Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 7.4.4 Handbook
    7.4.4
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Creating a local certificate group

    Creating a local certificate group

    Local certificate groups are used to facilitate the configuration of profiles that are associated with a virtual server.

    Before you begin:
    • You must have Read-Write permission for System settings.
    • You must have already added the certificates to the local certificate store and intermediate CAs to the intermediate certificate store, and created an intermediate CA group.
    • Optionally, create an OCSP Stapling configuration.
    To create a local certificate group:
    1. Go to System > Manage Certificates.

      2. The configuration page displays the Local Certificate Group tab.

    2. Click Create New to display the configuration editor.
    3. Enter the Group Name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The maximum length is 35 characters. After you initially save the configuration, you cannot edit the name.
    4. Click Save.
    5. Under the Group Member section, click Create New to display the configuration editor.
    6. Complete the configuration as described in Local certificate group configuration.
    7. Click Save.

    Local certificate group configuration
    Settings Guidelines
    Default

    Check this check box only if you want to make this local certificate the default for the group.

    Note: Only one local certificate can be set as the default in a group. If one local certificate has already been set as the default, you must disable (uncheck) it in order to set another one as the default. By default, the first local certificate in the group becomes the default if no other local certificate is set as the default.
    Local Certificate Select a local certificate to add to the group.
    OCSP Stapling Select an OCSP Stapling configuration. The local certificate in the OCSP Stapling configuration must match the local certificate in the local certificate group member. See OCSP stapling.
    Intermediate CA group Select an intermediate CA group to add to the local group. (Optional)
    Extra Certificate

    FortiADC supports dual SSL certificates, one for an RSA-based SSL certificate and the other for an ECDSA-based SSL certificate. This option allows you to add an additional local certificate along with an additional OCSP stapling and intermediate CA group to a local certificate group configuration.

    Note: This extra local certificate, which is optional, must be of a different format from the local certificate you selected in the first place. In other words, if the local certificate is RSA-based, then this extra local certificate must be ECDSA-based, or vice versa.
    Extra Local Certificate

    Select an extra local certificate which is different from the local certificate.
    Extra OCSP Stapling

    Select an extra OCSP stapling configuration. The extra local certificate in the extra OCSP stapling configuration must match the extra local certificate in the extra local certificate group member. (Optional)

    Note: This option is available only when the Extra Local Certificate has already been set.
    Extra Intermediate CA Group

    Select an extra intermediate CA group to add to the extra local certificate group. (Optional)

    Note: This option is available only when the Extra Local Certificate is set.

    Note: In general, ECDSA certificates are a good choice for both client and server because they require less time and fewer resources to process. However, for some old web browsers that do not support ECSDA certificates, RSA is the only choice. So, having both an RSA certificate and an ECSDA certificate in the same local certificate group configuration allows FortiADC to take full advantage of the benefits that they offer.

    You can also assign two certificates to a local certificate group from the Console, as illustrated in the following example commands:

    config system certificate local_cert_group

    edit "dual"

    config group_member

    edit 1

    set local-cert intermediate02-leafCA-leaf-Serve-RSA

    set OCSP-stapling intermediate02-leafCA-leaf-Serve-RSA

    set intermediate-ca-group RSA-intermediate02-leaf

    set local-cert-extra intermediate02-leafCA-leaf-Serve-ECC

    set OCSP-stapling-extra intermediate02-leafCA-leaf-Serve-ECC

    set intermediate-ca-group-extra RSA-intermediate02-leaf

    next

    end

    next

    end

    Previous
    Next

    Creating a local certificate group

    Creating a local certificate group

    Local certificate groups are used to facilitate the configuration of profiles that are associated with a virtual server.

    Before you begin:
    • You must have Read-Write permission for System settings.
    • You must have already added the certificates to the local certificate store and intermediate CAs to the intermediate certificate store, and created an intermediate CA group.
    • Optionally, create an OCSP Stapling configuration.
    To create a local certificate group:
    1. Go to System > Manage Certificates.

      2. The configuration page displays the Local Certificate Group tab.

    2. Click Create New to display the configuration editor.
    3. Enter the Group Name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The maximum length is 35 characters. After you initially save the configuration, you cannot edit the name.
    4. Click Save.
    5. Under the Group Member section, click Create New to display the configuration editor.
    6. Complete the configuration as described in Local certificate group configuration.
    7. Click Save.

    Local certificate group configuration
    Settings Guidelines
    Default

    Check this check box only if you want to make this local certificate the default for the group.

    Note: Only one local certificate can be set as the default in a group. If one local certificate has already been set as the default, you must disable (uncheck) it in order to set another one as the default. By default, the first local certificate in the group becomes the default if no other local certificate is set as the default.
    Local Certificate Select a local certificate to add to the group.
    OCSP Stapling Select an OCSP Stapling configuration. The local certificate in the OCSP Stapling configuration must match the local certificate in the local certificate group member. See OCSP stapling.
    Intermediate CA group Select an intermediate CA group to add to the local group. (Optional)
    Extra Certificate

    FortiADC supports dual SSL certificates, one for an RSA-based SSL certificate and the other for an ECDSA-based SSL certificate. This option allows you to add an additional local certificate along with an additional OCSP stapling and intermediate CA group to a local certificate group configuration.

    Note: This extra local certificate, which is optional, must be of a different format from the local certificate you selected in the first place. In other words, if the local certificate is RSA-based, then this extra local certificate must be ECDSA-based, or vice versa.
    Extra Local Certificate

    Select an extra local certificate which is different from the local certificate.
    Extra OCSP Stapling

    Select an extra OCSP stapling configuration. The extra local certificate in the extra OCSP stapling configuration must match the extra local certificate in the extra local certificate group member. (Optional)

    Note: This option is available only when the Extra Local Certificate has already been set.
    Extra Intermediate CA Group

    Select an extra intermediate CA group to add to the extra local certificate group. (Optional)

    Note: This option is available only when the Extra Local Certificate is set.

    Note: In general, ECDSA certificates are a good choice for both client and server because they require less time and fewer resources to process. However, for some old web browsers that do not support ECSDA certificates, RSA is the only choice. So, having both an RSA certificate and an ECSDA certificate in the same local certificate group configuration allows FortiADC to take full advantage of the benefits that they offer.

    You can also assign two certificates to a local certificate group from the Console, as illustrated in the following example commands:

    config system certificate local_cert_group

    edit "dual"

    config group_member

    edit 1

    set local-cert intermediate02-leafCA-leaf-Serve-RSA

    set OCSP-stapling intermediate02-leafCA-leaf-Serve-RSA

    set intermediate-ca-group RSA-intermediate02-leaf

    set local-cert-extra intermediate02-leafCA-leaf-Serve-ECC

    set OCSP-stapling-extra intermediate02-leafCA-leaf-Serve-ECC

    set intermediate-ca-group-extra RSA-intermediate02-leaf

    next

    end

    next

    end

    Previous
    Next