Fortinet Document Library

Version:

Version:

Version:


Table of Contents

New Features

Download PDF
Copy Link

Online update and verification for third-party certificates (OCSP stapling)

You can enable Anycast to optimize the routing performance to FortiGuard servers. Relying on Fortinet DNS servers, FortiManager obtains a single IP address for the domain name of each FortiGuard service. BGP routing optimization is transparent to FortiManager. The domain name of each FortiGuard service is the common name in that service's certificate. The certificate is signed by a third-party intermediate CA. The FortiGuard server uses the Online Certificate Status Protocol (OCSP) stapling technique, enabling FortiManager to always validate the FortiGuard server certificate efficiently.

This feature focuses on the Anycast option and TLS handshake using OCSP stapling when connecting to the FortiGuard server.

To enable online update and verification for third party certificates:
  1. Enable Anycast support:

    config fmupdate fds-setting

    set fortiguard-anycast enable

    set fortiguard-anycast-source {aws | fortinet}

    end

When Anycast is enabled, FortiManager only completes the TLS handshake with a FortiGuard server that provides a good OCSP status for its certificate. Any other status will result in a failed SSL connection. Also, FortiGuard enforces connection only over port 443.

FortiManager connecting to FortiGuard:
  1. FortiManager embeds CA bundle that includes third party intermediate CA and the root CA.
  2. FortiManager finds FortiGuard IP address from the DNS.
  3. FortiManager initiates TLS handshake with the FortiGuard IP address.
  4. FortiGuard servers provide certificates with its OCSP status: good, revoked, or unknown.
  5. FortiManager verifies CA against the root CA within the CA bundle.
  6. FortiManager then verifies the intermediate CA's revoke status against the root CA's CRL.
  7. Finally, FortiManager verifies the FortiGuard certificate OCSP status.

OCSP stapling is reflected on the signature interval (currently, 24 hours), and good means that the certificate is not revoked at that timestamp. The FortiGuard servers query the CA's OCSP responder every four hours and updates its OCSP status. If the FortiGuard server is unable to reach the OCSP responder, it keeps the last known OCSP status for seven days. This cached OCSP status is immediately sent out when a client connection request is made, which optimizes the response time.

Online update and verification for third-party certificates (OCSP stapling)

You can enable Anycast to optimize the routing performance to FortiGuard servers. Relying on Fortinet DNS servers, FortiManager obtains a single IP address for the domain name of each FortiGuard service. BGP routing optimization is transparent to FortiManager. The domain name of each FortiGuard service is the common name in that service's certificate. The certificate is signed by a third-party intermediate CA. The FortiGuard server uses the Online Certificate Status Protocol (OCSP) stapling technique, enabling FortiManager to always validate the FortiGuard server certificate efficiently.

This feature focuses on the Anycast option and TLS handshake using OCSP stapling when connecting to the FortiGuard server.

To enable online update and verification for third party certificates:
  1. Enable Anycast support:

    config fmupdate fds-setting

    set fortiguard-anycast enable

    set fortiguard-anycast-source {aws | fortinet}

    end

When Anycast is enabled, FortiManager only completes the TLS handshake with a FortiGuard server that provides a good OCSP status for its certificate. Any other status will result in a failed SSL connection. Also, FortiGuard enforces connection only over port 443.

FortiManager connecting to FortiGuard:
  1. FortiManager embeds CA bundle that includes third party intermediate CA and the root CA.
  2. FortiManager finds FortiGuard IP address from the DNS.
  3. FortiManager initiates TLS handshake with the FortiGuard IP address.
  4. FortiGuard servers provide certificates with its OCSP status: good, revoked, or unknown.
  5. FortiManager verifies CA against the root CA within the CA bundle.
  6. FortiManager then verifies the intermediate CA's revoke status against the root CA's CRL.
  7. Finally, FortiManager verifies the FortiGuard certificate OCSP status.

OCSP stapling is reflected on the signature interval (currently, 24 hours), and good means that the certificate is not revoked at that timestamp. The FortiGuard servers query the CA's OCSP responder every four hours and updates its OCSP status. If the FortiGuard server is unable to reach the OCSP responder, it keeps the last known OCSP status for seven days. This cached OCSP status is immediately sent out when a client connection request is made, which optimizes the response time.