Online updates to certificates and CRLs
If you obtained your local or CA certificate using SCEP, you can configure online renewal of the certificate before it expires. Similarly, you can receive online updates to CRLs.
Local certificates
In the config vpn certificate local command, you can specify automatic certificate renewal. The relevant fields are:
Variable                                  Description
scep-url <URL_str>                        The URL of the SCEP server. This can be HTTP or HTTPS. The following options appear after you add the <URL_str>.
scep-password <password_str>              The password for the SCEP server.
auto-regenerate-days <days_int>           How many days before expiry the FortiGate unit requests an updated local certificate. The default is 0, no auto-update.
auto-regenerate-days-warning <days_int>   How many days before local certificate expiry the FortiGate generates a warning message. The default is 0, no warning.
In this example, an updated certificate is requested three days before it expires.
config vpn certificate local
    edit mycert
        set scep-url http://scep.example.com/scep
        set scep-password my_pass_123
        set auto-regenerate-days 3
        set auto-regenerate-days-warning 2
    next
end
CA certificates
In the config vpn certificate ca command, you can specify automatic certificate renewal. The relevant fields are:
Variable                              Description
scep-url <URL_str>                    The URL of the SCEP server. This can be HTTP or HTTPS.
auto-update-days <days_int>           How many days before expiry the FortiGate unit requests an updated CA certificate. The default is 0, no auto-update.
auto-update-days-warning <days_int>   How many days before CA certificate expiry the FortiGate generates a warning message. The default is 0, no warning.
In this example, an updated certificate is requested three days before it expires.
config vpn certificate ca
    edit mycert
        set scep-url http://scep.example.com/scep
        set auto-update-days 3
        set auto-update-days-warning 2
    next
end
Certificate Revocation Lists
If you obtained your CRL using SCEP, you can configure online updates to the CRL using the config vpn certificate crl command. The relevant fields are:
Variable                        Description
http-url <http_url>             URL of the server used for automatic CRL updates. This can be HTTP or HTTPS.
scep-cert <scep_certificate>    Local certificate used for SCEP communication for CRL auto-update.
scep-url <scep_url>             URL of the SCEP CA server used for automatic CRL updates. This can be HTTP or HTTPS.
update-interval <seconds>       How frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires. Not available for http URLs.
update-vdom <update_vdom>       VDOM used to communicate with the remote SCEP server for CRL auto-update.
In this example, an updated CRL is requested only when it expires.
config vpn certificate crl
    edit cert_crl
        set http-url http://scep.example.com/scep
        set scep-cert my-scep-cert
        set scep-url http://scep.ca.example.com/scep
        set update-interval 0
        set update-vdom root
    next
end
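As an added example (not Fortinet's code or documentation), a small Python linter that parses config blocks in the form used by the three examples above and reports the renewal fields of all three tables that are left at the documented default of 0. The sample config it runs on is constructed for the example.

```python
# Lint FortiGate 'config vpn certificate local|ca|crl' renewal settings.
# Per the tables above, 0 is the default and means "off"; for update-interval
# it means the CRL is refreshed only when it expires.
ZERO_MEANINGS = {
    "vpn certificate local": {
        "auto-regenerate-days": "no automatic local certificate renewal",
        "auto-regenerate-days-warning": "no local certificate expiry warning"},
    "vpn certificate ca": {
        "auto-update-days": "no automatic CA certificate renewal",
        "auto-update-days-warning": "no CA certificate expiry warning"},
    "vpn certificate crl": {"update-interval": "CRL refreshed only at expiry"},
}

# Constructed sample (not from a real unit): local cert renews 3 days early
# but has no warning configured; the CRL only refreshes when it expires.
SAMPLE_CONFIG = """\
config vpn certificate local
    edit mycert
        set scep-url http://scep.example.com/scep
        set auto-regenerate-days 3
    next
end
config vpn certificate crl
    edit cert_crl
        set scep-url http://scep.ca.example.com/scep
        set update-interval 0
    next
end
"""

def parse_config(text):
    """Map (table, entry name) -> {field: value} from config/edit/set/next/end."""
    entries, table, name = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            table = line[len("config "):]
        elif line.startswith("edit ") and table:
            name = line[len("edit "):].strip('"')
            entries[(table, name)] = {}
        elif line.startswith("set ") and name:
            field, _, value = line[len("set "):].partition(" ")
            entries[(table, name)][field] = value.strip().strip('"')
        elif line in ("next", "end"):  # leave the current edit context
            name = None
    return entries

def lint(entries):
    """List renewal fields left at 0 (unset fields take the page's default, 0)."""
    return [f"{table} {name}: {field}=0, {meaning}"
            for (table, name), fields in entries.items()
            for field, meaning in ZERO_MEANINGS.get(table, {}).items()
            if int(fields.get(field, 0)) == 0]
```

Running `lint(parse_config(SAMPLE_CONFIG))` reports the missing local-certificate warning and the expiry-only CRL refresh, which is the kind of review worth doing before relying on SCEP renewal for an IPsec tunnel certificate.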
Hi Mike,
How can I request (for the first time) a certificate from the SCEP server? I want to set up an IPsec tunnel between FortiGates with certificates.
Maybe you have some CLI commands / recommendations for me? Thanks
Piccolo,
You are wanting the FortiGate to request the cert for authentication and authorization purposes? Or do you want to generate a cert on the SCEP server in order to setup the tunnel later?
Hi,
I would like the FortiGate unit to request the certificate from the SCEP server.
The cert is used for the IPsec tunnel (site2site).
thanks
Piccolo,
Are you still running 5.2.x code?
Hi,
I am running 5.4.1, thanks
Piccolo,
If you check out THIS LINK HERE and go to page 702 you will see where you can set these settings to your liking. Let me know if you have any questions or concerns!
thanks, I will try it the next day and will keep you up2date.
Regards
Thanks so much Piccolo! I look forward to hearing if you were able to solve your problem. If not, let me know what snags you hit and we can figure something out!
cool, 10 virtual beers for your patience
Hi Mike ,
Got it working with a Microsoft 2012 R2 Enterprise CA with Network Device Enrollment Services with no issues.
Do you know what happens to an IPsec tunnel with certificates if the CRL is not valid and the unit cannot retrieve the CRL?
Can I manually install the certificate, and then do the renewal of the certificate with SCEP?
Have you seen IPsec site2site deployments with certificates? Any doubts?
Thanks
Piccolo,
I'm not sure on some of your questions so I have reached out to my engineer @ Fortinet. Most site-to-site VPN deployments I have seen are without certificates. They usually utilize a pre-shared key.
What has priority for the CRL download?
HTTP or SCEP.
If SCEP is not available, will it then try SCEP, or vice versa?
thanks
Hi Mike,
Got OCSP with Microsoft CA working.
For SCEP certificate renewals I have followed this link: http://www.petenetlive.com/KB/Article/0000947
-Piccolo
Awesome! That makes me happy to hear!
Fortinet SE was telling me they can't use HTTPS, only HTTP. Did you get HTTPS to work?