Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 6.1.6 CLI Reference
    6.1.6
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config system certificate certificate_verify

    config system certificate certificate_verify

    Use this command to manage certificate validation rules.

    To be valid, a client certificate must meet the following criteria:

    • Must not be expired or not yet valid
    • Must not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
    • Must be signed by a certificate authority (CA) whose certificate you have imported into the FortiADC appliance
    • Must contain a CA field whose value matches a CA’s certificate
    • Must contain an Issuer field whose value matches the Subject field in a CA’s certificate

    Certificate validation rules specify the CA certificates to use when validating client certificates, and they specify a CRL and/or OCSP server, if any, to use for certificate revocation checking.

    You select a certificate validation configuration object in the profile configuration for a virtual server. If the client presents an invalid certificate during the authentication phase of a SSL/TLS session initiation, the FortiADC system will not allow the connection.

    Before you begin:

    • You must have already created a CA group and OCSP or CRL configuration.
    • You must have read-write permission for system settings.

    Syntax

    config system certificate certificate_verify

    edit "verify"

    set verify-depth <integer>

    set customize-error-ignore <enable/disable>

    set ca-ignore-errors <ca_errors>

    set cert-ignore-errors <cert_errors>

    config group_member

    edit 1

    set ca-certificate <ca>

    set ocsp <ocsp rule>

    set crl <crl rule>

    next

    end

    next

    end

    verify-depth

    Specify the depth from the last intermediate CA to the root CA.

    customize-error-ignore

    Enable or disable "ignore errors".

    ca-ignore-errors

    Specify the errors on the CA to be ignored. Applicable only when "customize-error-ignore" is enabled.

    cert-ignore-errors

    Specify the errors on the certificate to be ignored. Applicable only when "customize-error-ignore" is enabled.

    Example

    FortiADC-VM # config system certificate certificate_verify

    FortiADC-VM (certificate_ve~i) # edit "verify"

    FortiADC-VM (verify) # set verify-depth

    <integer> Verify depth

    FortiADC-VM (verify) # set customize-error-ignore

    enable enable option

    disable disable option

    FortiADC-VM (verify) # set ca-ignore-errors

    UNABLE_TO_GET_ISSUER_CERT OPENSSL 2

    UNABLE_TO_GET_CRL OPENSSL 3

    CERT_NOT_YET_VALID OPENSSL 9

    CERT_HAS_EXPIRED OPENSSL 10

    CRL_NOT_YET_VALID OPENSSL 11

    CRL_HAS_EXPIRED OPENSSL 12

    DEPTH_ZERO_SELF_SIGNED_CERT OPENSSL 18

    SELF_SIGNED_CERT_IN_CHAIN OPENSSL 19

    UNABLE_TO_GET_ISSUER_CERT_LOCALLY OPENSSL 20

    UNABLE_TO_VERIFY_LEAF_SIGNATURE OPENSSL 21

    CERT_CHAIN_TOO_LONG OPENSSL 22

    INVALID_CA OPENSSL 24

    INVALID_PURPOSE OPENSSL 26

    CERT_UNTRUSTED OPENSSL 27

    CERT_REJECTED OPENSSL 28

    FortiADC-VM (verify) # set cert-ignore-errors

    UNABLE_TO_GET_ISSUER_CERT OPENSSL 2

    UNABLE_TO_GET_CRL OPENSSL 3

    CERT_NOT_YET_VALID OPENSSL 9

    CERT_HAS_EXPIRED OPENSSL 10

    CRL_NOT_YET_VALID OPENSSL 11

    CRL_HAS_EXPIRED OPENSSL 12

    DEPTH_ZERO_SELF_SIGNED_CERT OPENSSL 18

    SELF_SIGNED_CERT_IN_CHAIN OPENSSL 19

    UNABLE_TO_GET_ISSUER_CERT_LOCALLY OPENSSL 20

    UNABLE_TO_VERIFY_LEAF_SIGNATURE OPENSSL 21

    CERT_CHAIN_TOO_LONG OPENSSL 22

    INVALID_CA OPENSSL 24

    INVALID_PURPOSE OPENSSL 26

    CERT_UNTRUSTED OPENSSL 27

    CERT_REJECTED OPENSSL 28

    FortiADC-VM (verify) #

    Previous
    Next

    config system certificate certificate_verify

    config system certificate certificate_verify

    Use this command to manage certificate validation rules.

    To be valid, a client certificate must meet the following criteria:

    • Must not be expired or not yet valid
    • Must not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
    • Must be signed by a certificate authority (CA) whose certificate you have imported into the FortiADC appliance
    • Must contain a CA field whose value matches a CA’s certificate
    • Must contain an Issuer field whose value matches the Subject field in a CA’s certificate

    Certificate validation rules specify the CA certificates to use when validating client certificates, and they specify a CRL and/or OCSP server, if any, to use for certificate revocation checking.

    You select a certificate validation configuration object in the profile configuration for a virtual server. If the client presents an invalid certificate during the authentication phase of a SSL/TLS session initiation, the FortiADC system will not allow the connection.

    Before you begin:

    • You must have already created a CA group and OCSP or CRL configuration.
    • You must have read-write permission for system settings.

    Syntax

    config system certificate certificate_verify

    edit "verify"

    set verify-depth <integer>

    set customize-error-ignore <enable/disable>

    set ca-ignore-errors <ca_errors>

    set cert-ignore-errors <cert_errors>

    config group_member

    edit 1

    set ca-certificate <ca>

    set ocsp <ocsp rule>

    set crl <crl rule>

    next

    end

    next

    end

    verify-depth

    Specify the depth from the last intermediate CA to the root CA.

    customize-error-ignore

    Enable or disable "ignore errors".

    ca-ignore-errors

    Specify the errors on the CA to be ignored. Applicable only when "customize-error-ignore" is enabled.

    cert-ignore-errors

    Specify the errors on the certificate to be ignored. Applicable only when "customize-error-ignore" is enabled.

    Example

    FortiADC-VM # config system certificate certificate_verify

    FortiADC-VM (certificate_ve~i) # edit "verify"

    FortiADC-VM (verify) # set verify-depth

    <integer> Verify depth

    FortiADC-VM (verify) # set customize-error-ignore

    enable enable option

    disable disable option

    FortiADC-VM (verify) # set ca-ignore-errors

    UNABLE_TO_GET_ISSUER_CERT OPENSSL 2

    UNABLE_TO_GET_CRL OPENSSL 3

    CERT_NOT_YET_VALID OPENSSL 9

    CERT_HAS_EXPIRED OPENSSL 10

    CRL_NOT_YET_VALID OPENSSL 11

    CRL_HAS_EXPIRED OPENSSL 12

    DEPTH_ZERO_SELF_SIGNED_CERT OPENSSL 18

    SELF_SIGNED_CERT_IN_CHAIN OPENSSL 19

    UNABLE_TO_GET_ISSUER_CERT_LOCALLY OPENSSL 20

    UNABLE_TO_VERIFY_LEAF_SIGNATURE OPENSSL 21

    CERT_CHAIN_TOO_LONG OPENSSL 22

    INVALID_CA OPENSSL 24

    INVALID_PURPOSE OPENSSL 26

    CERT_UNTRUSTED OPENSSL 27

    CERT_REJECTED OPENSSL 28

    FortiADC-VM (verify) # set cert-ignore-errors

    UNABLE_TO_GET_ISSUER_CERT OPENSSL 2

    UNABLE_TO_GET_CRL OPENSSL 3

    CERT_NOT_YET_VALID OPENSSL 9

    CERT_HAS_EXPIRED OPENSSL 10

    CRL_NOT_YET_VALID OPENSSL 11

    CRL_HAS_EXPIRED OPENSSL 12

    DEPTH_ZERO_SELF_SIGNED_CERT OPENSSL 18

    SELF_SIGNED_CERT_IN_CHAIN OPENSSL 19

    UNABLE_TO_GET_ISSUER_CERT_LOCALLY OPENSSL 20

    UNABLE_TO_VERIFY_LEAF_SIGNATURE OPENSSL 21

    CERT_CHAIN_TOO_LONG OPENSSL 22

    INVALID_CA OPENSSL 24

    INVALID_PURPOSE OPENSSL 26

    CERT_UNTRUSTED OPENSSL 27

    CERT_REJECTED OPENSSL 28

    FortiADC-VM (verify) #

    Previous
    Next