Fortinet white logo
Fortinet white logo

CLI Reference

config system certificate certificate_verify

config system certificate certificate_verify

Use this command to manage certificate validation rules.

To be valid, a client certificate must meet the following criteria:

  • Must not be expired or not yet valid
  • Must not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
  • Must be signed by a certificate authority (CA) whose certificate you have imported into the FortiADC appliance
  • Must contain a CA field whose value matches a CA’s certificate
  • Must contain an Issuer field whose value matches the Subject field in a CA’s certificate

Certificate validation rules specify the CA certificates to use when validating client certificates, and they specify a CRL and/or OCSP server, if any, to use for certificate revocation checking.

You select a certificate validation configuration object in the profile configuration for a virtual server. If the client presents an invalid certificate during the authentication phase of a SSL/TLS session initiation, the FortiADC system will not allow the connection.

Before you begin:

  • You must have already created a CA group and OCSP or CRL configuration.
  • You must have read-write permission for system settings.

Syntax

config system certificate certificate_verify

edit "verify"

set verify-depth <integer>

set customize-error-ignore <enable/disable>

set ca-ignore-errors <ca_errors>

set cert-ignore-errors <cert_errors>

config group_member

edit 1

set ca-certificate <ca>

set ocsp <ocsp rule>

set crl <crl rule>

next

end

next

end

verify-depth

Specify the depth from the last intermediate CA to the root CA.

customize-error-ignore

Enable or disable "ignore errors".

ca-ignore-errors

Specify the errors on the CA to be ignored. Applicable only when "customize-error-ignore" is enabled.

cert-ignore-errors

Specify the errors on the certificate to be ignored. Applicable only when "customize-error-ignore" is enabled.

Example

FortiADC-VM # config system certificate certificate_verify

FortiADC-VM (certificate_ve~i) # edit "verify"

FortiADC-VM (verify) # set verify-depth

<integer> Verify depth

FortiADC-VM (verify) # set customize-error-ignore

enable enable option

disable disable option

FortiADC-VM (verify) # set ca-ignore-errors

UNABLE_TO_GET_ISSUER_CERT OPENSSL 2

UNABLE_TO_GET_CRL OPENSSL 3

CERT_NOT_YET_VALID OPENSSL 9

CERT_HAS_EXPIRED OPENSSL 10

CRL_NOT_YET_VALID OPENSSL 11

CRL_HAS_EXPIRED OPENSSL 12

DEPTH_ZERO_SELF_SIGNED_CERT OPENSSL 18

SELF_SIGNED_CERT_IN_CHAIN OPENSSL 19

UNABLE_TO_GET_ISSUER_CERT_LOCALLY OPENSSL 20

UNABLE_TO_VERIFY_LEAF_SIGNATURE OPENSSL 21

CERT_CHAIN_TOO_LONG OPENSSL 22

INVALID_CA OPENSSL 24

INVALID_PURPOSE OPENSSL 26

CERT_UNTRUSTED OPENSSL 27

CERT_REJECTED OPENSSL 28

FortiADC-VM (verify) # set cert-ignore-errors

UNABLE_TO_GET_ISSUER_CERT OPENSSL 2

UNABLE_TO_GET_CRL OPENSSL 3

CERT_NOT_YET_VALID OPENSSL 9

CERT_HAS_EXPIRED OPENSSL 10

CRL_NOT_YET_VALID OPENSSL 11

CRL_HAS_EXPIRED OPENSSL 12

DEPTH_ZERO_SELF_SIGNED_CERT OPENSSL 18

SELF_SIGNED_CERT_IN_CHAIN OPENSSL 19

UNABLE_TO_GET_ISSUER_CERT_LOCALLY OPENSSL 20

UNABLE_TO_VERIFY_LEAF_SIGNATURE OPENSSL 21

CERT_CHAIN_TOO_LONG OPENSSL 22

INVALID_CA OPENSSL 24

INVALID_PURPOSE OPENSSL 26

CERT_UNTRUSTED OPENSSL 27

CERT_REJECTED OPENSSL 28

FortiADC-VM (verify) #

config system certificate certificate_verify

config system certificate certificate_verify

Use this command to manage certificate validation rules.

To be valid, a client certificate must meet the following criteria:

  • Must not be expired or not yet valid
  • Must not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
  • Must be signed by a certificate authority (CA) whose certificate you have imported into the FortiADC appliance
  • Must contain a CA field whose value matches a CA’s certificate
  • Must contain an Issuer field whose value matches the Subject field in a CA’s certificate

Certificate validation rules specify the CA certificates to use when validating client certificates, and they specify a CRL and/or OCSP server, if any, to use for certificate revocation checking.

You select a certificate validation configuration object in the profile configuration for a virtual server. If the client presents an invalid certificate during the authentication phase of a SSL/TLS session initiation, the FortiADC system will not allow the connection.

Before you begin:

  • You must have already created a CA group and OCSP or CRL configuration.
  • You must have read-write permission for system settings.

Syntax

config system certificate certificate_verify

edit "verify"

set verify-depth <integer>

set customize-error-ignore <enable/disable>

set ca-ignore-errors <ca_errors>

set cert-ignore-errors <cert_errors>

config group_member

edit 1

set ca-certificate <ca>

set ocsp <ocsp rule>

set crl <crl rule>

next

end

next

end

verify-depth

Specify the depth from the last intermediate CA to the root CA.

customize-error-ignore

Enable or disable "ignore errors".

ca-ignore-errors

Specify the errors on the CA to be ignored. Applicable only when "customize-error-ignore" is enabled.

cert-ignore-errors

Specify the errors on the certificate to be ignored. Applicable only when "customize-error-ignore" is enabled.

Example

FortiADC-VM # config system certificate certificate_verify

FortiADC-VM (certificate_ve~i) # edit "verify"

FortiADC-VM (verify) # set verify-depth

<integer> Verify depth

FortiADC-VM (verify) # set customize-error-ignore

enable enable option

disable disable option

FortiADC-VM (verify) # set ca-ignore-errors

UNABLE_TO_GET_ISSUER_CERT OPENSSL 2

UNABLE_TO_GET_CRL OPENSSL 3

CERT_NOT_YET_VALID OPENSSL 9

CERT_HAS_EXPIRED OPENSSL 10

CRL_NOT_YET_VALID OPENSSL 11

CRL_HAS_EXPIRED OPENSSL 12

DEPTH_ZERO_SELF_SIGNED_CERT OPENSSL 18

SELF_SIGNED_CERT_IN_CHAIN OPENSSL 19

UNABLE_TO_GET_ISSUER_CERT_LOCALLY OPENSSL 20

UNABLE_TO_VERIFY_LEAF_SIGNATURE OPENSSL 21

CERT_CHAIN_TOO_LONG OPENSSL 22

INVALID_CA OPENSSL 24

INVALID_PURPOSE OPENSSL 26

CERT_UNTRUSTED OPENSSL 27

CERT_REJECTED OPENSSL 28

FortiADC-VM (verify) # set cert-ignore-errors

UNABLE_TO_GET_ISSUER_CERT OPENSSL 2

UNABLE_TO_GET_CRL OPENSSL 3

CERT_NOT_YET_VALID OPENSSL 9

CERT_HAS_EXPIRED OPENSSL 10

CRL_NOT_YET_VALID OPENSSL 11

CRL_HAS_EXPIRED OPENSSL 12

DEPTH_ZERO_SELF_SIGNED_CERT OPENSSL 18

SELF_SIGNED_CERT_IN_CHAIN OPENSSL 19

UNABLE_TO_GET_ISSUER_CERT_LOCALLY OPENSSL 20

UNABLE_TO_VERIFY_LEAF_SIGNATURE OPENSSL 21

CERT_CHAIN_TOO_LONG OPENSSL 22

INVALID_CA OPENSSL 24

INVALID_PURPOSE OPENSSL 26

CERT_UNTRUSTED OPENSSL 27

CERT_REJECTED OPENSSL 28

FortiADC-VM (verify) #