Description | This article describes FortiOS behavior when trying to import/use different CRLs from the same issuer. |
Scope | FortiGate. |
Solution |
Importing/using different CRLs from the same issuer is not supported in current FortiOS releases v7.0.x, v7.2.x, v7.4.x, and v7.6.x.
Example for GUI: when both a base CRL and a delta CRL are imported, the FortiGate GUI shows only the base CRL in System / Certificates / CRL, and not the delta CRL.
Example of a non-working CLI configuration:
config vpn certificate crl
Although the configuration is accepted for both the base CRL and the delta CRL (crltestca(1)+.crl), enabling crl-update debugging returns the 'CRL with same issuer exists' error:
diag debug application crl-update -1
diag debug enable
The daemon will show:
__http_recv()-407: save(CRL_2) vfid 0 failed: CRL with same issuer exists |
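To find which configured CRL entries are being rejected this way, captured crl-update debug output can be scanned for the error shown above. The following is an added example, not Fortinet code: the function name `rejected_crls` is hypothetical, and the sample lines are constructed from the single line format shown in this article (CRL_5 and vfid 1 are made-up values).

```python
import re
from collections import defaultdict

# Line format taken from the debug line quoted in the article:
#   <function>()-<line>: save(<CRL name>) vfid <n> failed: <reason>
SAVE_FAIL = re.compile(
    r"(?P<func>\w+)\(\)-(?P<line>\d+): save\((?P<crl>[^)]+)\) "
    r"vfid (?P<vfid>\d+) failed: (?P<reason>.+)$"
)
DUP_ISSUER = "CRL with same issuer exists"


def rejected_crls(debug_text):
    """Return {vfid: [CRL names]} for CRLs that were not saved because a CRL
    from the same issuer already exists. Repeated failures for the same entry
    (for example, one per update attempt) are reported once, in first-seen order."""
    hits = defaultdict(list)
    for raw in debug_text.splitlines():
        m = SAVE_FAIL.search(raw.strip())
        if not m:
            continue  # unrelated debug output
        if not m.group("reason").startswith(DUP_ISSUER):
            continue  # a different failure reason; out of scope here
        vfid = int(m.group("vfid"))
        name = m.group("crl")
        if name not in hits[vfid]:
            hits[vfid].append(name)
    return dict(hits)


# Constructed sample input. Only the first line appears in the article; the
# others reuse its format with made-up values to exercise de-duplication,
# a second VDOM id, and a line that must be ignored.
SAMPLE = """\
__http_recv()-407: save(CRL_2) vfid 0 failed: CRL with same issuer exists
__http_recv()-407: save(CRL_2) vfid 0 failed: CRL with same issuer exists
__http_recv()-407: save(CRL_5) vfid 1 failed: CRL with same issuer exists
unrelated debug line that does not match the failure format
"""

if __name__ == "__main__":
    for vfid, names in sorted(rejected_crls(SAMPLE).items()):
        print(f"vfid {vfid}: not saved (same issuer already present): {', '.join(names)}")
```

Each name reported is a CRL entry that is configured but not in use, so revocations published only in that file are not being checked by the FortiGate.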