This section discusses the ways to validate client certificates and real server certificates from within the FortiADC system. It covers the following topics:
- Importing CAs
- Creating a CA group
- Importing remote certificates
- Importing CRLs
- Adding OCSPs
- Validating certificates
Configure a certificate verification object
To be valid, a client certificate must meet the following criteria:
- Must not be expired or not yet valid
- Must not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
- Must be signed by a certificate authority (CA) whose certificate you have imported into the FortiADC appliance
Certificate verification rules specify the CA certificates to use when validating client certificates, and they specify a CRL and/or OCSP server, if any, to use for certificate revocation checking.
You select a certificate verification configuration object in the profile configuration for a virtual server or in a real-server-SSL profile. If the client presents an invalid certificate during the authentication phase of a SSL/TLS session initiation, the FortiADC system will not allow the connection.
Before you begin:
- You must have Read-Write permission for System settings.
- You must have already created CA, OCSP or CRL configuration.
After you have configured a certificate verification object, you can include it in a virtual server profile or a Real Server SSL Profile, and it will be used to validate certificates presented to FortiADC.
|Note: For the same certificate object you can configure multiple CRL files.|
To configure a certificate verification object:
- Go to System > Certificate > Verify.
- Click Create New to display the configuration editor.
- Complete the configuration as described in Certificate verify configuration.
- Click Save when done. The newly certificate verification object appears on the Verify page.
- Click the Edit icon in the far-right column (or double-click the entry) to open the configuration editor.
- In the Group Member panel, select the CA, OCSP, or CRL of interest.
- Click Save when done.
Enter a unique name for the certificate verification object that you are creating. Valid characters are
Note: CLI only.
The default value is 1, but you may select any value from 0 to 255.
Note: This option is available from the CLI only.
Enable or disable
Note: CLI only. When
Note: CLI only. When
|CA||Select a CA (Required).|
|OCSP||Select an OCSP (Optional).|
|CRL||Select a CRL (Optional).|