pciurea (Staff)
Article Id: 360913
Description: This article describes FortiOS behavior when trying to import or use different CRLs from the same issuer.
Scope: FortiGate.
Solution

Importing/using different CRLs from the same issuer is not supported in current FortiOS releases v7.0.x, v7.2.x, v7.4.x, and v7.6.x.

Example for the GUI: after importing both a base CRL and a delta CRL, the FortiGate GUI lists only the base CRL under System / Certificates / CRL; the delta CRL does not appear.

Example of a CLI configuration that does not work:

config vpn certificate crl
    edit "CRL_1"
        set range global
        set http-url "http://testcrl.domain.de/certenroll/crltestca(1).crl"
    next
    edit "CRL_2"
        set range global
        set http-url "http://testcrl.domain.de/certenroll/crltestca(1)+.crl"
    next
end

Although the configuration is accepted for both the base CRL and the delta CRL (crltestca(1)+.crl), enabling crl-update debugging returns the 'CRL with same issuer exists' error:

diag debug application crl-update -1
diag debug enable

The daemon will show:

__http_recv()-407: save(CRL_2) vfid 0 failed: CRL with same issuer exists
crl_update_result()-247: HTTP result=10: CRL with same issuer exists
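As an added example (not Fortinet's code and not part of this article), the following Python script, using the cryptography library, builds a base CRL and a delta CRL for a constructed test issuer and applies the same one-CRL-per-issuer rule that FortiOS enforces, so a base/delta pair can be identified before the http-url entries are configured. The issuer name, the CRL numbers and the error wording are assumptions for illustration.

```python
# Added example (not Fortinet code): build a base CRL and a delta CRL for a
# constructed test issuer, then apply the "one CRL per issuer" rule FortiOS
# enforces, so a base/delta pair is spotted before it is configured.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_issuer(cn):
    """Constructed test issuer: a fresh EC key plus a one-attribute name."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def build_crl(key, issuer, crl_number, delta_base=None):
    """Sign a CRL; giving delta_base turns it into a delta CRL (RFC 5280)."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer)
               .last_update(now)
               .next_update(now + timedelta(days=7))
               .add_extension(x509.CRLNumber(crl_number), critical=False))
    if delta_base is not None:
        builder = builder.add_extension(
            x509.DeltaCRLIndicator(delta_base), critical=True)
    return builder.sign(key, hashes.SHA256())

def crl_kind(crl):
    """'delta' if the Delta CRL Indicator extension is present, else 'base'."""
    try:
        crl.extensions.get_extension_for_class(x509.DeltaCRLIndicator)
        return "delta"
    except x509.ExtensionNotFound:
        return "base"

def check_crl_set(named_crls):
    """Return a FortiOS-style error for every CRL whose issuer is already used."""
    # FortiOS keeps one CRL per issuer: the second of a base/delta pair from
    # the same CA is rejected, like CRL_2 in the article above.
    seen, errors = {}, []
    for name, crl in named_crls.items():
        issuer = crl.issuer.rfc4514_string()
        if issuer in seen:
            errors.append(f"save({name}) failed: CRL with same issuer exists "
                          f"({crl_kind(crl)} CRL, issuer already used by {seen[issuer]})")
        else:
            seen[issuer] = name
    return errors
```

Calling check_crl_set({"CRL_1": build_crl(key, name, 1), "CRL_2": build_crl(key, name, 2, 1)}) with one issuer returns a single error for CRL_2, mirroring the crl-update debug output; CRLs from different issuers return an empty list.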