Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vifi
Staff
Staff

Created on ‎11-25-2025 09:20 AM

Article Id 419504

Technical Tip: FortiProxy and Explicit Web Proxy resigned certificate do not support CRL

Description This article describes that currently FortiProxy and Explicit Web Proxy do not support CRL distribution when resigning the certificate with deep inspection in use.
Scope FortiProxy/Explicit Web Proxy.
Solution

FortiProxy or Explicit Web Proxy is used in order to perform deep packet inspection for traffic going to external sites.

The inspection is performed with a custom CA certificate used in SSL/SSH deep inspection profile.


The issue is that the replacement certificate created by the FortiProxy/Explicit Web Proxy during deep inspection doesn't contain CRL.

As a result, the access to websites is failing.

 

Using curl will show the following error:

 

curl -v --connect-timeout 15 -x http://proxy.tech:8080 https://www.heise.de

 

curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012) - The revocation function was unable to check revocation for the certificate.

 

Currently, Explicit Web Proxy and FortiProxy resigned certificate do not support CRL.

 

This feature can be requested by raising a New Feature Request (NFR). Contact a local sales representative to submit an NFR.
54
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.