The certificate authority (CA) store is used to authenticate the certificates of other devices. When the FortiADC system is presented with a certificate, it examines the CA’s signature, comparing it with the copy of the CA’s certificate already imported into the CA store. If the public key matches the private key, the client's or device’s certificate is considered legitimate.
In web browsers, the CA store includes trusted root CAs that can be used to establish trust with servers that have certificates signed by the issuing CAs. In an SSL forward proxy deployment, FortiADC acts as a proxy for the client, so you might want to import client browser CAs, create a CA group, and create a certficate verification policy to verify server certificates against this group. You can examine the CA store in common web browsers to come up with a good list of CAs to download and then import. The following list has links for some common web browsers:
- Apple iOS: https://support.apple.com/en-us/HT204132
- Google Chrome and Mozilla Firefox: https://wiki.mozilla.org/CA:IncludedCAs
- Microsoft Internet Explorer: https://technet.microsoft.com/en-us/library/dn265983.aspx
You must do one of the following:
- Import the certificates of the signing CA and all intermediate CAs to FortiADC’s store of CA certificates.
- In all personal certificates, include the full signing chain up to a CA that FortiADC knows in order to prove that the clients’ certificates should be trusted.
- If the signing CA is not known, that CA’s own certificate must likewise be signed by one or more other intermediary CAs, until both the FortiADC appliance and the client or device can demonstrate a signing chain that ultimately leads to a mutually trusted (shared “root”) CA that they have in common. Like a direct signature by a known CA, this proves that the certificate can be trusted.
Before you begin, you must:
- Have Read-Write permission for System settings.
- Know the URL of an SCEP server or have downloaded the certificate and key files and be able to browse to them so that you can upload them.
To import a CA:
- Go to System > Certificate > Verify.
- Click the CA tab.
- Click Import to display the configuration editor.
- Complete the configuration as described in CA import configuration.
- Click Save when done.
- Repeat Steps 3 through 5 to import as many CAs as needed.
|Certificate Name||Configuration name. Valid characters are
|SCEP URL||Enter the URL of the SCEP server.|
|CA Identifier||Enter the identifier for a specific CA on the SCEP server.|
|Local PC||Browse for the certificate file on the local machine and upload it to FortiADC.|