FortiNet_Newb
Contributor

SSL VPN - Machines with Revoked Certificates can still Connect

We are using an SSL VPN with users authenticating against AD with LDAPS.  I have enabled the "Require client certificate" option in the VPN SSL Settings.  I have installed the root certificate from our internal CA on the FortiGate and have installed "Workstation Authentication" certificates from our internal CA on all of our client machines and checked the box to "Allow Non-Administrators to Use Machine Certificates" in the EMS-deployed SSL VPN Client Profile.  This is all working perfectly and clients are able to connect successfully.  The issue I am having is that if I revoke one of the machine certificates from our internal CA, the machine can still connect successfully.  I would have expected a machine without a valid certificate from our CA to be denied.


I have configured the CRL on the FortiGate to auto-check the internal CA's CRL.  If I check the CRL on the FortiGate under System -> Certificates -> CRL, it shows that it is connected successfully and I can actually see the revoked certificate in the CRL list there, so it appears to be accurate and functioning correctly.


I'm using FortiOS 7.06, FortiEMS 7.06, and FortiClient 7.06.  I checked known issues for each of those releases and can't find any bugs related to this.  What am I doing wrong?


Thanks!


3 Replies
gfleming
Staff

Are you sure the clients are using the machine cert? Is it possible they are selecting a user cert?

Cheers,
Graham
FortiNet_Newb
Contributor

They are definitely selecting a computer certificate.  

FortiNet_Newb
Contributor

I think I got it figured out.  It was not a Fortinet issue, I'm just .  Did some testing today with the client and it appears to be working correctly.  The issue was me simply not allowing enough time for the CRL to publish.  I had incorrectly assumed that once you revoke a certificate, Windows would immediately publish the updated CRL.  However, this is not the case: you must manually publish the updated CRL afterwards, either by right-clicking Revoked Certificates -> All Tasks -> Publish, or by running the "certutil -CRL" command on the certificate server to force the publication.  Otherwise it won't update until its next scheduled update interval, which by default is one day.  Sorry guys.
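As an added check that is not part of the thread (example code, not from Fortinet or the poster): this PowerShell script fetches the CRL from the CA's distribution point, dumps it with certutil, and tells you whether the serial you just revoked is actually in the published CRL and when the next scheduled publication is due. The CRL URL and serial number are placeholders you replace with your own values; certutil output parsing is based on its usual "ThisUpdate"/"NextUpdate"/"Serial Number" lines and is an assumption.

```powershell
# Added example: verify that a revoked machine certificate has reached the published CRL
# before expecting the FortiGate to reject it. Placeholders: $CrlUrl and $RevokedSerial.
param(
    [string]$CrlUrl        = 'http://pki.example.internal/CertEnroll/Internal-CA.crl',  # placeholder CDP URL
    [string]$RevokedSerial = '1a00000000c0ffee'                                        # placeholder serial from the CA's Revoked Certificates list
)

# Download the CRL exactly as the FortiGate would see it (no local CA cache involved)
$crlFile = Join-Path $env:TEMP 'crl-check.crl'
Invoke-WebRequest -Uri $CrlUrl -OutFile $crlFile -UseBasicParsing

# certutil -dump prints the CRL header (ThisUpdate/NextUpdate) and one "Serial Number:" line per revoked entry
$dump = certutil.exe -dump $crlFile | Out-String

# Tolerate "ThisUpdate:" and "This Update:" spellings in the dump output (assumption)
$thisUpdate = [regex]::Match($dump, 'This\s*Update:\s*(.+)').Groups[1].Value.Trim()
$nextUpdate = [regex]::Match($dump, 'Next\s*Update:\s*(.+)').Groups[1].Value.Trim()
$serials    = [regex]::Matches($dump, 'Serial Number:\s*([0-9a-fA-F]+)') |
              ForEach-Object { $_.Groups[1].Value.ToLower() }

"CRL published (ThisUpdate):              $thisUpdate"
"Next scheduled publication (NextUpdate): $nextUpdate"
"Revoked entries in this CRL:             $($serials.Count)"

if ($serials -contains $RevokedSerial.ToLower()) {
    "Serial $RevokedSerial IS in the published CRL. The FortiGate will reject it once it refreshes its copy."
} else {
    "Serial $RevokedSerial is NOT in the published CRL yet. Run 'certutil -CRL' on the CA (or wait until NextUpdate) and re-check."
}
```

Remember that the FortiGate keeps its own cached copy of the CRL, so even after publishing you may need to wait for (or trigger) its CRL refresh before the connection is refused.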
