Created on 10-13-2022 03:11 AM Edited on 10-13-2022 03:18 AM By Jean-Philippe_P
Description
Users install server certificates in FortiWeb so that FortiWeb can present them to clients visiting the protected website.
If the certificate itself is invalid, users may get the following error in the browser: Error code: SEC_ERROR_REVOKED_CERTIFICATE. This article describes how to check whether the certificate is the cause.
Scope
FortiWeb.
Solution
In such a case, to determine if the issue is in the certificate itself or in FortiWeb, the 'certutil' tool may be used to check if the certificate is valid.
First, ask the user to provide the certificate as seen by the user. For example, in Google Chrome, select the icon 'Not secure' next to the URL. Then expand to see the details of the certificate and export it as a local file.
Then run the Windows utility 'certutil' below. It will run both CRL and OCSP revocation checks on the certificate. The result will be saved in the output text file. In this example, the certificate file is 'example.crt'.
certutil -verify -urlfetch example.crt >>verify_example.txt
Open the output file and look for any errors. If it failed the revocation check, there may be an error like below:
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
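To read the output file without scanning it by eye, the dwErrorStatus lines can be decoded from their hex value. The following is an added example, not part of the original article or a Fortinet tool: the function name Get-ChainErrorStatus is hypothetical, the sample lines are constructed, and the bit values are the CERT_TRUST_* error flags from wincrypt.h. It separates a certificate the CA has revoked from a revocation check that could not be completed on the machine running certutil.

```powershell
# CERT_TRUST_* error bits from wincrypt.h (subset relevant to this check).
$TrustErrors = @{
    0x00000001 = 'CERT_TRUST_IS_NOT_TIME_VALID'
    0x00000004 = 'CERT_TRUST_IS_REVOKED'
    0x00000008 = 'CERT_TRUST_IS_NOT_SIGNATURE_VALID'
    0x00000020 = 'CERT_TRUST_IS_UNTRUSTED_ROOT'
    0x00000040 = 'CERT_TRUST_REVOCATION_STATUS_UNKNOWN'
    0x00010000 = 'CERT_TRUST_IS_PARTIAL_CHAIN'
    0x01000000 = 'CERT_TRUST_IS_OFFLINE_REVOCATION'
}

# Hypothetical helper: one object per '<Context>.dwErrorStatus = ... (0xN)' line.
function Get-ChainErrorStatus {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '(\w+)\.dwErrorStatus\s*=.*\(0x([0-9a-fA-F]+)\)') {
            $context = $Matches[1]
            $value   = [Convert]::ToInt64($Matches[2], 16)
            # Decode from the hex value, not from the flag name printed on the line.
            $flags = @($TrustErrors.Keys | Sort-Object |
                Where-Object { $value -band $_ } |
                ForEach-Object { $TrustErrors[$_] })
            if ($value -band 0x4) {
                $verdict = 'Revoked by the issuing CA'
            } elseif ($value -band 0x01000040) {
                $verdict = 'Revocation status could not be determined from this host'
            } else {
                $verdict = 'Other chain error'
            }
            [pscustomobject]@{
                Context = $context
                Value   = '0x{0:x}' -f $value
                Flags   = $flags -join ', '
                Verdict = $verdict
            }
        }
    }
}

# Constructed sample in the format of verify_example.txt (not real output).
$sample = @'
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
'@ -split "\r?\n"

# Real use: Get-ChainErrorStatus -Lines (Get-Content .\verify_example.txt)
Get-ChainErrorStatus -Lines $sample | Format-Table -AutoSize
```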
The tool can also be run in GUI mode with the command below. After the GUI window opens, select the option 'CRL' or 'OCSP' and then 'Retrieve' to perform the verification.
certutil -v -url example.crt