
CLI Reference

config system certificate certificate_verify

Use this command to manage certificate validation rules.

FortiADC uses certificate verification objects to enforce trust during SSL/TLS handshakes. These objects define the rules for validating certificates presented by external clients (in Client SSL profiles) or by backend servers (in Real Server SSL profiles). When enabled, FortiADC evaluates the presented certificate against the configured trust anchors and revocation sources before allowing the session to proceed.

A certificate verify object specifies:

  • Trusted Certificate Authorities (CAs): Certificates must chain to an imported and trusted CA.

  • Revocation sources: One or more CRL (Certificate Revocation List) files and/or an OCSP (Online Certificate Status Protocol) responder can be configured to check whether a certificate has been revoked. Multiple CRL files can be associated with the same verification object.

  • Advanced options: Such as advertising trusted CAs to clients when requesting certificates, or controlling the frequency of client authentication checks (once per session or on every reuse).

For a certificate to be considered valid, it must:
  • Be within its validity period (neither expired nor not yet valid).

  • Not be revoked according to the configured CRL or OCSP.

  • Be signed by a CA certificate imported into FortiADC.

If any of these conditions fail, FortiADC denies the connection during the TLS handshake.

Before configuring certificate verification, ensure you have:
  • Read-Write permission for System settings.

  • Imported the required CA certificates, CRLs, or OCSP configurations into the system.

Once created, certificate verify objects can be applied in Client SSL profiles or Real Server SSL profiles, depending on the direction of validation required.

Certificate verification objects with Client Authentication enabled can only be applied to Client SSL profiles. If applied to a Real Server SSL profile, the setting is ignored, since FortiADC does not validate client certificates when acting as a TLS client.

Syntax

config system certificate certificate_verify
  edit "verify"
    set verify-depth <integer>
    set client-authentication {enable|disable}
    set client-auth-frequency {once|always}
    set customize-error-ignore {enable|disable}
    set ca-ignore-errors <ca_errors>
    set cert-ignore-errors <cert_errors>
    config group_member
      edit 1
        set ca-certificate <ca>
        set advertise-certificate-authority {enable|disable}
        set ocsp <ocsp rule>
        set crl <crl rule>
      next
    end
  next
end

verify-depth

Specify the depth from the last intermediate CA to the root CA. Default: 1, Range: 0-255.

client-authentication

Enable or disable mutual TLS client authentication.

When disabled (default), FortiADC accepts TLS sessions without requesting client certificates.

When enabled, FortiADC requires and validates client certificates as part of the handshake, allowing advanced verification options to apply.

client-auth-frequency

Available when client-authentication is enabled. Determines how often FortiADC validates the client certificate for a session.

  • once (default) – The certificate is validated during the initial handshake only.
  • always – The client certificate is validated for the initial handshake and every time the session is resumed, providing stronger security in long-lived or reused sessions.

customize-error-ignore

Enable or disable custom selection of the verification errors to ignore. The option is disabled by default. When enabled, you must also set ca-ignore-errors and cert-ignore-errors, as described below.

ca-ignore-errors

When customize-error-ignore is enabled, the following options become available for you to choose from:

  • UNABLE_TO_GET_ISSUER_CERT
  • UNABLE_TO_GET_CRL
  • CERT_NOT_YET_VALID
  • CERT_HAS_EXPIRED
  • CRL_NOT_YET_VALID
  • CRL_HAS_EXPIRED
  • DEPTH_ZERO_SELF_SIGNED_CERT
  • SELF_SIGNED_CERT_IN_CHAIN
  • UNABLE_TO_GET_ISSUER_CERT_LOCALLY
  • UNABLE_TO_VERIFY_LEAF_SIGNATURE
  • CERT_CHAIN_TOO_LONG
  • INVALID_CA
  • INVALID_PURPOSE
  • CERT_UNTRUSTED
  • CERT_REJECTED

Note: If customize-error-ignore is disabled (the default), the CLI shows the following:

ca-ignore-errors: UNABLE_TO_GET_ISSUER_CERT UNABLE_TO_GET_CRL CERT_UNTRUSTED

cert-ignore-errors

When customize-error-ignore is enabled, the following options become available for you to choose from:

  • UNABLE_TO_GET_ISSUER_CERT
  • UNABLE_TO_GET_CRL
  • CERT_NOT_YET_VALID
  • CERT_HAS_EXPIRED
  • CRL_NOT_YET_VALID
  • CRL_HAS_EXPIRED
  • DEPTH_ZERO_SELF_SIGNED_CERT
  • SELF_SIGNED_CERT_IN_CHAIN
  • UNABLE_TO_GET_ISSUER_CERT_LOCALLY
  • UNABLE_TO_VERIFY_LEAF_SIGNATURE
  • CERT_CHAIN_TOO_LONG
  • INVALID_CA
  • INVALID_PURPOSE
  • CERT_UNTRUSTED
  • CERT_REJECTED

Note: If customize-error-ignore is disabled (the default), the CLI shows the following:

cert-ignore-errors: UNABLE_TO_GET_CRL
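The verify-depth, customize-error-ignore, ca-ignore-errors and cert-ignore-errors settings above combine into one accept/deny decision per handshake. The following is an added illustration of that decision, not FortiADC code: it models a verifier that collects the OpenSSL X509_V_ERR_* codes listed on this page per chain depth and applies the ignore lists. It assumes that cert-ignore-errors governs the presented (leaf) certificate and ca-ignore-errors the issuers above it, and that verify-depth counts intermediates the way OpenSSL 1.1 and later do (neither the leaf nor the trust anchor counts).

```python
from dataclasses import dataclass, field

# OpenSSL X509_V_ERR_* codes, as listed by the CLI help output on this page.
ERR = {
    "UNABLE_TO_GET_ISSUER_CERT": 2, "UNABLE_TO_GET_CRL": 3,
    "CERT_NOT_YET_VALID": 9, "CERT_HAS_EXPIRED": 10,
    "CRL_NOT_YET_VALID": 11, "CRL_HAS_EXPIRED": 12,
    "DEPTH_ZERO_SELF_SIGNED_CERT": 18, "SELF_SIGNED_CERT_IN_CHAIN": 19,
    "UNABLE_TO_GET_ISSUER_CERT_LOCALLY": 20, "UNABLE_TO_VERIFY_LEAF_SIGNATURE": 21,
    "CERT_CHAIN_TOO_LONG": 22, "INVALID_CA": 24, "INVALID_PURPOSE": 26,
    "CERT_UNTRUSTED": 27, "CERT_REJECTED": 28,
}

# Defaults the CLI shows when customize-error-ignore is disabled.
DEFAULT_CA_IGNORE = {"UNABLE_TO_GET_ISSUER_CERT", "UNABLE_TO_GET_CRL", "CERT_UNTRUSTED"}
DEFAULT_CERT_IGNORE = {"UNABLE_TO_GET_CRL"}

@dataclass
class VerifyPolicy:
    verify_depth: int = 1
    customize_error_ignore: bool = False
    ca_ignore_errors: set = field(default_factory=set)
    cert_ignore_errors: set = field(default_factory=set)

    def ignored(self, depth):
        """Assumption: cert-ignore-errors governs the leaf (depth 0),
        ca-ignore-errors every issuer above it."""
        if not self.customize_error_ignore:
            return DEFAULT_CERT_IGNORE if depth == 0 else DEFAULT_CA_IGNORE
        return self.cert_ignore_errors if depth == 0 else self.ca_ignore_errors

def evaluate(policy, chain_len, errors):
    """chain_len: certificates from the presented leaf up to and including
    the trust anchor. errors: {depth: [error names]} raised while walking
    the chain, depth 0 = leaf, depth 1 = its issuer, and so on.
    Returns (accepted, list of unignored 'depth:NAME(code)' entries)."""
    fatal = []
    # verify-depth bounds the intermediates; assumption: as in OpenSSL >= 1.1,
    # neither the leaf nor the trust anchor counts toward the limit.
    intermediates = max(chain_len - 2, 0)
    if intermediates > policy.verify_depth:
        fatal.append(f"{chain_len - 1}:CERT_CHAIN_TOO_LONG({ERR['CERT_CHAIN_TOO_LONG']})")
    for depth in sorted(errors):
        for name in errors[depth]:
            if name not in policy.ignored(depth):
                fatal.append(f"{depth}:{name}({ERR[name]})")
    return (not fatal, fatal)
```

Note that with the defaults an issuer flagged CERT_UNTRUSTED still passes, while the same error on the leaf is fatal; enabling customize-error-ignore with empty lists makes every listed error fatal, including a missing CRL.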

config group_member

ca-certificate

Required. Select a CA (Certificate Authority) object that represents the trusted issuer of client certificates.

advertise-certificate-authority

Enable to include the configured CA list in the TLS handshake when FortiADC requests a client certificate. This ensures that clients present certificates issued by approved authorities, reducing the risk of untrusted or unexpected CAs being accepted. This is enabled by default.

ocsp

Optional. Select an OCSP (Online Certificate Status Protocol) responder to perform real-time certificate revocation checks.

crl

Optional. Select a CRL (Certificate Revocation List) object to reject certificates explicitly revoked by the issuing CA.

Example

FortiADC-VM # config system certificate certificate_verify
FortiADC-VM (certificate_ve~i) # edit "verify"
FortiADC-VM (verify) # set verify-depth
<integer>    Verify depth
FortiADC-VM (verify) # set customize-error-ignore
enable       enable option
disable      disable option
FortiADC-VM (verify) # set ca-ignore-errors
UNABLE_TO_GET_ISSUER_CERT            OPENSSL 2
UNABLE_TO_GET_CRL                    OPENSSL 3
CERT_NOT_YET_VALID                   OPENSSL 9
CERT_HAS_EXPIRED                     OPENSSL 10
CRL_NOT_YET_VALID                    OPENSSL 11
CRL_HAS_EXPIRED                      OPENSSL 12
DEPTH_ZERO_SELF_SIGNED_CERT          OPENSSL 18
SELF_SIGNED_CERT_IN_CHAIN            OPENSSL 19
UNABLE_TO_GET_ISSUER_CERT_LOCALLY    OPENSSL 20
UNABLE_TO_VERIFY_LEAF_SIGNATURE      OPENSSL 21
CERT_CHAIN_TOO_LONG                  OPENSSL 22
INVALID_CA                           OPENSSL 24
INVALID_PURPOSE                      OPENSSL 26
CERT_UNTRUSTED                       OPENSSL 27
CERT_REJECTED                        OPENSSL 28
FortiADC-VM (verify) # set cert-ignore-errors
UNABLE_TO_GET_ISSUER_CERT            OPENSSL 2
UNABLE_TO_GET_CRL                    OPENSSL 3
CERT_NOT_YET_VALID                   OPENSSL 9
CERT_HAS_EXPIRED                     OPENSSL 10
CRL_NOT_YET_VALID                    OPENSSL 11
CRL_HAS_EXPIRED                      OPENSSL 12
DEPTH_ZERO_SELF_SIGNED_CERT          OPENSSL 18
SELF_SIGNED_CERT_IN_CHAIN            OPENSSL 19
UNABLE_TO_GET_ISSUER_CERT_LOCALLY    OPENSSL 20
UNABLE_TO_VERIFY_LEAF_SIGNATURE      OPENSSL 21
CERT_CHAIN_TOO_LONG                  OPENSSL 22
INVALID_CA                           OPENSSL 24
INVALID_PURPOSE                      OPENSSL 26
CERT_UNTRUSTED                       OPENSSL 27
CERT_REJECTED                        OPENSSL 28
FortiADC-VM (verify) #