Use your CA and revoke that cert. Make the CA list it in the CRL list.
Check the CRL list on your CA, or the revoked cert, and look for the CRLDistributionPoint URL.
Then you can either export the CRL on the CA and import it into FortiOS, or set FortiGate to periodically check and refresh the CRL list from the CA, for example via HTTP.
In FortiOS use the GUI or CLI to import, or automatically keep the latest CRL.
From CLI point of view it might look like this:
config vpn certificate crl
    edit "<crl-name>"
        set http-url "http://yourCA.example.com/cert/crl/example.rootCA.crl"
        set update-interval 300
    next
end
Debug: command below, or 'show full certificate crl', or in GUI show or download the CRL list to see revoked certs.
Be aware that the GUI overview just shows the first 100 revoked certs, so if the list is expected to be longer, then download what FortiGate got from the CRL Distribution Point, or simply download the list yourself by following that link and you should be offered the CRL list file.
diag debug application crl-update -1
diag debug enable
To the actual OpenSSL cert handling... how about Googling something like this from StackOverflow? https://stackoverflow.com...t-have-the-certificate
post edited by xsilver_FTNT - 2017/07/21 08:41:03
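
The check described in the post above (read the CRLDistributionPoint URL from the cert, then look for the cert's serial in the downloaded CRL instead of relying on the GUI's first 100 rows), as an added example that is not part of the original post. It uses the openssl CLI; the throwaway CA, the alice/bob certificates and the function names are constructed for the demonstration.

```sh
# Added example: the throwaway CA, the alice/bob certs and all file names are
# constructed; only CRL_URL is taken from the post. Requires the openssl CLI.
set -e
CRL_URL=http://yourCA.example.com/cert/crl/example.rootCA.crl
# Print the CRL Distribution Point URL(s) embedded in a certificate.
cdp_urls() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/CRL Distribution Points/,/^ *X509v3/s/^ *URI:\([^ ]*\).*$/\1/p'
}

# Dump a CRL as text, whether it is DER (usual for a .crl download) or PEM.
crl_text() {
    openssl crl -inform DER -in "$1" -noout -text 2>/dev/null ||
        openssl crl -inform PEM -in "$1" -noout -text
}

# Number of revoked entries, independent of any 100-row GUI view.
crl_count() { crl_text "$1" | grep -c 'Serial Number:' || true; }

# Exit 0 if the certificate's serial number is listed in the CRL.
crl_lists_cert() {
    serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
    crl_text "$1" | grep -q "Serial Number: ${serial}\$"
}

make_demo_pki() {  # constructed test data: demo CA, two certs, alice revoked
    d=$1; mkdir -p "$d/certs"; : > "$d/index.txt"; echo 1000 > "$d/serial"
    printf '%s\n' '[ca]' 'default_ca = demo' '[demo]' "database = $d/index.txt" \
        "new_certs_dir = $d/certs" "serial = $d/serial" "certificate = $d/ca.pem" \
        "private_key = $d/ca.key" 'default_md = sha256' 'default_days = 30' \
        'default_crl_days = 7' 'policy = pol' 'x509_extensions = leaf' '[pol]' \
        'commonName = supplied' '[leaf]' "crlDistributionPoints = URI:$CRL_URL" > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for n in alice bob; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/$n.csr" -out "$d/$n.pem" 2>/dev/null
    done
    openssl ca -config "$d/ca.cnf" -revoke "$d/alice.pem" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/ca.crl.pem" 2>/dev/null
    openssl crl -in "$d/ca.crl.pem" -outform DER -out "$d/ca.crl"
}

tmp=$(mktemp -d); make_demo_pki "$tmp"
echo "CDP: $(cdp_urls "$tmp/bob.pem"), revoked entries: $(crl_count "$tmp/ca.crl")"
for n in alice bob; do
    crl_lists_cert "$tmp/ca.crl" "$tmp/$n.pem" && echo "$n: REVOKED" || echo "$n: not listed"
done
```

For a real check, pass the file fetched from the CDP URL as the first argument to crl_lists_cert and the certificate in question as the second.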