Online updates to certificates and CRLs
Online updates to certificates and CRLs
If you obtained your local or CA certificate using SCEP, you can configure online renewal of the certificate before it expires. Similarly, you can receive online updates to CRLs.
Local certificates
In the config vpn certificate local command, you can specify automatic certificate renewal. The relevant fields are:
scep-url <URL_str> The URL of the SCEP server. This can be HTTP or HTTPS. The following options appear after you add the <URL_str>.
scep-password <password_str> The password for the SCEP server.
auto-regenerate-days <days_
int>
How many days before expiry the FortiGate unit requests an updated local certificate. The default is 0, no auto-update.
auto-regenerate-days-warning
<days_int>
How many days before local certificate expiry the FortiGate gen- erates a warning message. The default is 0, no warning.
In this example, an updated certificate is requested three days before it expires.
config vpn certificate local edit mycert
set scep-url http://scep.example.com/scep set scep-server-password my_pass_123
set auto-regenerate-days 3
set auto-regenerate-days-warning 2 end
CA certificates
In the config vpn certificate ca command, you can specify automatic certificate renewal. The relevant fields are:
Variable Description
scep-url <URL_str> The URL of the SCEP server. This can be HTTP or HTTPS.
Variable Description
auto-update-days <days_int> How many days before expiry the FortiGate unit requests an updated CA certificate. The default is 0, no auto-update.
auto-update-days-warning
<days_int>
How many days before CA certificate expiry the FortiGate gen- erates a warning message. The default is 0,no warning.
In this example, an updated certificate is requested three days before it expires.
config vpn certificate ca edit mycert
set scep-url http://scep.example.com/scep set auto-update-days 3
set auto-update-days-warning 2 end
Certificate Revocation Lists
If you obtained your CRL using SCEP, you can configure online updates to the CRL using the config vpn certificate crl command. The relevant fields are:
Variable Description
http-url <http_url> URL of the server used for automatic CRL certificate updates.
This can be HTTP or HTTPS.
scep-cert <scep_certificate> Local certificate used for SCEP communication for CRL auto- update.
scep-url <scep_url> URL of the SCEP CA server used for automatic CRL certificate updates. This can be HTTP or HTTPS.
update-interval <seconds>
How frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires. Not available for http URLs.
update-vdom <update_vdom> VDOM used to communicate with remote SCEP server for CRL
auto-update.
In this example, an updated CRL is requested only when it expires.
config vpn certificate crl edit cert_crl
set http-url http://scep.example.com/scep set scep-cert my-scep-cert
set scep-url http://scep.ca.example.com/scep set update-interval 0
set update-vdom root end
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos
Hi Mike,
how can I request (first time) certificate from scep server, I want to set up an ipsec tunnel between fortigates with certificates.
Maybe you have some cli commands / recommendations for me ? thanks
Piccolo,
You are wanting the FortiGate to request the cert for authentication and authorization purposes? Or do you want to generate a cert on the SCEP server in order to setup the tunnel later?
Hi,
i would like that the fortigate unit requests the certificate from the scep server.
Cert is used for the ipsec tunnel (site2site)
thanks
Piccolo,
Are you still running 5.2.x code?
HI,
I am running 5.4.1, thanks
Piccolo,
If you check out THIS LINK HERE and go to page 702 you will see where you can set these settings to your liking. Let me know if you have any questions or concerns!
thanks, I will try it the next day and will keep you up2date.
Regards
Thanks so much Piccolo! I look forward to hearing if you were able to solve your problem. If not, let me know what snags you hit and we can figure something out!
cool, 10 virtual beers for your patience
Hi Mike ,
got it working with a microsoft 2012r2 enterprise ca with Network Device Enrollment Services with no issues
Do you know what happens with a ipsec tunnel with certificates if the crl is not valid and the unit can not retrieve the crl ?
can i manually install the certificate, and then make the renewal of the certificate with scep ?
have you seen ipsec site2sites deployments with certificates ? any doubt ?
Thanks
Piccolo,
I’m not sure on some of your questions so I have reached out to my engineer @ Fortinet. Most site 2 site deployments of VPN’s I have seen are without certificates. They usually utilize a pre-shared key.
what has priority with the crl download ?
http or scep.
if scep is not avaiable, will it then try scep or vice versa ?
thanks
Hi Mike,
got OCSP with Microsoft Ca working
for SCEP Certificate renewals I have followed this link http://www.petenetlive.com/KB/Article/0000947
-Piccolo
Awesome! That makes me happy to hear!
Fortinet SE was telling me they can’t use https only http. Did you get https to work?