Online updates to certificates and CRLs

If you obtained your local or CA certificate using SCEP, you can configure online renewal of the certificate before it expires. Similarly, you can receive online updates to CRLs.

Local certificates

In the config vpn certificate local command, you can specify automatic certificate renewal. The relevant fields are:

Variable                                  Description

scep-url <URL_str>                        The URL of the SCEP server. This can be HTTP or HTTPS. The following options appear after you add the <URL_str>.

scep-password <password_str>              The password for the SCEP server.

auto-regenerate-days <days_int>           How many days before expiry the FortiGate unit requests an updated local certificate. The default is 0, no auto-update.

auto-regenerate-days-warning <days_int>   How many days before local certificate expiry the FortiGate generates a warning message. The default is 0, no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate local
    edit mycert
        set scep-url http://scep.example.com/scep
        set scep-password my_pass_123
        set auto-regenerate-days 3
        set auto-regenerate-days-warning 2
end

CA certificates

In the config vpn certificate ca command, you can specify automatic certificate renewal. The relevant fields are:

Variable                                  Description

scep-url <URL_str>                        The URL of the SCEP server. This can be HTTP or HTTPS.

auto-update-days <days_int>               How many days before expiry the FortiGate unit requests an updated CA certificate. The default is 0, no auto-update.

auto-update-days-warning <days_int>       How many days before CA certificate expiry the FortiGate generates a warning message. The default is 0, no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate ca
    edit mycert
        set scep-url http://scep.example.com/scep
        set auto-update-days 3
        set auto-update-days-warning 2
end
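The threshold fields in the local and CA sections above share one rule: 0 disables the feature, otherwise the unit acts once the days left fall to the configured value. The following is an added example, not FortiOS code, that models those thresholds offline so an operator can see what a given expiry date would trigger; the input format is the notAfter line printed by `openssl x509 -noout -enddate`, and the sample date is constructed.

```python
# Added example (not FortiOS code): models the auto-regenerate-days /
# auto-update-days and matching *-warning thresholds described on this page.
import ssl
from datetime import datetime, timezone

# Constructed sample: the line printed by `openssl x509 -noout -enddate`.
SAMPLE_ENDDATE = "notAfter=Jun 30 12:00:00 2025 GMT"


def days_until_expiry(enddate_line: str, now: datetime) -> int:
    """Parse an OpenSSL 'notAfter=<stamp>' line and return whole days left.

    Negative values mean the certificate has already expired.
    """
    _, _, stamp = enddate_line.partition("=")
    # ssl.cert_time_to_seconds understands the OpenSSL "%b %d %H:%M:%S %Y GMT" form.
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(stamp), tz=timezone.utc)
    return (expiry - now).days


def renewal_status(days_left: int, auto_days: int, warning_days: int) -> str:
    """Apply the documented thresholds (assumed: 0 means disabled, as the defaults state).

    Returns one of: 'expired', 'renew', 'warn', 'ok'.
    The renewal check runs first, so with auto_days=3 and warning_days=2
    (the page's example values) a renewal request is raised before a warning
    would ever fire.
    """
    if days_left < 0:
        return "expired"
    if auto_days and days_left <= auto_days:
        return "renew"
    if warning_days and days_left <= warning_days:
        return "warn"
    return "ok"


if __name__ == "__main__":
    now = datetime(2025, 6, 27, 12, 0, tzinfo=timezone.utc)  # constructed "today"
    left = days_until_expiry(SAMPLE_ENDDATE, now)
    print(left, renewal_status(left, 3, 2))   # page example values
    print(left, renewal_status(left, 0, 0))   # factory defaults: nothing happens
```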

Certificate Revocation Lists

If you obtained your CRL using SCEP, you can configure online updates to the CRL using the config vpn certificate crl command. The relevant fields are:

Variable                                  Description

http-url <http_url>                       URL of the server used for automatic CRL certificate updates. This can be HTTP or HTTPS.

scep-cert <scep_certificate>              Local certificate used for SCEP communication for CRL auto-update.

scep-url <scep_url>                       URL of the SCEP CA server used for automatic CRL certificate updates. This can be HTTP or HTTPS.

update-interval <seconds>                 How frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires. Not available for http URLs.

update-vdom <update_vdom>                 VDOM used to communicate with the remote SCEP server for CRL auto-update.

In this example, an updated CRL is requested only when it expires.

config vpn certificate crl
    edit cert_crl
        set http-url http://scep.example.com/scep
        set scep-cert my-scep-cert
        set scep-url http://scep.ca.example.com/scep
        set update-interval 0
        set update-vdom root
end


14 thoughts on “Online updates to certificates and CRLs”

  1. Hi Mike,

    how can I request (first time) certificate from scep server, I want to set up an ipsec tunnel between fortigates with certificates.
    Maybe you have some cli commands / recommendations for me ? thanks

  2. Hi Mike ,

    got it working with a microsoft 2012r2 enterprise ca with Network Device Enrollment Services with no issues

    Do you know what happens with an ipsec tunnel with certificates if the crl is not valid and the unit can not retrieve the crl ?

    can I manually install the certificate, and then make the renewal of the certificate with scep ?

    have you seen ipsec site2sites deployments with certificates ? any doubt ?
    Thanks

    • Piccolo,

      I’m not sure on some of your questions so I have reached out to my engineer @ Fortinet. Most site 2 site deployments of VPN’s I have seen are without certificates. They usually utilize a pre-shared key.

  3. what has priority with the crl download ?
    http or scep.

    if scep is not available, will it then try scep or vice versa ?

    thanks

  4. Hi Mike,
    got OCSP with Microsoft Ca working
    for SCEP Certificate renewals I have followed this link http://www.petenetlive.com/KB/Article/0000947

    -Piccolo
