Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pciurea
Staff
Staff

Created on ‎11-28-2024 05:22 AM

Article Id 360913

Technical Tip: Importing Different CRLs from same issuer

Description This article describes FortiOS behavior when trying to import/use Different CRLs from the same issuer.
Scope FortiGate.
Solution

Importing/using different CRLs from the same issuer is not supported in current FortiOS releases v7.0.x, v7.2.x, v7.4.x, and v7.6.x.

Example for GUI: Importing both base CRL and delta CRL, FortiGate GUI shows only the base CRL in System / Certificates / CRL, and not the delta CRL.

 

Example for non-working CLI configuration:

 

config vpn certificate crl
    edit "CRL_1"
        set range global
        set http-url "http://testcrl.domain.de/certenroll/crltestca(1).crl"
    next
    edit "CRL_2"
        set range global
        set http-url "http://testcrl.domain.de/certenroll/crltestca(1)+.crl"
    next
end

 

Although the configuration is accepted for both the base CRL and delta CRL (crltestca(1)+.crl), enabling crl_update debugging will return the 'CRL with same issuer exists' error:

 

diag debug application crl-update -1

diag debug enable

 

Daemon will show:

 

__http_recv()-407: save(CRL_2) vfid 0 failed: CRL with same issuer exists
crl_update_result()-247: HTTP result=10: CRL with same issuer exists
186
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.