This article shows the configuration necessary to enable CRL updates using LDAP in a Microsoft CA environment.
The following information is required:
CA certificate file
CRL file (optional)
LDAP server addresses or DNS names to be used for retrieving the CRL
LDAP server username and password for connectivity (required by Microsoft Active Directory)
LDAP object location where the CRL is stored
Using the GUI, go to System, Config, Features, and make sure "Certificates" is enabled. Import the CA file under System, Config, Certificates. You can rename the system-generated name to something more descriptive using the CLI:
FGT # config vpn certificate ca
FGT (ca) # rename CA_Cert_1 to Example-CA
FGT (ca) # end
Next, create the LDAP object that will be used to retrieve the CRLs. For this we require the full LDAP path where the CRL is located. This can be obtained by the following means:
The CA administrator
The CA website
The CRL file itself
An issued certificate from that CA
If you have the CRL file, you can import it directly by choosing Local PC on the System, Certificates, CRL page. Then view it; the LDAP location is displayed (as seen in the verification section further below).
Here is a screenshot of the CRL location, from a webserver certificate
Here is a screenshot of the CRL location, from a CRL file
NOTE: If you select the highlighted section above, you can copy and paste it by using Control-C.
In this case, the CRL path is: CN=Example%20Root%20Authority,CN=vsrvz-svb25,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=org
However, we must replace each "%20" instance with a space, which yields this CRL path: CN=Example Root Authority,CN=vsrvz-svb25,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=org
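As an added example (not part of the original article), the following Python parses an LDAP CRL Distribution Point URI of the form Microsoft CAs publish in a certificate's CRL Distribution Points extension (RFC 4516 LDAP URL syntax), decodes the %20 escapes, and sanity-checks the resulting DN before it is pasted into the FortiGate LDAP entry. The sample URI is constructed around the DN above; the function names are the example's own.

```python
"""Decode a Microsoft CA LDAP CDP URI into the pieces a FortiGate LDAP/CRL
entry needs.  Added example; not FortiGate or Microsoft code."""
from urllib.parse import unquote, urlsplit

# Constructed sample: the article's DN wrapped in the standard Microsoft CDP
# URI form ldap:///<DN>?<attribute>?<scope>?<filter>.  An empty host means
# "any domain controller"; the FortiGate entry supplies the server itself.
SAMPLE_CDP = (
    "ldap:///CN=Example%20Root%20Authority,CN=vsrvz-svb25,CN=CDP,"
    "CN=Public%20Key%20Services,CN=Services,CN=Configuration,"
    "DC=example,DC=org?certificateRevocationList?base"
    "?objectClass=cRLDistributionPoint"
)


def parse_ldap_cdp(uri: str) -> dict:
    """Split an RFC 4516 LDAP URL into host, decoded DN, attribute, scope, filter."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URI: {uri}")
    # The path is "/<DN>"; the leading slash is a separator, not part of the DN.
    dn = unquote(parts.path[1:])
    # Everything after the first "?" lands in .query; LDAP URLs use "?" as the
    # field separator, so split it again into attribute, scope and filter.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attrs, scope, filt = fields[:3]
    return {
        "host": parts.hostname or "",
        "dn": dn,
        "attribute": unquote(attrs),
        "scope": (scope or "base").lower(),
        "filter": unquote(filt),
    }


def fortigate_dn_ok(dn: str) -> bool:
    """Checks before using the DN in 'set dn': no leftover percent-encoding,
    the object sits under the CDP container, and it has a domain component."""
    rdns = [r.strip() for r in dn.split(",")]
    return "%" not in dn and "CN=CDP" in rdns and any(r.startswith("DC=") for r in rdns)


if __name__ == "__main__":
    info = parse_ldap_cdp(SAMPLE_CDP)
    print("set dn", f'"{info["dn"]}"')
    print("attribute:", info["attribute"], "scope:", info["scope"], "ok:", fortigate_dn_ok(info["dn"]))
```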
Using the GUI, go to User & Device, Authentication, LDAP Servers, and click "Create New." Provide the LDAP server information and use the path above as the Distinguished Name. The Bind Type can be left at the default (Simple), as the LDAP account credentials will be provided in the CRL section.
config user ldap
    edit "LDAP-CRL"
        set server "10.150.0.55"
        set cnid "cn"
        set dn "CN=Example Root Authority,CN=vsrvz-svb25,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=org"
        set port 636
        set secure ldaps
        set ca-cert "Example-CA"
    next
end
If you imported the CRL, you must edit the entry, select the LDAP server, and enter the fully qualified LDAP username and password.
You can also create the CRL entry via the CLI (the example uses the system-generated entry name CRL_1, which is renamed further below):
config vpn certificate crl
    edit "CRL_1"
        set ldap-server "LDAP-CRL"
        set ldap-username "CN=LDAP account,CN=Users,DC=example,DC=org"
        set ldap-password <the-password>
    next
end
Once the CRL entry has been created, you can adjust the update interval via the CLI. The interval is in seconds; the example below performs CRL updates every 24 hours.
config vpn certificate crl
    edit "CRL_1"
        set update-interval 86400
    next
end
You can also rename the system-generated name to something more descriptive using the CLI:
FGT # config vpn certificate crl
FGT (crl) # rename CRL_1 to vsrvz-svb25-CRL
FGT (crl) # end
Once the CRL has been retrieved, the CRL entry should show a value under Subject:
If you select the certificate and choose "View Certificate Detail", you should see lots of CRL details:
Using the CLI, the "crl" field should be populated, as seen below:
In the case of CRL update failures, a packet capture of the traffic to the LDAP server is required to determine the reason for the failure. If LDAPS or STARTTLS is enabled, it may be necessary to temporarily remove the encryption so the LDAP query and response can be seen. Additionally, troubleshooting may need to be performed on the LDAP server itself.