting
    set ocsp-status enable
    set ssl-ocsp-status enable
    set ssl-ocsp-option certificate
    set strict-crl-check enable
    set strict-ocsp-check enable
end
In order to test the configuration, access here.
Labels:
8707
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.