Multiple certificates can be defined in an SSL inspection profile in replace mode (Protecting SSL Server). This allows multiple sites to be deployed behind the same protected server IP address, with the replacement certificate selected by matching the SNI against the certificates in the list.
When the FortiGate receives the client and server hello messages, it compares the Server Name Indication (SNI) and the common name (CN) with the certificate list in the SSL profile, and uses the matched certificate as the replacement. If no server certificate in the list matches, the first server certificate in the list is used as the replacement.
To configure an SSL profile in replace mode with multiple certificates:
    config firewall ssl-ssh-profile
        edit "multi-cert"
            set server-cert-mode replace
            set server-cert "bbb" "aaa"
        next
    end
To configure a policy that uses the SSL profile:
    config firewall policy
        edit 1
            set name "multi-cert"
            set srcintf "port6"
            set dstintf "port11"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "multi-cert"
            set av-profile "default"
            set webfilter-profile "default"
            set logtraffic all
            set nat enable
        next
    end
If the SNI matches the CN of a certificate in the SSL profile's list, the FortiGate uses that server certificate. In this example, when the client accesses www.aaa.com, the FortiGate uses the aaa certificate as the replacement.
If the SNI does not match the CN of any certificate in the list, the FortiGate uses the first server certificate in the list. In this example, when the client accesses www.ccc.com, there is no certificate for www.ccc.com, so the FortiGate uses the bbb certificate (the first entry in the list) as the replacement. Because the first entry is the catch-all, the order of the server-cert list determines which certificate unmatched clients see.
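The selection rule above, modelled as an added Python example (not Fortinet code) so the configured certificate order can be audited before deployment. It parses the ssl-ssh-profile snippet from this page and simulates which certificate a client receives; the certificate-name-to-CN mapping and the exact, case-insensitive comparison are assumptions, since the page does not describe wildcard handling.

```python
import re
import shlex

# Constructed sample: the profile from this page, as printed by
# "show firewall ssl-ssh-profile".
SAMPLE_PROFILE = """
config firewall ssl-ssh-profile
    edit "multi-cert"
        set server-cert-mode replace
        set server-cert "bbb" "aaa"
    next
end
"""

# Assumed mapping from local certificate name to its subject CN; on a real
# unit the CN comes from the certificate itself, not from the profile.
CERT_CN = {"bbb": "www.bbb.com", "aaa": "www.aaa.com"}


def parse_server_cert_order(profile_text):
    """Return the server-cert names in configured order.

    Returns [] when the profile is not in replace mode, because the list
    is only consulted in that mode.
    """
    mode = re.search(r"set server-cert-mode (\S+)", profile_text)
    certs = re.search(r"set server-cert (.+)", profile_text)  # skips -mode line
    if not mode or mode.group(1) != "replace" or not certs:
        return []
    return shlex.split(certs.group(1))


def select_replacement_cert(sni, server_cn, cert_order, cert_cn):
    """Model the FortiGate choice: the first listed certificate whose CN
    matches the client's SNI or the real server certificate's CN wins;
    otherwise the first certificate in the list is the catch-all.

    Returns (certificate name, matched?) so an audit can flag clients that
    would silently receive the fallback certificate.
    """
    names = {n.lower() for n in (sni, server_cn) if n}
    for cert in cert_order:
        if cert_cn.get(cert, "").lower() in names:
            return cert, True
    return cert_order[0], False


def audit(profile_text, hostnames, cert_cn=CERT_CN):
    """Map each expected hostname to (certificate, matched?) for review."""
    order = parse_server_cert_order(profile_text)
    return {h: select_replacement_cert(h, h, order, cert_cn) for h in hostnames}
```

Any hostname whose entry reports matched == False is served the first certificate in the list, which is the page's www.ccc.com case.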