Online updates to certificates and CRLs
If you obtained your local or CA certificate using SCEP, you can configure online renewal of the certificate before it expires. Similarly, you can receive online updates to CRLs.
Local certificates
In the config vpn certificate local command, you can specify automatic certificate renewal. The relevant fields are:
Variable Description
scep-url <URL_str>  The URL of the SCEP server. This can be HTTP or HTTPS. The following options appear after you add the <URL_str>.
scep-password <password_str>  The password for the SCEP server.
auto-regenerate-days <days_int>  How many days before expiry the FortiGate unit requests an updated local certificate. The default is 0, no auto-update.
auto-regenerate-days-warning <days_int>  How many days before local certificate expiry the FortiGate generates a warning message. The default is 0, no warning.
In this example, an updated certificate is requested three days before it expires.
config vpn certificate local
    edit mycert
        # field name as listed in the table above (scep-password)
        set scep-url http://scep.example.com/scep
        set scep-password my_pass_123
        set auto-regenerate-days 3
        set auto-regenerate-days-warning 2
    end
CA certificates
In the config vpn certificate ca command, you can specify automatic certificate renewal. The relevant fields are:
Variable Description
scep-url <URL_str>  The URL of the SCEP server. This can be HTTP or HTTPS.
auto-update-days <days_int>  How many days before expiry the FortiGate unit requests an updated CA certificate. The default is 0, no auto-update.
auto-update-days-warning <days_int>  How many days before CA certificate expiry the FortiGate generates a warning message. The default is 0, no warning.
In this example, an updated certificate is requested three days before it expires.
config vpn certificate ca
    edit mycert
        set scep-url http://scep.example.com/scep
        set auto-update-days 3
        set auto-update-days-warning 2
    end
Certificate Revocation Lists
If you obtained your CRL using SCEP, you can configure online updates to the CRL using the config vpn certificate crl command. The relevant fields are:
Variable Description
http-url <http_url>  URL of the server used for automatic CRL certificate updates. This can be HTTP or HTTPS.
scep-cert <scep_certificate>  Local certificate used for SCEP communication for CRL auto-update.
scep-url <scep_url>  URL of the SCEP CA server used for automatic CRL certificate updates. This can be HTTP or HTTPS.
update-interval <seconds>  How frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires. Not available for http URLs.
update-vdom <update_vdom>  VDOM used to communicate with the remote SCEP server for CRL auto-update.
In this example, an updated CRL is requested only when it expires.
config vpn certificate crl
    edit cert_crl
        set http-url http://scep.example.com/scep
        set scep-cert my-scep-cert
        set scep-url http://scep.ca.example.com/scep
        set update-interval 0
        set update-vdom root
    end
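The three CLI blocks above (local certificate, CA certificate and CRL) are easy to get subtly wrong when they are pasted into many units: a non-HTTP(S) URL, a negative day count, or a CRL polling interval on a configuration that has no SCEP URL. The following script is an added example, not Fortinet code and not part of the original page: it generates those blocks from parameters and enforces the constraints the tables state (HTTP or HTTPS only, 0 as the "disabled" default, update-interval not usable without a SCEP URL, which is this example's reading of "Not available for http URLs"). Function names, the use of `next` to close each edit entry, and the whitespace rule for unquoted values are this example's own choices.

```python
"""Constructed helper that emits FortiOS CLI blocks for SCEP online updates
of local certificates, CA certificates and CRLs, and validates the values
against the constraints the documentation tables give. Not Fortinet code."""
from typing import List, Optional
from urllib.parse import urlparse


def check_url(url: str, field: str) -> str:
    """Every URL field in the tables accepts HTTP or HTTPS only."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"{field}: expected an http:// or https:// URL, got {url!r}")
    return url


def check_days(days: int, field: str) -> int:
    """Day counts are whole numbers; 0 is the documented default (feature off)."""
    if isinstance(days, bool) or not isinstance(days, int) or days < 0:
        raise ValueError(f"{field}: expected a non-negative integer, got {days!r}")
    return days


def check_token(value: str, field: str) -> str:
    """Names, passwords and VDOMs are emitted unquoted (as in the page's
    examples), so this example refuses values containing whitespace."""
    if not value or any(ch.isspace() for ch in value):
        raise ValueError(f"{field}: value must be non-empty with no whitespace")
    return value


def _block(table: str, name: str, settings: List[str]) -> str:
    # 'next' is the usual FortiOS way to close an edit entry; the page's own
    # examples go straight to 'end', which also commits the entry.
    lines = [f"config vpn certificate {table}", f"    edit {check_token(name, 'name')}"]
    lines += [f"        set {s}" for s in settings]
    lines += ["    next", "end"]
    return "\n".join(lines)


def local_cert_script(name: str, scep_url: str, scep_password: str,
                      regenerate_days: int = 0, warning_days: int = 0) -> str:
    """config vpn certificate local: renewal of a SCEP-enrolled local cert."""
    settings = [
        f"scep-url {check_url(scep_url, 'scep-url')}",
        f"scep-password {check_token(scep_password, 'scep-password')}",
        f"auto-regenerate-days {check_days(regenerate_days, 'auto-regenerate-days')}",
        f"auto-regenerate-days-warning "
        f"{check_days(warning_days, 'auto-regenerate-days-warning')}",
    ]
    return _block("local", name, settings)


def ca_cert_script(name: str, scep_url: str,
                   update_days: int = 0, warning_days: int = 0) -> str:
    """config vpn certificate ca: renewal of a SCEP-obtained CA cert."""
    settings = [
        f"scep-url {check_url(scep_url, 'scep-url')}",
        f"auto-update-days {check_days(update_days, 'auto-update-days')}",
        f"auto-update-days-warning {check_days(warning_days, 'auto-update-days-warning')}",
    ]
    return _block("ca", name, settings)


def crl_script(name: str, http_url: Optional[str] = None, scep_cert: Optional[str] = None,
               scep_url: Optional[str] = None, update_interval: int = 0,
               update_vdom: str = "root") -> str:
    """config vpn certificate crl: online CRL updates. update-interval 0 means
    'refresh only when the CRL expires'."""
    if http_url is None and scep_url is None:
        raise ValueError("crl: at least one of http-url or scep-url is required")
    if isinstance(update_interval, bool) or not isinstance(update_interval, int) \
            or update_interval < 0:
        raise ValueError(f"update-interval: expected seconds >= 0, got {update_interval!r}")
    # Assumption: the table's "Not available for http URLs" means a periodic
    # interval only applies when a SCEP URL is configured.
    if update_interval and scep_url is None:
        raise ValueError("update-interval: a non-zero interval requires scep-url")
    settings: List[str] = []
    if http_url is not None:
        settings.append(f"http-url {check_url(http_url, 'http-url')}")
    if scep_cert is not None:
        settings.append(f"scep-cert {check_token(scep_cert, 'scep-cert')}")
    if scep_url is not None:
        settings.append(f"scep-url {check_url(scep_url, 'scep-url')}")
    settings.append(f"update-interval {update_interval}")
    settings.append(f"update-vdom {check_token(update_vdom, 'update-vdom')}")
    return _block("crl", name, settings)


if __name__ == "__main__":
    # Reproduces the three examples on this page (constructed sample values).
    print(local_cert_script("mycert", "http://scep.example.com/scep", "my_pass_123", 3, 2))
    print(ca_cert_script("mycert", "http://scep.example.com/scep", 3, 2))
    print(crl_script("cert_crl", http_url="http://scep.example.com/scep",
                     scep_cert="my-scep-cert", scep_url="http://scep.ca.example.com/scep",
                     update_interval=0, update_vdom="root"))
```

Run it to print the three blocks for pasting into the CLI; the validation functions raise before any text is produced, so a bad URL scheme or a negative day count never reaches the device.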