Deployment

The FortiADC must verify the authenticity of the OCSP responder's SSL certificate. To do so, you need to import either the Certificate Authority (CA) certificate that signed the OCSP responder's SSL certificate, or one of the certificates in the CA chain.

Choose one of the two following scenarios, depending on which certificate you have:

  • The OCSP responder's SSL certificate is signed directly by a certificate that you have.
  • The OCSP responder's SSL certificate is signed by one of the certificates in the full CA chain, and you do not have that certificate.

Once you know that the server certificate and CA are correct and that you can connect to the correct OCSP responder, it is time to set up the FortiADC.

Scenario 1 – The OCSP responder's SSL certificate is signed directly by a certificate in your possession

This scenario assumes you have the certificate that the OCSP responder uses to sign its responses.

1. Topology

2. Importing the OCSP signing certificates

  1. Go to System > Certificate > Verify, then click the OCSP Signing Certificates tab.
  2. Click +Import to display the configuration editor.
  3. Type a name for the certificate in the text box.
  4. Click Choose File and browse to the file on your computer for OCSP Signing Certificates.
  5. Save the configuration.

3. Adding OCSPs

  1. Go to System > Certificate > Verify, then click the OCSP tab.
  2. Click Create New to display the configuration editor.
  3. Complete the key configuration as shown below.

    Name

    Enter a unique name for the OCSP profile.

    OCSP URL

    Specify the URL of the OCSP Responder.

    Verify Others

    Enabled by default. When it is enabled, you must select an OCSP Signing Certificate.

    OCSP Signing Certificates

    Select the OCSP signing certificate that matches the signature on the OCSP response.
  4. Save the configuration.

4. To configure OCSP stapling

  1. Go to System > Certificate > Manage Certificates, then click the OCSP Stapling tab.
  2. Click +Import to display the configuration editor.
  3. Complete the key configuration as shown below.

    Name

    Enter a unique name for the OCSP stapling.

    Local Certificate

    Select the Virtual Server's SSL certificate to verify revocation status.

    Issuer Certificate

    Select the CA certificate that issued the above local certificate.

    OCSP

    Select the OCSP profile to add to the OCSP stapling configuration.
  4. Click Save to save the configuration.

  5. Check that the OCSP responder's Cert Status is good.

If the query fails, verify that your CA is the one that signed the OCSP responder's certificate, and verify that the FortiADC can reach the OCSP responder server. (See Troubleshooting.)

Scenario 2 – The OCSP responder's SSL certificate is signed by one of the certificates in the full CA chain, and that certificate is not in your possession

This scenario assumes you do not have the certificate that the OCSP responder uses to sign its responses, but you do have the CA chain from your provider.

1. Topology

2. To import CAs

  1. Go to System > Certificate > Verify, then click the CA tab.
  2. Click +Import to display the configuration editor.
  3. Type a name for the certificate in the text box.
  4. For Import, select File.
  5. Click Choose File and browse to the file on your computer for CA.
  6. Save the configuration.

  7. Repeat these steps until every certificate in the CA chain has been uploaded.

3. Create a CA group

  1. Go to System > Certificate > Verify, then click the CA Group tab.
  2. Click Create New to display the configuration editor.
  3. Name the CA group and click Save when done. The new CA group appears on the CA Group page.
  4. Click the Edit icon in the far-right column to bring up the configuration editor.
  5. Click Create New.
  6. Click the down arrow and select the desired CA from the list menu to add to the group.
  7. Click Save when done.

4. Adding OCSPs

  1. Go to System > Certificate > Verify, then click the OCSP tab.
  2. Click Create New to display the configuration editor.
  3. Complete the key configuration as shown below.

    Name

    Enter a unique name for the OCSP profile.

    OCSP URL

    Specify the URL of the OCSP Responder.

    Verify Others

    Off. With this setting disabled, you must use a CA chain instead of a signing certificate.

    CA Chain

    Select the CA chain that matches the signature on the OCSP response.
  4. Save the configuration.

5. To configure OCSP stapling

  1. Go to System > Certificate > Manage Certificates, then click the OCSP Stapling tab.
  2. Click +Import to display the configuration editor.
  3. Complete the key configuration as shown below.

    Name

    Enter a unique name for the OCSP stapling.

    Local Certificate

    Select the Virtual Server's SSL certificate to verify revocation status.

    Issuer Certificate

    Select the CA certificate that issued the above local certificate.

    OCSP

    Select the OCSP profile to add to the OCSP stapling configuration.
  4. Click Save to save the configuration.

  5. Check that the OCSP responder's Cert Status is good.

If the query fails, verify that your CA is the one that signed the OCSP responder's certificate, and verify that the FortiADC can reach the OCSP responder server. (See Troubleshooting.)
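Before configuring either scenario on the FortiADC, the same check (can the responder be reached, and does its response verify against the signing certificate or the CA chain you intend to trust) can be run from a workstation with openssl. This is an added example, not from the FortiADC documentation; the file names server.pem, issuer.pem, ocsp-signer.pem and ca-chain.pem are assumptions.

```shell
#!/bin/sh
# Added example, not part of the FortiADC documentation: query an OCSP
# responder with openssl using the same two trust models as the two scenarios.
# Assumed file names:
#   server.pem      the virtual server's certificate whose status is checked
#   issuer.pem      the CA certificate that issued server.pem
#   ocsp-signer.pem Scenario 1: the responder's own signing certificate
#   ca-chain.pem    Scenario 2: the full CA chain from your provider

# classify_ocsp_output: reduce the text output of "openssl ocsp" to one word.
# Prints good | revoked | unknown | verify-failed | error and returns 0 only
# for "good", so a rollout script can gate on it.
classify_ocsp_output() {
  out="$1"
  case "$out" in
    *"Response verify OK"*) ;;                          # signature trusted
    *"Response Verify Failure"*) echo verify-failed; return 1 ;;
    *) echo error; return 1 ;;                          # no usable response
  esac
  case "$out" in
    *": good"*)    echo good;    return 0 ;;
    *": revoked"*) echo revoked; return 1 ;;
    *": unknown"*) echo unknown; return 1 ;;
    *)             echo error;   return 1 ;;
  esac
}

# check_ocsp MODE URL
#   signer -> Scenario 1: trust the selected OCSP signing certificate (-VAfile),
#             the openssl equivalent of "Verify Others" with a signing cert.
#   chain  -> Scenario 2: verify the response signer against the CA chain
#             (-CAfile), the openssl equivalent of "Verify Others" off + CA chain.
check_ocsp() {
  mode="$1"; url="$2"
  case "$mode" in
    signer) set -- -VAfile ocsp-signer.pem ;;
    chain)  set -- -CAfile ca-chain.pem ;;
    *) echo "usage: check_ocsp signer|chain URL" >&2; return 2 ;;
  esac
  # Both the verification line and the status line are captured (2>&1).
  out=$(openssl ocsp -issuer issuer.pem -cert server.pem -url "$url" "$@" 2>&1)
  classify_ocsp_output "$out"
}
```

A "verify-failed" result with a status line still present means the responder answered but its signer is not the certificate or chain you selected, which is exactly the mismatch the troubleshooting note above describes; "error" usually means the responder was not reachable.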

Apply the settings to VS

1. Create a local certificate group

  1. Go to System > Certificate > Manage Certificates then click the tab Local Certificate Group.
  2. Click Create New to display the configuration editor.
  3. Complete the key configuration as shown below.
  4. Enter the Group Name then click Save.
  5. To add Group Members to a Local Certificate Group, click the (edit) icon in the row of the group.
  6. Click Create New to display the configuration editor.
  7. Complete the key configuration as shown below.

    Local Certificate

    Select the certificate that the virtual server will use.

    OCSP Stapling

    Select an OCSP Stapling configuration.

    Intermediate CA Group

    Select the CA group that contains the full CA chain of the server certificate.
  8. Click Save to save the configuration.

2. Create a Client SSL profile

  1. Go to Server Load Balance > Application Resources then click the tab Client SSL.
  2. Click Create New to display the configuration editor.
  3. Complete the key configuration as shown below.

    Name

    Enter a unique name for the profile.

    Local Certificate Group

    Select the local certificate group that you just created.
  4. Click Save to save the configuration.

3. Link the Client SSL profile to VS

  1. Go to Server Load Balance > Virtual Server then click the tab Virtual Server.
  2. To apply the Client SSL profile to the VS, click the (edit) icon in the row of the virtual servers.
  3. Click the General tab to display the configuration.
  4. Complete the key configuration as shown below.

    Client SSL Profile

    Select the Client SSL profile that you just created.
  5. Click Save to save the configuration.
