We are using a SSL VPN with users authenticating against AD with LDAPS. I have enabled the "Require client certificate" option in the VPN SSL Settings. I have installed the root certificate from our internal CA on the Fortigate and have installed "Workstation Authentication" certificates from our internal CA on all of our client machines and checked the box to "Allow Non-Administrators to Use Machine Certificates" in the EMS deployed SSL VPN Client Profile. This is all working perfectly and clients are able to connect successfully. The issue I am having is that if I revoke one of the machine certificates from our internal CA, the machine can still connect successfully. I would have expected a machine without a valid certificate from our CA to be denied.
I have configured the CRL on the Fortigate to auto check the internal CA's CRL. If I check the CRL on the Fortigate under System -> Certificates -> CRL, it shows that it is connected successfully and I can actually see the revoked certificate in the CRL list there, so it appears to be accurate and functioning correctly.
I'm using FortiOS 7.06, FortiEMS 7.06, and FortiClient 7.06. I checked known issues for each of those releases and can't find any bugs related to this. What am I doing wrong?
Thanks!
Solved! Go to Solution.
I think I got it figured out. It was not a Fortinet issue, I'm just . Did some testing today with the client and it appears to be working correctly. The issue was me simply not allowing enough time for the CRL to publish. I had incorrectly assumed that once you revoke a certificate, Windows would immediately publish the updated CRL. However, this is not the case, you must manually publish the updated CRL afterwards by either by right clicking revoked certificates -> All Tasks -> Publish, or by running the "certutil -CRL" command, on the certificate server to force the publication, otherwise it won't update until its next scheduled update interval, which by default is one day. Sorry guys.
are you sure the clients are using the machine cert? Is it possible they are selecting a user cert?
They are definitely selecting a computer certificate.
I think I got it figured out. It was not a Fortinet issue, I'm just . Did some testing today with the client and it appears to be working correctly. The issue was me simply not allowing enough time for the CRL to publish. I had incorrectly assumed that once you revoke a certificate, Windows would immediately publish the updated CRL. However, this is not the case, you must manually publish the updated CRL afterwards by either by right clicking revoked certificates -> All Tasks -> Publish, or by running the "certutil -CRL" command, on the certificate server to force the publication, otherwise it won't update until its next scheduled update interval, which by default is one day. Sorry guys.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.