system certificate sni
In some cases, the members of a server pool or a single pool member host multiple secure websites that use different certificates. Use this command to create a Server Name Indication (SNI) configuration that identifies the certificate to use by domain.
You can select an SNI configuration in a server policy only when the operating mode is Reverse Proxy mode and an HTTPS configuration is applied to the policy.
Not all web browsers support SNI. Go to the following location for a list of web browsers that support SNI:
http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B10.5D
To use this command, your administrator account's access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.
Syntax
    config system certificate sni
        edit "<sni_name>"
            config members
                edit <entry_index>
                    set domain-type {plain | regular}
                    set domain "<server_fqdn>"
                    set multi-local-cert {enable | disable}
                    set multi-local-cert-group <multi-local-cert-group_name>
                    set local-cert "<local-cert_name>"
                    set inter-group "<intermediate-cagroup_name>"
                    set verify "<certificate_verificator_name>"
                next
            end
        next
    end
| Variable | Description | Default |
|---|---|---|
| "<sni_name>" | Enter the name of a Server Name Indication (SNI) configuration. | No default. |
| <entry_index> | Enter the index number of an SNI configuration entry. The valid range is 1–9,999,999,999,999,999,999. | No default. |
| domain-type {plain \| regular} | Specify plain to match a domain to certificates using a literal domain specified in domain. Specify regular to match multiple domains to certificates using a regular expression specified in domain. | plain |
| domain "<server_fqdn>" | Enter the domain of the secure website (HTTPS) that uses the certificate specified by local-cert "<local-cert_name>". Enter a literal domain if domain-type {plain \| regular} is set to plain, or a regular expression if it is set to regular. | No default. |
| multi-local-cert {enable \| disable} | Enable this option to allow FortiWeb to use multiple local certificates. | disable |
| multi-local-cert-group <multi-local-cert-group_name> | Select the multi-certificate group you have created. | No default. |
| local-cert "<local-cert_name>" | Enter the name of the server certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by domain "<server_fqdn>". | No default. |
| inter-group "<intermediate-cagroup_name>" | Enter the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to validate the CA signature of the certificate specified by local-cert "<local-cert_name>". Configure this option if clients receive certificate warnings because the server certificate configured in local-cert "<local-cert_name>" was signed by an intermediary CA rather than by a root CA or another CA the client already trusts directly. Alternatively, include the entire signing chain in the server certificate itself before uploading it to the FortiWeb appliance, thereby completing the chain of trust with a CA already known to the client. See the FortiWeb Administration Guide. | No default. |
| verify "<certificate_verificator_name>" | Enter the name of a certificate verifier, if any, that FortiWeb uses when an HTTP client presents its personal certificate. If you do not select one, the client is not required to present a personal certificate. Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website (PKI authentication). You can require that clients present a certificate as an alternative to, or in addition to, HTTP authentication. For details, see waf http-authen http-authen-rule. To display the list of existing verifiers, enter: Note: The client must support TLS 1.0. | No default. |
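The following is an added example, not FortiWeb code or text from this reference, that models what an SNI configuration does: each member maps a domain (a literal host name for domain-type plain, a regular expression for domain-type regular) to a local certificate, and the appliance picks the certificate by the host name the client sends in the TLS SNI extension. The member names, certificate names and host names are constructed; the rule that plain members are checked before regular ones, that host names compare case-insensitively, that regular-expression members must match the whole host name, and that a client without SNI falls back to the HTTPS configuration's certificate are all assumptions of this model, not behaviour this page states. The `render_cli` helper emits the command sequence from the Syntax section for the same member list.

```python
"""Model of a FortiWeb-style SNI configuration (added example, not FortiWeb code).

Evaluation order, case folding, regex anchoring and the no-SNI fallback below
are assumptions of this model; this page does not state FortiWeb's behaviour.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class SniMember:
    index: int
    domain_type: str        # "plain" (literal host name) or "regular" (regex)
    domain: str
    local_cert: str
    inter_group: str = ""   # optional intermediate CA group name
    verify: str = ""        # optional client certificate verifier name

    def matches(self, server_name: str) -> bool:
        """True if this member covers the host name sent in the SNI extension."""
        if self.domain_type == "plain":
            # DNS names are case-insensitive; otherwise compare literally.
            return server_name.lower() == self.domain.lower()
        if self.domain_type == "regular":
            # fullmatch anchors the pattern: "example\.com" must not also cover
            # "example.com.other.test" (assumption; anchoring is not stated on the page).
            return re.fullmatch(self.domain, server_name, re.IGNORECASE) is not None
        raise ValueError(f"unknown domain-type {self.domain_type!r}")


def select_certificate(members: Iterable[SniMember], server_name: Optional[str],
                       default_cert: str) -> str:
    """Return the certificate name to present for a TLS ClientHello.

    Literal (plain) members win over regular-expression members; a client that
    sends no SNI (older browsers) gets the HTTPS configuration's default certificate.
    """
    if not server_name:
        return default_cert
    ordered = sorted(members, key=lambda m: m.index)
    for dtype in ("plain", "regular"):
        for m in ordered:
            if m.domain_type == dtype and m.matches(server_name):
                return m.local_cert
    return default_cert


def render_cli(sni_name: str, members: Iterable[SniMember]) -> str:
    """Emit the `config system certificate sni` commands for the members."""
    lines = ["config system certificate sni",
             f'    edit "{sni_name}"',
             "        config members"]
    for m in sorted(members, key=lambda m: m.index):
        lines += [f"            edit {m.index}",
                  f"                set domain-type {m.domain_type}",
                  f'                set domain "{m.domain}"',
                  f'                set local-cert "{m.local_cert}"']
        if m.inter_group:
            lines.append(f'                set inter-group "{m.inter_group}"')
        if m.verify:
            lines.append(f'                set verify "{m.verify}"')
        lines.append("            next")
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


# Constructed sample: one pool member hosting three HTTPS sites with different certificates.
EXAMPLE_MEMBERS = [
    SniMember(1, "plain", "www.example.com", "example-com-cert"),
    SniMember(2, "regular", r".*\.shop\.example\.com", "shop-wildcard-cert",
              inter_group="example-intermediate-cas"),
    SniMember(3, "plain", "portal.example.com", "portal-cert",
              verify="employee-cert-verifier"),
]

if __name__ == "__main__":
    print(render_cli("example-sni", EXAMPLE_MEMBERS))
    for name in ("www.example.com", "eu.shop.example.com", "shop.example.com", None):
        print(name, "->", select_certificate(EXAMPLE_MEMBERS, name, "policy-default-cert"))
```

Running the block prints the CLI commands for the sample configuration and then the certificate chosen for a few host names, including the no-SNI case, where the fallback certificate is presented; a practitioner checking a deployment wants exactly that last case covered, because a client that cannot send SNI will see whichever certificate the HTTPS configuration applies by default.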