FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dalten
Staff
Staff
Article Id 197088
Purpose
This articles will show the configuration necessary to enable CRL updates using LDAP, in a Microsoft CA environment.

Expectations, Requirements
The following information is required:
  • CA certificate file
  • CRL file (optional)
  • LDAP server addresses or DNS names to be used for retrieving the CRL
  • LDAP server username and password for connectivity (required by Microsoft Active Directory)
  • LDAP object location where the CRL is stored

Configuration
Using the GUI, go to System, Config, Features, and make sure you have "Certificates" enabled.
Import the CA file. This is performed under System, Config, Certificates. You can rename the system generated name to be more descriptive, by using the CLI:

FGT # config vpn certificate ca
FGT (ca) # rename CA_Cert_1 to Example-CA
FGT (ca) # end

Next, create the LDAP object that will be used to retrieve the CRLs. For this we require the full LDAP path where the CRL is located. This can be obtained by the following means:
  • The CA administrator
  • The CA website
  • The CRL file itself
  • An issued certificate from that CA

If you have the CRL file, you can import it directly by choosing Local PC in the System, Certificates, CRL page. Then, go to view it and you should see the LDAP location (as seen in the verification section further below).

Here is a screenshot of the CRL location, from a webserver certificateHere is a screenshot of the CRL location, from a CRL file
dalten_FD35052_example-crl.PNG
dalten_FD35052_example-crl2.PNG


NOTE: If you select the highlighted section above, you can copy and paste it by using Control-C.

In this case, the CRL path is:
CN=Example%20Root%20Authority,CN=vsrvz-svb25,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=org

However, we must replace each "%20" instance with a space, which yields this CRL path:
CN=Example Root Authority,CN=vsrvz-svb25,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=org

Using the GUI, go to User&Device, Authentication, LDAP servers, and click "Create New." Provide the LDAP server information, and the Distinguished Name is the path above. The Bind Type can be left to the default (Simple,) as the LDAP account information will be provided in the CRL section.

dalten_FD35052_LDAP-CRL.PNG

config user ldap
    edit "LDAP-CRL"
        set server "10.150.0.55"
        set cnid "cn"
        set dn "CN=Example Root Authority,CN=vsrvz-svb25,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=org"
        set port 636
        set secure ldaps
        set ca-cert "Example-CA"
    next
end
If you imported the CRL, you must edit the entry and select the LDAP server and enter the fully qualified LDAP username and password.

dalten_FD35052_update-crl.PNG


You can also create the CRL entry via the CLI:

config vpn certificate crl
    edit "CRL_1"
        set ldap-server "LDAP-CRL"
        set ldap-username "CN=LDAP account,CN=Users,DC=example,DC=org"
        set ldap-password <the-password>
    next
end
Once the CRL entry has been created, you can adjust the update interval via the CLI. The example below shows CRL updates being done every 24 hours.

config vpn certificate crl
    edit "CRL_1"
        set update-interval 86400
    next
end

You can also rename the system generated name to something more descriptive, using the CLI:

FGT # config vpn certificate crl
FGT (crl) # rename CRL_1 to vsrvz-svb25-CRL
FGT (crl) # end
FGT #


Verification
The CRL should show something under Subject:

dalten_FD35052_CRL-verification1.PNG


If you select the certificate and choose "View Certificate Detail", you should see lots of CRL details:

dalten_FD35052_CRL-verification2.PNG


Using the CLI, the "crl" field should be populated, as seen below:

FGT # config vpn certificate crl

FGT (crl) # edit vsrvz-svb25-CRL

FGT (vsrvz-svb25-CRL) # get
name                : vsrvz-svb25-CRL
crl                 :
        issuer:      /CN=Example Root Authority
        last update: 2014-09-02 19:53:15  GMT
        next update: 2014-09-10 08:13:15  GMT
        version:     2
        Serial Num:
                21:fb:7f:69:00:00:00:00:00:07
        Extensions:
                Name:     X509v3 Authority Key Identifier
                Critical: no
                Content:
                keyid:97:B3:01:66:A9:C9:AA:CA:57:DF:69:D6:F5:7E:27:51:16:37:2E:3E

                Name:     1.3.6.1.4.1.311.21.1
                Critical: no
                Content:
                ...

                Name:     X509v3 CRL Number
                Critical: no
                Content:
                15

                Name:     1.3.6.1.4.1.311.21.4
                Critical: no
                Content:
140909200315Z   .

                Name:     X509v3 Freshest CRL
                Critical: no
                Content:

Full Name:
  URI:ldap:///CN=Example%20Root%20Authority,CN=vsrvz-svb25,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=org?deltaRevocationList?base?objectClass=cRLDistributionPoint


http-url            :
ldap-server         : LDAP-CRL
scep-cert           : Fortinet_Firmware
scep-url            :
source-ip           : 0.0.0.0
update-interval     : 86400
update-vdom         : root
ldap-password       : *
ldap-username       : CN=LDAP account,CN=Users,DC=example,DC=org

FGT (vsrvz-svb25-CRL) # end


Troubleshooting
In the case of CRL update failures, a packet capture of the LDAP server is required to determine the reason for the failure. If LDAPS or STARTTLS is enabled, it may be necessary to temporarily remove the encryption so the LDAP query and response can be seen. Additionally, troubleshooting may need to be performed on the LDAP server itself.

Failed CRL update log message:
date=2014-09-09 time=00:28:49 logid=0101041990 type=event subtype=vpn level=information vd="root" action="alert" cert-type=CRL status="failure" name="vsrvz-svb25-CRL" method="LDAP" msg="Certificate update failed"

Successful CRL update log message:
date=2014-09-09 time=00:29:40 logid=0101041987 type=event subtype=vpn level=information vd="root" action="info" cert-type=CRL status="success" name="vsrvz-svb25-CRL" method="LDAP" msg="A certificate is updated"


Contributors