Online updates to certificates and CRLs

Online updates to certificates and CRLs

If you obtained your local or CA certificate using SCEP, you can configure online renewal of the certificate before it expires. Similarly, you can receive online updates to CRLs.

 

Local certificates

In the config vpn certificate local command, you can specify automatic certificate renewal. The relevant fields are:

scep-url <URL_str>             The URL of the SCEP server. This can be HTTP or HTTPS. The following options appear after you add the <URL_str>.

scep-password <password_str>  The password for the SCEP server.

auto-regenerate-days <days_

int>

How many days before expiry the FortiGate unit requests an updated local certificate. The default is 0, no auto-update.

auto-regenerate-days-warning

<days_int>

How many days before local certificate expiry the FortiGate gen- erates a warning message. The default is 0, no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate local edit mycert

set scep-url http://scep.example.com/scep set scep-server-password my_pass_123

set auto-regenerate-days 3

set auto-regenerate-days-warning 2 end

 

CA certificates

In the config vpn certificate ca command, you can specify automatic certificate renewal. The relevant fields are:

 

Variable                                                    Description

scep-url <URL_str>             The URL of the SCEP server. This can be HTTP or HTTPS.

 

Variable                                                    Description

auto-update-days <days_int>   How many days before expiry the FortiGate unit requests an updated CA certificate. The default is 0, no auto-update.

auto-update-days-warning

<days_int>

How many days before CA certificate expiry the FortiGate gen- erates a warning message. The default is 0,no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate ca edit mycert

set scep-url http://scep.example.com/scep set auto-update-days 3

set auto-update-days-warning 2 end

 

Certificate Revocation Lists

If you obtained your CRL using SCEP, you can configure online updates to the CRL using the config vpn certificate crl command. The relevant fields are:

 

Variable                                                    Description

http-url <http_url>            URL of the server used for automatic CRL certificate updates.

This can be HTTP or HTTPS.

scep-cert <scep_certificate>  Local certificate used for SCEP communication for CRL auto- update.

scep-url <scep_url>            URL of the SCEP CA server used for automatic CRL certificate updates. This can be HTTP or HTTPS.

update-interval <seconds>

How frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires. Not available for http URLs.

update-vdom <update_vdom>      VDOM used to communicate with remote SCEP server for CRL

auto-update.

In this example, an updated CRL is requested only when it expires.

config vpn certificate crl edit cert_crl

set http-url http://scep.example.com/scep set scep-cert my-scep-cert

set scep-url http://scep.ca.example.com/scep set update-interval 0

set update-vdom root end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU