Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

system certificate sni

In some cases, the members of a server pool or a single pool member host multiple secure websites that use different certificates. Use this command to create a Server Name Indication (SNI) configuration that identifies the certificate to use by domain.

You can select a SNI configuration in a server policy only when the operating mode is Reverse Proxy mode and an HTTPS configuration is applied to the policy.

Not all web browsers support SNI. Go to the following location for a list of web browsers that support SNI:

http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B10.5D

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config system certificate sni

edit "<sni_name>"

config members

edit <entry_index>

set domain-type {plain | regular}

set domain "<server_fqdn>"

set multi-local-cert {enable | disable}

set multi-local-cert-group <multi-local-cert-group_name>

set certificate-type {enable | disable}

set lets-certificate <name>

set local-cert "<local-cert_name>"

set inter-group "<intermediate-cagroup_name>"

set verify "<certificate_verificator_name>"

end

next

end

Variable Description Default

"<sni_name>"

Enter the name of an Server Name Indication (SNI) configuration. No default.

<entry_index>

Enter the index number of an SNI configuration entry. The valid range is 1–9,999,999,999,999,999,999. No default.

domain-type {plain | regular}

Specify plain to match a domain to certificates using a literal domain specified in domain. Specify regular to match multiple domains to certificates using a regular expression specified in domain. plain

domain "<server_fqdn>"

Enter the domain of the secure website (HTTPS) that uses the certificate specified by local-cert "<local-cert_name>".

Enter a literal domain if domain-type {plain | regular} is set to plain; or enter a regular expression if domain-type is set to regular.

No default.

multi-local-cert {enable | disable}

Enable this option to allow FortiWeb to use multiple local certificates. disable

multi-local-cert-group <multi-local-cert-group_name>

Select the multi-certificate you have created. No default.

certificate-type {enable | disable}

Enable allow FortiWeb to automatically retrieve CA certificates from Let's Encrypt.

disable

lets-certificate <name>

Select the Letsencrypt certificate you have created. See system certificate letsencrypt.

No default.

local-cert "<local-cert_name>"

Enter the name of the server certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by domain "<server_fqdn>". No default.

inter-group "<intermediate-cagroup_name>"

Enter the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to validate the CA signature of the certificate specified by local-cert "<local-cert_name>".

If clients receive certificate warnings that an intermediary CA has signed the server certificate configured in local-cert "<local-cert_name>", rather than by a root CA or other CA currently trusted by the client directly, configure this option.

Alternatively, include the entire signing chain in the server certificate itself before uploading it to the FortiWeb appliance, thereby completing the chain of trust with a CA already known to the client. See the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

No default.

verify "<certificate_verificator_name>"

Enter the name of a certificate verifier, if any, that FortiWeb uses when an HTTP client presents its personal certificate. If you do not select one, the client is not required to present a personal certificate.

Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website (PKI authentication).

You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see waf http-authen http-authen-rule.

To display the list of existing verifiers, enter:

edit ?

Note: The client must support TLS 1.0.

No default.

Related topics

system certificate sni

In some cases, the members of a server pool or a single pool member host multiple secure websites that use different certificates. Use this command to create a Server Name Indication (SNI) configuration that identifies the certificate to use by domain.

You can select a SNI configuration in a server policy only when the operating mode is Reverse Proxy mode and an HTTPS configuration is applied to the policy.

Not all web browsers support SNI. Go to the following location for a list of web browsers that support SNI:

http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B10.5D

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config system certificate sni

edit "<sni_name>"

config members

edit <entry_index>

set domain-type {plain | regular}

set domain "<server_fqdn>"

set multi-local-cert {enable | disable}

set multi-local-cert-group <multi-local-cert-group_name>

set certificate-type {enable | disable}

set lets-certificate <name>

set local-cert "<local-cert_name>"

set inter-group "<intermediate-cagroup_name>"

set verify "<certificate_verificator_name>"

end

next

end

Variable Description Default

"<sni_name>"

Enter the name of an Server Name Indication (SNI) configuration. No default.

<entry_index>

Enter the index number of an SNI configuration entry. The valid range is 1–9,999,999,999,999,999,999. No default.

domain-type {plain | regular}

Specify plain to match a domain to certificates using a literal domain specified in domain. Specify regular to match multiple domains to certificates using a regular expression specified in domain. plain

domain "<server_fqdn>"

Enter the domain of the secure website (HTTPS) that uses the certificate specified by local-cert "<local-cert_name>".

Enter a literal domain if domain-type {plain | regular} is set to plain; or enter a regular expression if domain-type is set to regular.

No default.

multi-local-cert {enable | disable}

Enable this option to allow FortiWeb to use multiple local certificates. disable

multi-local-cert-group <multi-local-cert-group_name>

Select the multi-certificate you have created. No default.

certificate-type {enable | disable}

Enable allow FortiWeb to automatically retrieve CA certificates from Let's Encrypt.

disable

lets-certificate <name>

Select the Letsencrypt certificate you have created. See system certificate letsencrypt.

No default.

local-cert "<local-cert_name>"

Enter the name of the server certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by domain "<server_fqdn>". No default.

inter-group "<intermediate-cagroup_name>"

Enter the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to validate the CA signature of the certificate specified by local-cert "<local-cert_name>".

If clients receive certificate warnings that an intermediary CA has signed the server certificate configured in local-cert "<local-cert_name>", rather than by a root CA or other CA currently trusted by the client directly, configure this option.

Alternatively, include the entire signing chain in the server certificate itself before uploading it to the FortiWeb appliance, thereby completing the chain of trust with a CA already known to the client. See the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

No default.

verify "<certificate_verificator_name>"

Enter the name of a certificate verifier, if any, that FortiWeb uses when an HTTP client presents its personal certificate. If you do not select one, the client is not required to present a personal certificate.

Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website (PKI authentication).

You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see waf http-authen http-authen-rule.

To display the list of existing verifiers, enter:

edit ?

Note: The client must support TLS 1.0.

No default.

Related topics