CLI Reference

system certificate verify

Use this command to configure how the FortiWeb appliance will verify certificates presented by HTTP clients.

To apply a certificate verification rule, select it in a policy. For details, see server-policy policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config system certificate verify
    edit "<certificate_verificator_name>"
        set ca "<ca-group_name>"
        set crl "<crl-group_name>"
        set publish-dn {enable | disable}
        set strictly-need-cert {enable | disable}
    next
end

Variables

"<certificate_verificator_name>"
    Description: Enter the name of a certificate verifier. The maximum length is 63 characters.
    Default: No default.

ca "<ca-group_name>"
    Description: Enter the name of an existing CA Group that you want to use to authenticate client certificates.
    Default: No default.

crl "<crl-group_name>"
    Description: Enter the name of an existing CRL Group, if any, to use to verify the revocation status of client certificates.
    Default: No default.

publish-dn {enable | disable}
    Description: Enable to list only certificates related to the specified CA Group. This is beneficial when a client installs many certificates in its browser or when apps don't list client certificates. If you enable this option, also enable the option in a CA Group. For details, see system certificate ca-group.
    Default: disable

strictly-need-cert {enable | disable}
    Description: Enable to strictly require verifying the client certificate.
    Default: enable
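The following is an added example, not Fortinet code: a small Python audit that reads the `config system certificate verify` block from an exported configuration and flags verifiers with no CA Group, no CRL Group, or `strictly-need-cert` not enabled. It assumes the export uses the syntax shown above and omits settings left at their default; the verifier and group names in the sample are constructed.

```python
import re

# Defaults as listed in the variable descriptions on this page.
DEFAULTS = {"ca": None, "crl": None, "publish-dn": "disable", "strictly-need-cert": "enable"}

# Constructed sample input; all names here are hypothetical.
SAMPLE_CONFIG = '''
config system certificate verify
  edit "partners-mtls"
    set ca "partner-ca-group"
    set crl "partner-crl-group"
  next
  edit "legacy-portal"
    set ca "legacy-ca-group"
    set strictly-need-cert disable
  next
end
'''

def parse_verifiers(text):
    """Return {verifier_name: settings} from the 'system certificate verify' block."""
    verifiers, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system certificate verify":
            in_block = True
        elif not in_block:
            continue  # ignore every other config section
        elif line == "end":
            in_block = False
        elif m := re.fullmatch(r'edit "?([^"]+)"?', line):
            current = verifiers.setdefault(m.group(1), dict(DEFAULTS))
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r'set (\S+) "?([^"]*)"?', line)):
            current[m.group(1)] = m.group(2)
    return verifiers

def audit(text):
    """Return sorted (verifier, finding) pairs for settings that weaken client-cert checks."""
    findings = []
    for name, cfg in parse_verifiers(text).items():
        if not cfg["ca"]:
            findings.append((name, "no CA group: client certificates cannot be authenticated"))
        if not cfg["crl"]:
            findings.append((name, "no CRL group: revocation status is not checked"))
        if cfg["strictly-need-cert"] != "enable":
            findings.append((name, "strictly-need-cert is not enabled"))
    return sorted(findings)
```

Call `audit()` with the text of an exported configuration; an empty list means every verifier has a CA Group, a CRL Group, and `strictly-need-cert` enabled.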
