Administration Guide

How to offload or inspect HTTPS

Whether offloading or merely inspecting for HTTPS, FortiWeb must have a copy of your protected web servers’ X.509 server certificates. FortiWeb also has its own server certificate, which it uses to prove its own identity.

Which certificate will be used, and how, depends on the purpose.

  • For connections to the web UI—The FortiWeb appliance presents its own HTTPS Server Certificate which is used only for connections to the web UI.
A Fortinet factory default certificate is used as the FortiWeb appliance’s HTTPS server certificate. It can be replaced with other certificates. For details, see How to change FortiWeb's default certificate.
  • For SSL offloading or SSL inspection—Server certificates do not belong to the FortiWeb appliance itself, but instead belong to the protected web servers. FortiWeb uses the web server’s certificate because it either acts as an SSL agent for the web server, or is privy to its secure connections for the purpose of scanning. These can be either Local certificates or Let's Encrypt certificates.
    You can select which one the FortiWeb appliance uses when you configure Enable Server Name Indication (SNI) or Certificate in a server policy (see Configuring a server policy), or Certificate File in a server pool (see Uploading a server certificate).
  • For connections to back-end servers—A certificate you specify in a server pool configuration if connections to a pool member require a valid client certificate. For details, see Creating an HTTP server pool.

Local certificates

Server Objects > Certificates > Local displays all X.509 server certificates that are stored locally, on the FortiWeb appliance, for the purpose of offloading or scanning HTTPS.

Generate
Click to generate a certificate signing request. For details, see Generating a certificate signing request.

Import
Click to upload a certificate. For details, see Uploading a server certificate.

View Certificate Detail
Click to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.

Download
Click to download the selected CSR’s entry in certificate signing request (.csr) file format.
This button is disabled unless the currently selected file is a CSR.

Edit Comments
Click to add or modify the comment associated with the selected certificate.

(No label. Check box in column heading.)
Click to mark all check boxes in the column, selecting all entries.
To select an individual entry instead, mark the check box in the entry’s row.

Name
Displays the name of the certificate.

Subject
Displays the distinguished name (DN) located in the Subject: field of the certificate.
If the row contains a certificate request which has not yet been signed, this field is empty.

Comments
Displays the description of the certificate, if any. Click the Edit Comments icon to add or modify the comment associated with the certificate or certificate signing request.

Status
Displays the status of the certificate.
  • OK—Indicates that the certificate was successfully imported. To use the certificate, select it in a server policy or server pool configuration.
  • PENDING—Indicates that the certificate request has been generated, but must be downloaded, signed, and imported before it can be used as a server certificate.

FortiWeb presents a server certificate when any client requests a secure connection, including when:

  • Administrators connect to the web UI (HTTPS connections only)
  • Clients use SSL or TLS to connect to a virtual server, if you enabled SSL offloading in the policy (HTTPS connections and Reverse Proxy mode only)

Although it does not present a certificate during SSL/TLS inspection, FortiWeb still requires server certificates in order to decrypt and scan HTTPS connections traveling through it (SSL inspection) if operating in any mode except Reverse Proxy. Otherwise, FortiWeb will not be able to scan the traffic, and will not be able to protect that web server.

If you want clients to be able to use HTTPS with your website, but your website does not already have a server certificate to represent its authenticity, you must first generate a certificate signing request. For details, see Generating a certificate signing request. Otherwise, start with Uploading a server certificate.

Let's Encrypt certificates

Instead of uploading a certificate from your local directory, you can configure FortiWeb to obtain a certificate issued by Let's Encrypt on your behalf.

Before adding a Let's Encrypt certificate, you must:
  • Change the DNS entry so that your domain name resolves to FortiWeb's IP address.
  • Make sure requests from the United States are not blocked in IP Protection > Geo IP Block; otherwise FortiWeb can't retrieve certificates from Let's Encrypt.
To use a certificate issued by Let's Encrypt:

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.

  1. Go to Server Objects > Certificates > Letsencrypt.
  2. Enter a name for this certificate.
  3. Enter the domain name of your application. FortiWeb then retrieves the certificate for this domain from Let's Encrypt.
  4. Click OK.
  5. Let's Encrypt sends HTTP requests to FortiWeb to validate ownership of the domain name, so port 80 must be enabled. Perform the following:
    1. In Reverse Proxy mode, make sure to select the HTTP service when configuring the server policy.
    2. In True Transparent Proxy mode, the back-end server that uses the Let's Encrypt certificate must have port 80 enabled.
  6. Reference the Let's Encrypt certificate:
    1. In Reverse Proxy mode, reference it in the server policy (see Configuring a server policy), or reference it through an SNI (see Allowing FortiWeb to support multiple server certificates) in the server policy.
    2. In True Transparent Proxy mode, reference it in the back-end server, or reference it through an SNI when adding a back-end server. The back-end server must be in the server pool that the desired server policy references.

FortiWeb obtains an SSL certificate on your behalf from Let’s Encrypt and uses it for the HTTPS connections with the client to encrypt or decrypt the traffic. If FortiWeb fails to obtain the certificate, it will try again every 2 hours until the certificate is successfully obtained.

You can also obtain the certificate manually by clicking the Issue button. FortiWeb then obtains the certificate immediately.
Note that Let's Encrypt allows only 5 failed attempts to obtain a certificate per hour for each hostname and account. If the following error message displays, you have requested the certificate too frequently:

    "type": "urn:ietf:params:acme:error:rateLimited",
    "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/"

Renewing the Let's Encrypt certificate

5 days before your Let's Encrypt certificate expires, FortiWeb renews it for another 90 days, so it never expires.

To delete the certificate from FortiWeb, click the Revoke button.
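As an added example (not part of the FortiWeb guide), the following Python script checks the two prerequisites stated above before you click Issue, and classifies the ACME error document shown above so that a rate-limited response is recognised rather than retried. The resolver and TCP connector are injectable so the check can be exercised offline; the IP addresses used in testing are constructed documentation addresses.

```python
# Added example (not part of the FortiWeb guide): a pre-flight check for the Let's Encrypt
# HTTP-01 prerequisites described above, plus a classifier for the ACME rate-limit error.
# The resolver and connector are injectable so the check can be exercised offline.
import json
import socket
from typing import Callable

ACME_RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"


def _tcp_connect(ip: str, port: int) -> None:
    """Open and immediately close a TCP connection; raises OSError when unreachable."""
    socket.create_connection((ip, port), timeout=5).close()


def http01_preflight(domain: str, fortiweb_ip: str,
                     resolve: Callable[[str], str] = socket.gethostbyname,
                     connect: Callable[[str, int], None] = _tcp_connect) -> list:
    """Return a list of findings; an empty list means the HTTP-01 prerequisites look satisfied.

    Checks the two conditions the guide states: the domain's DNS entry must point at
    FortiWeb, and port 80 must be reachable so Let's Encrypt can validate ownership.
    """
    findings = []
    try:
        addr = resolve(domain)
    except OSError as exc:
        return ["DNS lookup for %s failed: %s" % (domain, exc)]
    if addr != fortiweb_ip:
        findings.append("%s resolves to %s, not to FortiWeb at %s" % (domain, addr, fortiweb_ip))
    try:
        connect(fortiweb_ip, 80)
    except OSError as exc:
        findings.append("port 80 on %s is not reachable (%s); HTTP-01 validation needs it"
                        % (fortiweb_ip, exc))
    return findings


def classify_acme_error(body: str) -> tuple:
    """Parse an ACME problem document and return (kind, detail).

    kind is "rate-limited" for the urn:ietf:params:acme:error:rateLimited type the guide
    shows (stop retrying and wait for the hourly window to pass); otherwise it is the raw
    problem type so the caller can decide how to react.
    """
    try:
        problem = json.loads(body)
    except ValueError:
        return ("unparseable", body)
    if problem.get("type") == ACME_RATE_LIMITED:
        return ("rate-limited", problem.get("detail", ""))
    return (problem.get("type", "unknown"), problem.get("detail", ""))
```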

Using session keys provided by an HSM

You can integrate FortiWeb with a SafeNet Network HSM 7 (hardware security module) to retrieve a per-connection SSL session key instead of loading the private key and certificate stored on FortiWeb.

Caution: This release supports SafeNet Network HSM 5, 6, and 7 devices; device models older than SafeNet Network HSM 5 are not supported. Confirm your device model before upgrading FortiWeb.
Before the upgrade, manually delete the original HSM configuration to avoid residual configuration. Otherwise, after the upgrade you need to manually delete the original HSM certificate, HSM partition, and HSM info configurations, and then reconfigure them.

Integration of SafeNet Network HSM 7 with FortiWeb requires specific configuration steps for both appliances, including the following tasks:

  • On the HSM:
    • Create one or more HSM partitions for FortiWeb
    • Send the FortiWeb client certificate to the HSM
    • Register the FortiWeb HSM client to the partition
    • Retrieve the HSM server certificate
  • On FortiWeb:
    • Configure communication with the HSM, including using the server and client certificates to register FortiWeb as a client of the HSM
    • Generate a certificate signing request (CSR) that includes the HSM configuration information
    • Upload the signed certificate to FortiWeb
When configuring your CSR to work with an HSM, the CSR generation process creates a private key on both the HSM and FortiWeb. The private key on the HSM is the "real" key that secures communication when FortiWeb uses the signed certificate. The key found on the FortiWeb is used when you upload the certificate to FortiWeb.

FortiWeb supports integrating a standalone HSM server, and also supports two HSM servers working as HA. The procedures are slightly different for standalone mode and HA mode.

To integrate FortiWeb with SafeNet Network HSM 7 - standalone mode
  1. On HSM - Use the partition create command to create and initialize a new HSM partition that uses password authentication. This is the partition FortiWeb uses on the HSM. FortiWeb supports only one partition.

    partition create -par <fortiweb> -pas <fortiweb> -do <fortinet.com>

    For details, see the HSM documentation.

  2. Use an SCP utility and the following command to retrieve the server certificate file from the HSM to your local PC.

    scp -c aes256-cbc <hsm_username>@<hsm_ip>:server.pem <local_pc>/server_<hsm_IP>.pem

  3. On FortiWeb - Log in to the CLI, and enable the HSM function and the high compatibility mode.

    config server-policy setting
      set hsm enable
      set high-compatibility-mode enable
    end

  4. Register FortiWeb to the HSM.
    Go to System > Config > HSM, select the HSM Server tab, and complete the following settings:

    Server IP
    Enter the IP address of the HSM.

    Port
    Enter the port where FortiWeb establishes an NTLS connection with the HSM. The default is 1792.

    Timeout
    Enter a timeout value for the connection between the HSM and FortiWeb.

    Upload Server Certificate File
    Click Choose File and navigate to the server certificate file you retrieved in step 2.

  5. After the creation is completed, go to the HSM server table, select the server, then click Download to download the client certificate file to your local PC. The client file is not available for download if the creation was not successful.
  6. Use the SCP utility and the following command to send the downloaded FortiWeb client certificate to the HSM.

    scp -c aes256-cbc <local_PC>/<fortiweb_ip>.pem admin@<hsm_ip>:

  7. On HSM - Using SSH, connect to the HSM using the admin account, and then use the following command to register a client for FortiWeb on the HSM.

    lunash:> client register -c <client_name> -i <fortiweb_ip>

    where <client_name> is a name you choose that identifies the client.

  8. Use the following command to assign the client you registered to the partition you created earlier:

    lunash:> client assignPartition -client <client_name> -partition <partition_name>

    You can verify the assignment using the following command:

    lunash:> client show -client <client_name>

  9. On FortiWeb - Add the partition and password created previously on the HSM.
    Go to System > Config > HSM, select the HSM Partition tab, then click Create New and complete the following settings.

    Partition Name
    Enter the name of a partition that the FortiWeb HSM client is assigned to.

    Label
    Enter a label for the partition.

    Server
    Select the HSM server to which this partition belongs.

    Password
    Enter the partition password.

  10. Go to Server Objects > Certificates > Local and click Generate to generate a certificate signing request that references the HSM connection and partition. For details, see Generating a certificate signing request.
  11. After the HSM-based certificate is signed by the CA, go to Server Objects > Certificates > Local and click Import to import it. For details, see Uploading a server certificate.
  12. To use a certificate, select it in a policy or server pool configuration. For details, see Configuring a server policy or Creating an HTTP server pool.

To integrate FortiWeb with SafeNet Network HSM 7 - HA mode

FortiWeb supports two HSM servers working as HA. At most eight partitions on the two servers can be associated with FortiWeb.

  1. On HSM - Use the partition create command to create and initialize a new HSM partition that uses password authentication. This is the partition FortiWeb uses on the HSM. FortiWeb supports only one partition.

    partition create -par <fortiweb> -pas <fortiweb> -do <fortinet.com>

    For details, see the HSM documentation.

  2. Use an SCP utility and the following command to retrieve the server certificate file from the HSM to your local PC.

    scp -c aes256-cbc <hsm_username>@<hsm_ip>:server.pem <local_pc>/server_<hsm_IP>.pem

  3. On FortiWeb - Log in to the CLI, and run the following commands to enable the HSM function, the high compatibility mode, and the HSM HA mode.

    config server-policy setting
      set hsm enable
      set high-compatibility-mode enable
      set hsm-ha enable
    end

  4. Register FortiWeb to the HSM.
    Go to System > Config > HSM, select the HSM Server tab, and complete the following settings:

    Server IP
    Enter the IP address of the HSM.

    Port
    Enter the port where FortiWeb establishes an NTLS connection with the HSM. The default is 1792.

    Timeout
    Enter a timeout value for the connection between the HSM and FortiWeb.

    Upload Server Certificate File
    Click Choose File and navigate to the server certificate file you retrieved in step 2.

  5. After the creation is completed, go to the HSM server table, select the server, then click Download to download the client certificate file to your local PC. The client file is not available for download if the creation was not successful.
  6. Use the SCP utility and the following command to send the downloaded FortiWeb client certificate to the HSM.

    scp -c aes256-cbc <local_PC>/<fortiweb_ip>.pem admin@<hsm_ip>:

  7. On HSM - Using SSH, connect to the HSM using the admin account, and then use the following command to register a client for FortiWeb on the HSM.

    lunash:> client register -c <client_name> -i <fortiweb_ip>

    where <client_name> is a name you choose that identifies the client.

  8. Use the following command to assign the client you registered to the partition you created earlier:

    lunash:> client assignPartition -client <client_name> -partition <partition_name>

    You can verify the assignment using the following command:

    lunash:> client show -client <client_name>

  9. On FortiWeb - Add the partition and password created previously on the HSM.
    Go to System > Config > HSM, select the HSM Partition tab, then click Create New and complete the following settings.

    Partition Name
    Enter the name of a partition that the FortiWeb HSM client is assigned to.

    Label
    Enter a label for the partition.

    Server
    Select the HSM server to which this partition belongs.

    Password
    Enter the partition password.

  10. Go to Server Objects > Certificates > Local and click Generate to generate a certificate signing request that references the HSM connection and partition. For details, see Generating a certificate signing request.
  11. After the HSM-based certificate is signed by the CA, go to Server Objects > Certificates > Local and click Import to import it. For details, see Uploading a server certificate.
  12. To use a certificate, select it in a policy or server pool configuration. For details, see Configuring a server policy or Creating an HTTP server pool.
  13. Go to System > Config > HSM, then select the HSM Group tab.
    1. Click Create New. Enter a name for the server group. Click Save.
    2. Click Create New. Select the HSM partition you have created. Click OK. Repeat this step to add more partitions.

Perform the steps listed above to configure the other HSM server in HA mode. The first added server is selected as the primary node.

Generating a certificate signing request

Many commercial certificate authorities (CAs) provide a website where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA signs. When you generate a CSR, the associated private key that the appliance uses to sign and/or encrypt connections with clients is also generated.

If your CA does not provide this, or if you have your own private CA such as a Linux server with OpenSSL, you can use the appliance to generate a CSR and private key. Then, you can submit this CSR for verification and signing by the CA.

To generate a certificate request
  1. Go to Server Objects > Certificates > Local.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
  2. Click Generate.
  3. Configure these settings to complete the certificate signing request:

    Certification Name
    Enter a unique name for the certificate request, such as www.example.com. This can be the name of your website.

    Subject Information
    Includes information that the certificate is required to contain in order to uniquely identify the FortiWeb appliance. This area varies depending on the ID Type selection.

    ID Type
    Select the type of identifier to use in the certificate to identify the FortiWeb appliance:
    • Host IP—Select if the FortiWeb appliance has a static IP address and enter the public IP address of the FortiWeb appliance in the IP field. If the FortiWeb appliance does not have a public IP address, use E-mail or Domain Name instead.
    • Domain Name—Select if the FortiWeb appliance has a static IP address and subscribes to a dynamic DNS service. Enter the FQDN of the FortiWeb appliance, such as www.example.com, in the Domain Name field. Do not include the protocol specification (http://) or any port number or path names.
    • E-Mail—Select and enter the email address of the owner of the FortiWeb appliance in the e-mail field. Use this if the appliance does not require either a static IP address or a domain name.
    The type you should select varies by whether or not your FortiWeb appliance has a static IP address, a fully-qualified domain name (FQDN), and by the primary intended use of the certificate.
    For example, if your FortiWeb appliance has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web UI by the domain name of the FortiWeb appliance, you might prefer to generate a certificate based upon the domain name of the FortiWeb appliance, rather than its IP address.
    Depending on your choice for ID Type, related options appear.

    IP
    Type the static IP address of the FortiWeb appliance, such as 192.0.2.123.
    The IP address should be the one that is visible to clients. Usually, this should be its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.
    This option appears only if ID Type is Host IP.

    Domain Name
    Type the fully qualified domain name (FQDN) of the FortiWeb appliance, such as www.example.com.
    The domain name must resolve to the static IP address of the FortiWeb appliance or protected server. For details, see Configuring the network interfaces.
    This option appears only if ID Type is Domain Name.

    E-mail
    Type the email address of the owner of the FortiWeb appliance, such as admin@example.com.
    This option appears only if ID Type is E-Mail.

    Optional Information
    Includes information that you may include in the certificate, but which is not required.

    Organization unit
    Type the name of your organizational unit (OU), such as the name of your department. This is optional.
    To enter more than one OU name, click the + icon, and enter each OU separately in each field.

    Organization
    Type the legal name of your organization. This is optional.

    Locality (City)
    Type the name of the city or town where the FortiWeb appliance is located. This is optional.

    State/Province
    Type the name of the state or province where the FortiWeb appliance is located. This is optional.

    Country/Region
    Select the name of the country where the FortiWeb appliance is located. This is optional.

    e-mail
    Type an email address that may be used for contact purposes, such as admin@example.com. This is optional.

    Subject Alternative Names
    Type the Subject Alternative Names to specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL certificate.

    Key Type
    Displays the type of algorithm used to generate the key.
    This option cannot be changed, but appears in order to indicate that only RSA is currently supported.

    Key Size
    Select a secure key size of 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security.

    HSM
    Select if the private key for the connections is provided by an HSM instead of FortiWeb.
    Available only if you have enabled HSM settings using the config system global command.
    For details, see Using session keys provided by an HSM.

    Partition Name
    Enter the name of a partition where the private key for this certificate is located on the HSM.
    Available only if HSM is selected.
    If you have enabled HSM HA mode, this option is greyed out because the system automatically gets all the partitions associated with FortiWeb on the HSM HA servers.

    Enrollment Method
    Select either:
    • File Based—You must manually download and submit the resulting certificate request file to a certificate authority (CA) for signing. Once signed, upload the local certificate.
    • Online SCEP—The FortiWeb appliance will automatically use HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.
    Not available if HSM is selected.

  4. Click OK.
    The FortiWeb appliance creates a private and public key pair. The generated request includes the public key of the FortiWeb appliance and information such as the FortiWeb appliance’s IP address, domain name, or email address. The FortiWeb appliance’s private key remains confidential on the FortiWeb appliance. The Status column of the entry is PENDING.
    If you configured your CSR to work with the FortiWeb HSM configuration, the CSR generation process creates a private key both on the HSM and on FortiWeb. The private key on the HSM is used to secure communication when FortiWeb uses the certificate. The FortiWeb private key is used when you upload the certificate to FortiWeb.
  5. Select the row that corresponds to the certificate request.
  6. Click Download.
    Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request .csr file. Time required varies by the size of the file and the speed of your network connection.
  7. Upload the certificate request to your CA.
    After you submit the request to a CA, the CA verifies the information in the certificate, gives it a serial number and an expiration date, and digitally signs it.
  8. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, then install it on all computers that will be connecting to your appliance. If you do not install it, those computers may not trust your new certificate.
  9. When you receive the signed certificate from the CA, upload the certificate to the FortiWeb appliance. For details, see Uploading a server certificate.

Uploading a server certificate

You also use this process to upload a client certificate for FortiWeb. You add this certificate to a server pool configuration if connections to a pool member require a valid client certificate. For details, see Creating an HTTP server pool.

You can import (upload) either:

  • Base64-encoded
  • PKCS #12 RSA-encrypted

X.509 server certificates and private keys to the FortiWeb appliance.

DSA-encrypted certificates are not supported if the FortiWeb appliance is operating in a mode other than Reverse Proxy. For details, see Supported features in each operation mode.
To upload a certificate
The total file size of all certificates, private keys, and any other uploaded files may not exceed 12 MB.
  1. Go to Server Objects > Certificates > Local.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
  2. Click Import.
  3. Configure these settings:

    Type
    Select the type of certificate file to upload, either:
    • Local Certificate—Select this option if the certificate is in PEM or DER format (with extensions such as .pem, .cer, .crt, etc.), and the certificate signing request (CSR) for this certificate was generated on FortiWeb.
      You don't need to import the private key file paired with this certificate because it was already stored on FortiWeb when you generated the CSR.
    • Certificate—Select this option if the certificate is in PEM or DER format (with extensions such as .pem, .cer, .crt, etc.), and the CSR for this certificate was not generated on FortiWeb.
      You need to import the private key file paired with this certificate when you select Certificate.
    • PKCS12 Certificate—Select this option if the certificate is in PKCS12 format.
    Other fields may appear depending on your selection.

    HSM
    Select if you configured the CSR for this certificate to work with an integrated HSM.
    Available only if you have enabled HSM settings using the config system global command, and the key file paired with this certificate was not generated on FortiWeb.
    For details, see Using session keys provided by an HSM.

    Partition Name
    Enter the name of the HSM partition you selected when you created the CSR for this certificate.
    Available only if HSM is selected.

    Certificate file
    Click Browse to locate the certificate file that you want to upload.
    This option is available only if Type is Certificate or Local Certificate.

    Key file
    Click Browse to locate the key file that you want to upload with the certificate.
    This option is available only if Type is Certificate.

    Certificate with key file
    Click Browse to locate the PKCS #12 certificate-with-key file that you want to upload.
    This option is available only if Type is PKCS12 Certificate.

    Password
    Type the password that was used to encrypt the file, enabling the FortiWeb appliance to decrypt and install the certificate.
    This option is available only if Type is Certificate or PKCS12 Certificate.

  4. Click OK.
  5. To use a certificate, you must select it in a policy or server pool configuration (see Configuring a server policy or Creating an HTTP server pool).
Supplementing a server certificate with its signing chain

If a server certificate is signed by an intermediate certificate authority (CA) rather than a root CA, before clients will trust the server certificate, you must demonstrate a link with root CAs that the clients trust, thereby proving that the server certificate is genuine. You can demonstrate this chain of trust either by:
  • Appending the certificates of the intermediate CAs to the server certificate file itself before you upload it, or
  • Uploading the intermediate CA certificates to FortiWeb and configuring it to present them together with the server certificate.

Which method is best for you often depends on whether you have a convenient method for deploying CA certificates to clients (as you can, for example, in an internal Microsoft Active Directory domain) and whether you often refresh the server certificate.

To append a signing chain in the certificate itself, before uploading the server certificate to the FortiWeb appliance
  1. Open the certificate file in a plain text editor.
  2. Append the certificate of each intermediary CA in order, from the intermediary CA that signed the local certificate to the intermediary CA whose certificate was signed directly by a trusted root CA.
    For example, a server’s certificate that includes a signing chain might use the following structure:

    -----BEGIN CERTIFICATE-----
    <server certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <certificate of intermediate CA 1, who signed the server certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
    -----END CERTIFICATE-----

  3. Save the certificate.
  4. Perform the following steps to upload the intermediate CA's certificate to Server Objects > Certificates > Intermediate CA.
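As an added example (not from the FortiWeb guide or Fortinet), the following standard-library Python script checks that a PEM bundle follows the order shown above before you upload it: each certificate's Issuer must match the next certificate's Subject, and the trusted root itself does not need to be appended. The certificate builder at the end produces unsigned, constructed certificates purely to exercise the check; the script does no signature verification, and on a real bundle you run it from the command line.

```python
# Added example (not part of the FortiWeb guide): checks that a PEM bundle is ordered as the
# structure above requires, i.e. server certificate first, then each intermediate CA in
# signing order, by reading Issuer and Subject straight from the DER with a minimal ASN.1
# reader. Standard library only; no signature verification is performed here.
import base64
import re
import sys

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(bundle: str) -> list:
    """Split a PEM bundle into the DER bytes of each certificate, in file order."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_RE.findall(bundle)]


def _read_tlv(data: bytes, pos: int) -> tuple:
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def name_fields(der: bytes) -> tuple:
    """Return (issuer, subject) as raw DER Name encodings from one certificate.

    Layout (RFC 5280): Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer,
                                  validity, subject, subjectPublicKeyInfo, ... }
    """
    _, pos, _ = _read_tlv(der, 0)             # outer Certificate SEQUENCE
    _, pos, _ = _read_tlv(der, pos)           # tbsCertificate SEQUENCE
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                           # explicit [0] version present: skip it
        pos = end
    _, _, pos = _read_tlv(der, pos)           # serialNumber
    _, _, pos = _read_tlv(der, pos)           # signature AlgorithmIdentifier
    _, _, end = _read_tlv(der, pos)           # issuer Name
    issuer = der[pos:end]
    pos = end
    _, _, pos = _read_tlv(der, pos)           # validity
    _, _, end = _read_tlv(der, pos)           # subject Name
    subject = der[pos:end]
    return issuer, subject


def check_chain_order(bundle: str) -> list:
    """Return a list of problems; an empty list means the bundle is in the expected order.

    Names are compared byte for byte, the strict form of the matching rule a validator
    applies when it walks from the server certificate up to a trusted root.
    """
    certs = pem_to_der_list(bundle)
    if not certs:
        return ["no PEM certificates found in the file"]
    names = [name_fields(c) for c in certs]
    problems = []
    for i in range(len(certs) - 1):
        issuer_of_this, _ = names[i]
        _, subject_of_next = names[i + 1]
        if issuer_of_this != subject_of_next:
            problems.append("certificate %d was not issued by certificate %d; reorder the chain"
                            % (i + 1, i + 2))
    last_issuer, last_subject = names[-1]
    if last_issuer == last_subject:
        problems.append("last certificate is self-signed; the trusted root CA does not need to be appended")
    return problems


# --- constructed, unsigned test certificates (structurally valid DER, not real credentials) ---
def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName, here a single CN (OID 2.5.4.3)."""
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, common_name.encode()))
    return _der(0x30, _der(0x31, attr))


def synthetic_cert(subject_cn: str, issuer_cn: str) -> str:
    """Build a PEM certificate with the given Subject/Issuer CNs and dummy remaining fields."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn)
               + _der(0x30, alg + _der(0x03, b"\x00")))   # placeholder SubjectPublicKeyInfo
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))      # empty signature; never verified
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Usage: python chain_order.py bundle.pem
    with open(sys.argv[1]) as fh:
        print("\n".join(check_chain_order(fh.read())) or "chain order OK")
```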

If you did not append the signing chain inside the server certificate itself, you must configure the FortiWeb appliance to provide the certificates of intermediate CAs when it presents the server certificate.

To upload an intermediate CA’s certificate
The total file size of all certificates, private keys, and any other uploaded files may not exceed 12 MB.
  1. Go to Server Objects > Certificates > Intermediate CA and select the Intermediate CA tab.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
    You can click View Certificate Detail to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions (purposes).
  2. To upload a certificate, click Import.
  3. Do one of the following to locate a certificate:
    • Select SCEP and enter the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediate network devices to obtain certificates.)
      To specify a specific certificate authority, enter an identifier in the field below the URL.
    • Select Local PC, then browse to locate a certificate file.
  4. Click OK.
  5. Go to Server Objects > Certificates > Intermediate CA and select the Intermediate CA Group tab.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
  6. Click Create New.
  7. In Name, type a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
  8. Click OK.
  9. Click Create New.
  10. In ID, type the index number of the host entry within the group, or keep the field’s default value of auto to let the FortiWeb appliance automatically assign the next available index number.
  11. In CA, select the name of an intermediary CA’s certificate that you previously uploaded and want to add to the group.
  12. Click OK.
  13. Repeat the previous steps for each intermediary CA certificate that you want to add to the group.
  14. To apply an intermediary CA certificate group, select it for Certificate Intermediate Group in a policy that uses HTTPS, with the server certificate that was signed by those CAs. For details, see Configuring a server policy.
    The FortiWeb appliance presents both the server’s certificate and those of the intermediate CAs when establishing a secure connection with the client.

    Configuring multiple local certificates

    You can now combine RSA, DSA, and ECDSA certificates into a multi-certificate and reference it in a server policy in Reverse Proxy mode, or in a pserver in True Transparent Proxy mode. During the SSL handshake, FortiWeb automatically selects the certificate that matches the negotiated SSL cipher and sends it to the SSL client.

    You can configure all three certificate types to support the widest range of cipher suites, or only one or two of them. If no RSA certificate is configured, FortiWeb uses the default RSA certificate.

    You select each certificate type from the local certificates to create a multi-certificate group. Each certificate type corresponds to a set of SSL ciphers.

    To configure a multi-certificate rule
    1. Go to Server Objects > Certificates > Multi-certificate.
    2. Click Create New.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
    3. Configure these settings:

      Name
      Type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 63 characters.

      RSA Certificate
      Select the RSA certificate created in Local Certificate.

      DSA Certificate
      Select the DSA certificate created in Local Certificate.

      ECDSA Certificate
      Select the ECDSA certificate created in Local Certificate.

      Comments
      Optional. You can add comments as needed.

    4. Click OK.
    5. Repeat these steps to add further multi-certificate rules.
    6. To use the multi-certificate rule, select it in a server policy. For details, see Configuring a server policy.

    Allowing FortiWeb to support multiple server certificates

    In some cases, servers host multiple secure websites that use a different certificate for each host. To allow FortiWeb to present the appropriate certificate for SSL offloading, you create an inline or offline Server Name Indication (SNI) configuration that identifies the certificate to use by domain. The SNI configuration can also specify the client certificate verification to use for the specified domain, if the host requires it.

    You can select an inline SNI configuration in a server policy only when FortiWeb is operating in Reverse Proxy or True Transparent Proxy mode and an HTTPS configuration is applied to the policy.

    An offline SNI configuration is used in the pserver of a server pool in Offline Inspection or Transparent Inspection mode. FortiWeb uses the server certificate to decrypt SSL-secured connections for the website specified by domain.

    If the server pool is used in the server policy, SSL traffic can be decrypted not only with the certificate configured in the server pool, but also with the certificate configured in the SNI policy, when the server name in the SSL traffic matches the domain of an SNI policy rule.

    Not all web browsers support SNI. Go to the following location for a list of web browsers that support SNI:

    http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B10.5D

    To create an inline Server Name Indication (SNI) configuration
    1. Go to Server Objects > Certificates > SNI.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
    2. Select Inline SNI.
    3. Click Create New.
    4. For Name, type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 63 characters.
    5. Click OK.
    6. Click Create New and configure these settings:

      Domain Type

      Select Simple String to match a domain to certificates using a literal domain specified in Domain.

      Otherwise, select Regular Expression to match multiple domains to certificates using a regular expression specified in Domain.

      Domain

      Specify the domain of the secure website (HTTPS) that uses the certificate specified by Certificate Type. Enter a literal domain if Simple String is selected in Domain Type, or enter a regular expression if Regular Expression is selected.

      After you fill in the field with a regular expression, you can fine-tune the expression in a Regular Expression Validator by clicking the >> button on the side. For details, see Regular expression syntax.

      Certificate Type

      Local: Select the server certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by Domain. For details, see Uploading a server certificate.

      Multi-certificate: Select the multi-certificate created in Server Objects > Certificates > Local > Multi-certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by Domain. For details, see Uploading a server certificate.

      Letsencrypt: Select the Let's Encrypt certificate you have created. For details, see Let's Encrypt certificates.

      Intermediate CA Group

      Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to validate the CA signature of the certificate specified by Certificate Type.

      Configure this option if clients receive certificate warnings because the server certificate configured in Certificate Type was signed by an intermediary CA, rather than by a root CA or another CA that the client trusts directly.

      For details, see .

      Alternatively, include the entire signing chain in the server certificate itself before you upload it to FortiWeb, which completes the chain of trust with a CA already known to the client. For details, see Uploading a server certificate and Supplementing a server certificate with its signing chain.

      Certificate Verify

      Select the name of a certificate verifier, if any, that FortiWeb uses when an HTTP client presents its personal certificate to the website specified by Domain. If you do not select one, the client is not required to present a personal certificate. For details, see How to apply PKI client authentication (personal certificates).

      Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website (PKI authentication).

      You can require that clients present a certificate instead of, or in addition to, HTTP authentication. For details, see Offloaded authentication and optional SSO configuration.

      Note: The client must support TLS 1.0.

    7. Click OK.
    8. Repeat the member creation steps to add additional domains, with their associated certificate and verifier, to the inline SNI configuration. An SNI configuration can have up to 256 entries.
    9. To use an inline SNI configuration, select it in a server policy. For details, see Configuring a server policy.
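    The selection behaviour described by Domain Type, Domain and Intermediate CA Group, as an added Go example that is not FortiWeb code: buildPKI constructs a root CA, an intermediate CA and two server certificates, selectChain applies the SNI rules (one Simple String entry, one Regular Expression entry) to the client's server name, and clientVerify does what a browser does with the chain the server presents. The intermediate is included only in the www.example.com entry, so api.example.net, whose certificate is presented without its signing chain, fails verification in exactly the situation the Intermediate CA Group description warns about, and a name that no rule matches falls back to the policy certificate and fails the hostname check. All hostnames, CA names and helper functions (issue, buildPKI, selectChain, clientVerify, handshake) are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// sniRule is one inline SNI entry: a Domain (Simple String or Regular Expression)
// mapped to the chain FortiWeb presents for it: the server certificate first,
// then the intermediates of its Intermediate CA Group, if one is applied.
type sniRule struct {
	domain string         // Simple String, used when re is nil
	re     *regexp.Regexp // Regular Expression
	chain  []*x509.Certificate
}

// selectChain picks the first rule whose Domain matches the client's SNI; no
// match (or no SNI) falls back to the certificate configured in the server policy.
func selectChain(rules []sniRule, fallback []*x509.Certificate, serverName string) []*x509.Certificate {
	for _, r := range rules {
		if (r.re != nil && r.re.MatchString(serverName)) || (r.re == nil && r.domain == serverName) {
			return r.chain
		}
	}
	return fallback
}

// clientVerify is the browser's side: the leaf must chain to a locally trusted
// root using only the intermediates the server actually sent.
func clientVerify(chain []*x509.Certificate, serverName string, roots *x509.CertPool) error {
	inters := x509.NewCertPool()
	for _, ic := range chain[1:] {
		inters.AddCert(ic)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots, Intermediates: inters})
	return err
}

// issue creates a CA or server certificate (constructed test data; a nil parent
// yields a self-signed root).
func issue(cn string, ca bool, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if !ca {
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// buildPKI constructs root -> intermediate -> two server certificates and the SNI rules;
// only the www entry carries the intermediate, the api certificate is presented alone.
func buildPKI() ([]sniRule, []*x509.Certificate, *x509.CertPool) {
	newKey := func() *ecdsa.PrivateKey {
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		return k
	}
	rootKey, interKey := newKey(), newKey()
	root := issue("Constructed Root CA", true, nil, rootKey, rootKey)
	inter := issue("Constructed Intermediate CA", true, root, interKey, rootKey)
	www := issue("www.example.com", false, inter, newKey(), interKey)
	api := issue("api.example.net", false, inter, newKey(), interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root) // the only CA the client trusts directly
	rules := []sniRule{
		{domain: "www.example.com", chain: []*x509.Certificate{www, inter}},
		{re: regexp.MustCompile(`^[a-z0-9-]+\.example\.net$`), chain: []*x509.Certificate{api}},
	}
	return rules, rules[0].chain, roots
}

// handshake emulates one connection's certificate exchange and returns the
// subject CN the client accepted, or the client's verification error.
func handshake(rules []sniRule, fallback []*x509.Certificate, roots *x509.CertPool, serverName string) (string, error) {
	chain := selectChain(rules, fallback, serverName)
	if err := clientVerify(chain, serverName, roots); err != nil {
		return "", err
	}
	return chain[0].Subject.CommonName, nil
}

func main() {
	rules, fallback, roots := buildPKI()
	for _, host := range []string{"www.example.com", "api.example.net", "other.example.org"} {
		cn, err := handshake(rules, fallback, roots, host)
		fmt.Printf("SNI %-18s -> accepted=%q err=%v\n", host, cn, err)
	}
}
```

    Running it shows www.example.com accepted, api.example.net rejected with an unknown-authority error because the client holds only the root and the server did not send the intermediate, and other.example.org rejected with a hostname mismatch because the fallback certificate is not valid for that name. Bundling the chain into the uploaded certificate, as the field description suggests as an alternative, produces the same two-element chain as the www entry.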
    To create an offline Server Name Indication (SNI) configuration
    1. Go to Server Objects > Certificates > SNI.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
    2. Select System > Offline SNI.
    3. Click Create New.
    4. For Name, type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 63 characters.
    5. Click OK.
    6. Click Create New and configure these settings:

      Domain Type

      Select Simple String to match a domain to certificates using a literal domain specified in Domain.

      Otherwise, select Regular Expression to match multiple domains to certificates using a regular expression specified in Domain.

      Domain

      Specify the domain of the secure website (HTTPS) that uses the certificate specified by Certificate Type. Enter a literal domain if Simple String is selected in Domain Type, or enter a regular expression if Regular Expression is selected.

      After you fill in the field with a regular expression, you can fine-tune the expression in a Regular Expression Validator by clicking the >> button on the side. For details, see Regular expression syntax.

      Local Certificate

      Select the server certificate that FortiWeb uses to decrypt SSL-secured connections for the website specified by Domain. For details, see Uploading a server certificate.

    7. Click OK.
    8. Repeat the member creation steps to add additional domains and their certificates to the SNI configuration. An offline SNI configuration can have up to 256 entries.
    9. To use an offline SNI configuration, select it in a server policy. For details, see Configuring a server policy.
    Local certificates

    Server Objects > Certificates > Local displays all X.509 server certificates that are stored locally, on the FortiWeb appliance, for the purpose of offloading or scanning HTTPS.

    Generate Click to generate a certificate signing request. For details, see Generating a certificate signing request.
    Import Click to upload a certificate. For details, see Uploading a server certificate.
    View Certificate Detail Click to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
    Download

    Click to download the selected CSR’s entry in certificate signing request (.csr) file format.

    This button is disabled unless the currently selected file is a CSR.

    Edit Comments Click to add or modify the comment associated with the selected certificate.
    (No label. Check box in column heading.)

    Click to mark all check boxes in the column, selecting all entries.

    To select an individual entry, instead, mark the check box in the entry’s row.

    Name Displays the name of the certificate.
    Subject

    Displays the distinguished name (DN) located in the Subject: field of the certificate.

    If the row contains a certificate request which has not yet been signed, this field is empty.

    Comments Displays the description of the certificate, if any. Click the Edit Comments icon to add or modify the comment associated with the certificate or certificate signing request.
    Status

    Displays the status of the certificate.

    • OK—Indicates that the certificate was successfully imported. To use the certificate, select it in a server policy or server pool configuration.
    • PENDING—Indicates that the certificate request has been generated, but must be downloaded, signed, and imported before it can be used as a server certificate.

    FortiWeb presents a server certificate when any client requests a secure connection, including when:

    • Administrators connect to the web UI (HTTPS connections only)
    • Clients use SSL or TLS to connect to a virtual server, if you enabled SSL offloading in the policy (HTTPS connections and Reverse Proxy mode only)

    Although it does not present a certificate during SSL/TLS inspection, FortiWeb still requires server certificates in order to decrypt and scan HTTPS connections traveling through it (SSL inspection) if operating in any mode except Reverse Proxy. Otherwise, FortiWeb will not be able to scan the traffic, and will not be able to protect that web server.

    If you want clients to be able to use HTTPS with your website, but your website does not already have a server certificate to represent its authenticity, you must first generate a certificate signing request. For details, see Generating a certificate signing request. Otherwise, start with Uploading a server certificate.

    Let's Encrypt certificates

    Instead of uploading a certificate from your local directory, you can configure FortiWeb to obtain a certificate issued by the Let's Encrypt CA on your behalf.

    Before adding a Let's Encrypt certificate, note the following:
    • You must have changed the DNS entry to map your domain name to FortiWeb's IP address.
    • Do not block requests from the United States in IP Protection > Geo IP Block; otherwise, FortiWeb can't retrieve certificates from Let's Encrypt.
    To use a certificate issued by Let's Encrypt:

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.

    1. Go to Server Objects > Certificates > Letsencrypt.
    2. Enter a name for this certificate.
    3. Enter the domain name of your application. FortiWeb then retrieves the certificate for this domain from Let's Encrypt.
    4. Click OK.
    5. Let's Encrypt sends HTTP requests to FortiWeb to validate ownership of the domain name, so port 80 must be enabled. Perform the following:
      1. In RP (Reverse Proxy) mode, select the HTTP service when configuring the server policy.
      2. In TTP (True Transparent Proxy) mode, the back-end server that uses the Let's Encrypt certificate must have port 80 enabled.
    6. Reference the Let's Encrypt certificate:
      1. In RP mode, reference it in the server policy (see Configuring a server policy), or reference it through an SNI configuration (see Allowing FortiWeb to support multiple server certificates) in the server policy.
      2. In TTP mode, reference it in the back-end server, or reference it through an SNI configuration when adding a back-end server. The back-end server must be in the server pool that the desired server policy references.

    FortiWeb obtains an SSL certificate on your behalf from Let’s Encrypt and uses it for the HTTPS connections with the client to encrypt or decrypt the traffic. If FortiWeb fails to obtain the certificate, it will try again every 2 hours until the certificate is successfully obtained.

    You can also obtain the certificate manually by clicking the Issue button; FortiWeb then obtains the certificate immediately.
    Note that Let's Encrypt allows only 5 failed certificate requests per hour for each hostname and account. If the following error message displays, you have requested the certificate too frequently.

    "type": "urn:ietf:params:acme:error:rateLimited",

    "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/"

    Renewing the Let's Encrypt certificate

    5 days before your Let's Encrypt certificate expires, FortiWeb renews it for another 90 days, so it never expires.

    To delete the certificate from FortiWeb, click the Revoke button.

    Using session keys provided by an HSM

    You can integrate FortiWeb with SafeNet Network HSM 7 (hardware security module) to retrieve a per-connection, SSL session key instead of loading the private key and certificate stored on FortiWeb.

    Caution: This release supports SafeNet Network HSM 5, 6, and 7 devices; device models older than SafeNet Network HSM 5 are not supported. Confirm your device model before upgrading FortiWeb.
    Before the upgrade, manually delete the original HSM configuration to avoid residual configuration. Otherwise, after the upgrade you must manually delete the original HSM certificate, HSM partition, and HSM info configurations, and then reconfigure them.

    Integration of SafeNet Network HSM 7 with FortiWeb requires specific configuration steps for both appliances, including the following tasks:

    • On the HSM:
      • Create one or more HSM partitions for FortiWeb
      • Send the FortiWeb client certificate to the HSM
      • Register the FortiWeb HSM client to the partition
      • Retrieve the HSM server certificate
    • On FortiWeb:
      • Configure communication with the HSM, including using the server and client certificates to register FortiWeb as a client of the HSM
      • Generate a certificate signing request (CSR) that includes the HSM configuration information
      • Upload the signed certificate to FortiWeb
    When configuring your CSR to work with an HSM, the CSR generation process creates a private key on both the HSM and FortiWeb. The private key on the HSM is the "real" key that secures communication when FortiWeb uses the signed certificate. The key found on the FortiWeb is used when you upload the certificate to FortiWeb.

    FortiWeb supports integrating a standalone HSM server, and also supports two HSM servers working as HA. The procedures are slightly different for standalone mode and HA mode.

    To integrate FortiWeb with SafeNet Network HSM 7 - standalone mode
    1. On HSM - Use the partition create command to create and initialize a new HSM partition that uses password authentication. This is the partition FortiWeb uses on the HSM. FortiWeb supports only one partition.

      partition create -par <fortiweb> -pas <fortiweb> -do <fortinet.com>

      For details, see the HSM documentation.

    2. Use an SCP utility and the following command to retrieve the server certificate file from the HSM to your local PC.

      scp -c aes256-cbc <hsm_username>@<hsm_ip>:server.pem <local_pc>/server_<hsm_IP>.pem

    3. On FortiWeb - Log in to the CLI and enable the HSM function and the high compatibility mode.

      config server-policy setting
        set hsm enable
        set high-compatibility-mode enable
      end

    4. Register FortiWeb to the HSM.
      Go to System > Config > HSM, select the HSM Server tab, and complete the following settings:

      Server IP
      Enter the IP address of the HSM.

      Port
      Enter the port where FortiWeb establishes an NTLS connection with the HSM. The default is 1792.

      Timeout
      Enter a timeout value for the connection between the HSM and FortiWeb.

      Upload Server Certificate File
      Click Choose File and navigate to the server certificate file you retrieved in step 2.

    5. After the creation is completed, go to the HSM server table, select the server, then click Download to download the client certificate file to your local PC. The client file is not available for download if the creation was not successful.
    6. Use the SCP utility and the following command to send the downloaded FortiWeb client certificate to the HSM.

      scp -c aes256-cbc <local_PC>/<fortiweb_ip>.pem admin@<hsm_ip>:

    7. On HSM - Using SSH, connect to the HSM using the admin account, and then use the following command to register a client for FortiWeb on the HSM.

      lunash:> client register -c <client_name> -i <fortiweb_ip>

      where <client_name> is a name you choose that identifies the client.

    8. Use the following command to assign the client you registered to the partition you created earlier:

      lunash:> client assignPartition -client <client_name> -partition <partition_name>

      You can verify the assignment using the following command:

      lunash:> client show -client <client_name>

    9. On FortiWeb - Add the partition and password created previously on the HSM.
      Go to System > Config > HSM, select the HSM Partition tab, then click Create New and complete the following settings.

      Partition Name
      Enter the name of the partition that the FortiWeb HSM client is assigned to.

      Label
      Enter a label for the partition.

      Server
      Select the HSM server to which this partition belongs.

      Password
      Enter the partition password.

    10. Go to Certificates > Local and click Generate to generate a certificate signing request that references the HSM connection and partition. For details, see Generating a certificate signing request.
    11. After the HSM-based certificate is signed by the CA, go to Certificate > Local and click Import to import it. For details, see Uploading a server certificate.
    12. To use the certificate, select it in a policy or server pool configuration. For details, see Configuring a server policy or Creating an HTTP server pool.
    To integrate FortiWeb with SafeNet Network HSM 7 - HA mode

    FortiWeb supports two HSM servers working as HA. At most eight partitions on the two servers are allowed to be associated with FortiWeb.

    1. On HSM - Use the partition create command to create and initialize a new HSM partition that uses password authentication. This is the partition FortiWeb uses on the HSM. FortiWeb supports only one partition.

      partition create -par <fortiweb> -pas <fortiweb> -do <fortinet.com>

      For details, see the HSM documentation.

    2. Use an SCP utility and the following command to retrieve the server certificate file from the HSM to your local PC.

      scp -c aes256-cbc <hsm_username>@<hsm_ip>:server.pem <local_pc>/server_<hsm_IP>.pem

    3. On FortiWeb - Log in to the CLI and run the following commands to enable the HSM function, the high compatibility mode, and the HSM HA mode.

      config server-policy setting
        set hsm enable
        set high-compatibility-mode enable
        set hsm-ha enable
      end

    4. Register FortiWeb to the HSM.
      Go to System > Config > HSM, select the HSM Server tab, and complete the following settings:

      Server IP
      Enter the IP address of the HSM.

      Port
      Enter the port where FortiWeb establishes an NTLS connection with the HSM. The default is 1792.

      Timeout
      Enter a timeout value for the connection between the HSM and FortiWeb.

      Upload Server Certificate File
      Click Choose File and navigate to the server certificate file you retrieved in step 2.

    5. After the creation is completed, go to the HSM server table, select the server, then click Download to download the client certificate file to your local PC. The client file is not available for download if the creation was not successful.
    6. Use the SCP utility and the following command to send the downloaded FortiWeb client certificate to the HSM.

      scp -c aes256-cbc <local_PC>/<fortiweb_ip>.pem admin@<hsm_ip>:

    7. On HSM - Using SSH, connect to the HSM using the admin account, and then use the following command to register a client for FortiWeb on the HSM.

      lunash:> client register -c <client_name> -i <fortiweb_ip>

      where <client_name> is a name you choose that identifies the client.

    8. Use the following command to assign the client you registered to the partition you created earlier:

      lunash:> client assignPartition -client <client_name> -partition <partition_name>

      You can verify the assignment using the following command:

      lunash:> client show -client <client_name>

    9. On FortiWeb - Add the partition and password created previously on the HSM.
      Go to System > Config > HSM, select the HSM Partition tab, then click Create New and complete the following settings.

      Partition Name
      Enter the name of the partition that the FortiWeb HSM client is assigned to.

      Label
      Enter a label for the partition.

      Server
      Select the HSM server to which this partition belongs.

      Password
      Enter the partition password.

    10. Go to Certificates > Local and click Generate to generate a certificate signing request that references the HSM connection and partition. For details, see Generating a certificate signing request.
    11. After the HSM-based certificate is signed by the CA, go to Certificate > Local and click Import to import it. For details, see Uploading a server certificate.
    12. To use the certificate, select it in a policy or server pool configuration. For details, see Configuring a server policy or Creating an HTTP server pool.
    13. Go to System > Config > HSM, then select the HSM Group tab.
      1. Click Create New. Enter a name for the server group. Click Save.
      2. Click Create New. Select the HSM partition you have created. Click OK. Repeat this step to add more partitions.

    Perform the steps listed above to configure the other HSM server in HA mode. The first server added is selected as the primary node.

    Generating a certificate signing request

    Many commercial certificate authorities (CAs) provide a website where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA signs. When you generate a CSR, the associated private key that the appliance uses to sign and/or encrypt connections with clients is also generated.

    If your CA does not provide this, or if you have your own private CA such as a Linux server with OpenSSL, you can use the appliance to generate a CSR and private key. Then, you can submit this CSR for verification and signing by the CA.

    To generate a certificate request
    1. Go to Server Objects > Certificates > Local.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
    2. Click Generate.
    3. Configure these settings to complete the certificate signing request:

      Certification Name
      Enter a unique name for the certificate request, such as www.example.com. This can be the name of your website.

      Subject Information
      Includes information that the certificate must contain in order to uniquely identify the FortiWeb appliance. This area varies depending on the ID Type selection.

      ID Type

      Select the type of identifier to use in the certificate to identify the FortiWeb appliance:

      • Host IP—Select if the FortiWeb appliance has a static IP address and enter the public IP address of the FortiWeb appliance in the IP field. If the FortiWeb appliance does not have a public IP address, use E-mail or Domain Name instead.
      • Domain Name—Select if the FortiWeb appliance has a static IP address and subscribes to a dynamic DNS service. Enter the FQDN of the FortiWeb appliance, such as www.example.com, in the Domain Name field. Do not include the protocol specification (http://) or any port number or path names.
      • E-Mail—Select and enter the email address of the owner of the FortiWeb appliance in the e-mail field. Use this if the appliance does not require either a static IP address or a domain name.

      The type you should select varies by whether or not your FortiWeb appliance has a static IP address, a fully qualified domain name (FQDN), and by the primary intended use of the certificate.

      For example, if your FortiWeb appliance has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web UI by the domain name of the FortiWeb appliance, you might prefer to generate a certificate based upon the domain name of the FortiWeb appliance, rather than its IP address.

      Depending on your choice for ID Type, related options appear.

      IP

      Type the static IP address of the FortiWeb appliance, such as 192.0.2.123.

      The IP address should be the one that is visible to clients. Usually, this should be its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.

      This option appears only if ID Type is Host IP.

      Domain Name

      Type the fully qualified domain name (FQDN) of the FortiWeb appliance, such as www.example.com.

      The domain name must resolve to the static IP address of the FortiWeb appliance or protected server. For details, see Configuring the network interfaces.

      This option appears only if ID Type is Domain Name.

      E-mail

      Type the email address of the owner of the FortiWeb appliance, such as admin@example.com.

      This option appears only if ID Type is E-Mail.

      Optional Information
      Includes information that you may include in the certificate, but which is not required.

      Organization unit

      Type the name of your organizational unit (OU), such as the name of your department. This is optional.

      To enter more than one OU name, click the + icon, and enter each OU separately in its own field.

      Organization
      Type the legal name of your organization. This is optional.

      Locality(City)
      Type the name of the city or town where the FortiWeb appliance is located. This is optional.

      State/Province
      Type the name of the state or province where the FortiWeb appliance is located. This is optional.

      Country/Region
      Select the name of the country where the FortiWeb appliance is located. This is optional.

      e-mail

      Type an email address that may be used for contact purposes, such as admin@example.com.

      This is optional.

      Subject Alternative Names
      Type the Subject Alternative Names to specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL certificate.

      Key Type

      Displays the type of algorithm used to generate the key.

      This option cannot be changed, but appears in order to indicate that only RSA is currently supported.

      Key Size
      Select a secure key size of 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security.

      HSM
      Select if the private key for the connections is provided by an HSM instead of FortiWeb.

      Available only if you have enabled HSM settings using the config system global command.

      For details, see Using session keys provided by an HSM.

      Partition Name

      Enter the name of the partition where the private key for this certificate is located on the HSM.

      Available only if HSM is selected (see Using session keys provided by an HSM).

      If you have enabled HSM HA mode, this option is greyed out because the system automatically gets all the partitions associated with FortiWeb on the HSM HA servers.

      Enrollment Method

      Select either:

      • File Based—You must manually download and submit the resulting certificate request file to a certificate authority (CA) for signing. Once signed, upload the local certificate.
      • Online SCEP—The FortiWeb appliance will automatically use HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.

        Not available if HSM is selected (see Using session keys provided by an HSM).
    4. Click OK.
    5. The FortiWeb appliance creates a private and public key pair. The generated request includes the public key of the FortiWeb appliance and information such as the FortiWeb appliance’s IP address, domain name, or email address. The FortiWeb appliance’s private key remains confidential on the FortiWeb appliance. The Status column of the entry is PENDING.

      If you configured your CSR to work with the FortiWeb HSM configuration, the CSR generation process creates a private key both on the HSM and on FortiWeb. The private key on the HSM is used to secure communication when FortiWeb uses the certificate. The FortiWeb private key is used when you upload the certificate to FortiWeb.

    6. Select the row that corresponds to the certificate request.
    7. Click Download.
    8. Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request .csr file. The time required varies by the size of the file and the speed of your network connection.

    9. Upload the certificate request to your CA.
    10. After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.

    11. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, then install it on all computers that will be connecting to your appliance. If you do not install it, those computers may not trust your new certificate.
    12. When you receive the signed certificate from the CA, upload the certificate to the FortiWeb appliance. For details, see Uploading a server certificate.

    Uploading a server certificate

    You also use this process to upload a client certificate for FortiWeb. You add this certificate to a server pool configuration if connections to a pool member require a valid client certificate. For details, see Creating an HTTP server pool.

    You can import (upload) either:

    • Base64-encoded
    • PKCS #12 RSA-encrypted

    X.509 server certificates and private keys to the FortiWeb appliance.

    DSA-encrypted certificates are not supported if the FortiWeb appliance is operating in a mode other than Reverse Proxy. For details, see Supported features in each operation mode.
    To upload a certificate
    The total file size of all certificates, private keys, and any other uploaded files may not exceed 12 MB.
    1. Go to Server Objects > Certificates > Local.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
    2. Click Import.
    3. Configure these settings:
    4. Type

      Select the type of certificate file to upload, either:

      • Local Certificate—Select this option if the certificate is in PEM or DER format (with extensions such as .pem, .cer, .crt, etc.), and the Certificate Signing Request (CSR) for this certificate is generated on FortiWeb.
        You don't need to import the private key file paired with this certificate because it is already stored on FortiWeb when you generated the CSR.
      • Certificate—Select this option if the certificate is in PEM or DER format (with extensions such as .pem, .cer, .crt, etc.), and the CSR for this certificate is not generated on FortiWeb.
        You need to import the private key file paired with this certificate when you select Certificate.
      • PKCS12 Certificate—Select this option if the certificate is in PKCS12 format.

      Other fields may appear depending on your selection.

      HSM

      Select if you configured the CSR for this certificate to work with an integrated HSM, and the key file paired with this certificate is not generated on FortiWeb.

      Available only if you have enabled HSM settings using the config system global command.

      For details, see Using session keys provided by an HSM.

      Partition Name Enter the name of the HSM partition you selected when you created the CSR for this certificate.

      Available only if Using session keys provided by an HSM is selected.
      Certificate file

      Click Browse to locate the certificate file that you want to upload.

      This option is available only if Type is Certificate or Local Certificate.

      Key file

      Click Browse to locate the key file that you want to upload with the certificate.

      This option is available only if Type is Certificate.

      Certificate with key file

      Click Browse to locate the PKCS #12 certificate-with-key file that you want to upload.

      This option is available only if Type is PKCS12 Certificate.

      Password

      Type the password that was used to encrypt the file, enabling the FortiWeb appliance to decrypt and install the certificate.

      This option is available only if Type is Certificate or PKCS12 Certificate.

    5. Click OK.
    6. To use a certificate, you must select it in a policy or server pool configuration (see Configuring a server policy or Creating an HTTP server pool).

    Supplementing a server certificate with its signing chain

    If a server certificate is signed by an intermediate certificate authority (CA) rather than a root CA, before clients will trust the server certificate, you must demonstrate a link with root CAs that the clients trust, thereby proving that the server certificate is genuine. You can demonstrate this chain of trust either by:

    • Appending the signing chain (the intermediate CA certificates) to the server certificate file itself before you upload it to FortiWeb, or
    • Uploading the intermediate CA certificates separately and selecting them in an intermediate CA group that FortiWeb presents together with the server certificate.

    Which method is best for you often depends on whether you have a convenient method for deploying CA certificates to clients (as you can, for example, in an internal Microsoft Active Directory domain) and whether you often refresh the server certificate.

    To append a signing chain in the certificate itself, before uploading the server certificate to the FortiWeb appliance
    1. Open the certificate file in a plain text editor.
    2. Append the certificate of each intermediary CA in order from the intermediary CA who signed the local certificate to the intermediary CA whose certificate was signed directly by a trusted root CA.
    3. For example, a server’s certificate that includes a signing chain might use the following structure:

      -----BEGIN CERTIFICATE-----
      <server certificate>
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      <certificate of intermediate CA 1, who signed the server certificate>
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      <certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
      -----END CERTIFICATE-----

    4. Save the certificate.
    5. Perform the following steps to upload the intermediate CA's certificate to Server Objects > Certificates > Intermediate CA.
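    A way to check the order of a chained certificate file before uploading it, as an added example that is not Fortinet's code: it splits the PEM blocks, reads each certificate with a minimal DER reader (standard library only), and confirms that every certificate's issuer equals the next certificate's subject, which is the order the steps above require. The certificates it builds as sample input are constructed, unsigned stand-ins; the names, the helper functions and the sample bundles are assumptions of this example.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(tag, body):
    # Encode one DER element; length is short form below 128 bytes, long form otherwise.
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def der_read(buf, pos):
    # Decode one DER element at pos; return (tag, value, position after it).
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                            # long-form length, as real certificates use
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def cert_names(der):
    # Return (issuer, subject) as raw DER Name encodings from an X.509 certificate.
    _, cert, _ = der_read(der, 0)            # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_read(cert, 0)            # tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, ...
    pos = der_read(tbs, 0)[2] if tbs[0] == 0xA0 else 0   # skip the optional EXPLICIT version
    fields = []
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, val, pos = der_read(tbs, pos)
        fields.append(val)
    return fields[2], fields[4]

def check_chain_order(pem):
    # Return (ok, message); ok only when each certificate is issued by the one that follows it.
    certs = [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_RE.finditer(pem)]
    if not certs:
        return False, "no PEM certificate blocks found"
    names = [cert_names(c) for c in certs]
    for i in range(len(certs) - 1):
        if names[i][0] != names[i + 1][1]:
            return False, f"certificate {i + 1} was not issued by certificate {i + 2}"
    return True, f"{len(certs)} certificates, chain order is correct"

def fake_cert(subject, issuer):
    # Constructed, unsigned test certificate carrying only the fields cert_names() reads.
    def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
        return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))            # version v3
                  + der_tlv(0x02, b"\x01")                                # serialNumber
                  + der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
                  + name(issuer)
                  + der_tlv(0x30, der_tlv(0x18, b"20240101000000Z") + der_tlv(0x18, b"20250101000000Z"))
                  + name(subject)
                  + der_tlv(0x30, b""))                                   # empty subjectPublicKeyInfo
    der = der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

# Constructed sample bundles: CHAIN is the order described above, BAD_BUNDLE swaps the two CAs.
CHAIN = [("www.example.com", "Intermediate CA 1"), ("Intermediate CA 1", "Intermediate CA 2"), ("Intermediate CA 2", "Example Root CA")]
GOOD_BUNDLE = b"".join(fake_cert(s, i) for s, i in CHAIN)
BAD_BUNDLE = b"".join(fake_cert(s, i) for s, i in [CHAIN[0], CHAIN[2], CHAIN[1]])
```

    On a real file, call check_chain_order(open("server.pem", "rb").read()); the constructed certificates exist only so the check can be exercised offline.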

    If you did not append the signing chain inside the server certificate itself, you must configure the FortiWeb appliance to provide the certificates of intermediate CAs when it presents the server certificate.

    To upload an intermediate CA’s certificate
    The total file size of all certificates, private keys, and any other uploaded files may not exceed 12 MB.
    1. Go to Server Objects > Certificates > Intermediate CA and select the Intermediate CA tab.
    2. You can click View Certificate Detail to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions (purposes).

      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.

    3. To upload a certificate, click Import.
    4. Do one of the following to locate a certificate:
    • Select SCEP and enter the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediate network devices to obtain certificates.)

      To specify a specific certificate authority, enter an identifier in the field below the URL.

    • Select Local PC, then browse to locate a certificate file.
    5. Click OK.
    6. Go to Server Objects > Certificates > Intermediate CA and select the Intermediate CA Group tab.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
    7. Click Create New.
    8. In Name, type a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    9. Click OK.
    10. Click Create New.
    11. In ID, type the index number of the host entry within the group, or keep the field’s default value of auto to let the FortiWeb appliance automatically assign the next available index number.
    12. In CA, select the name of an intermediary CA’s certificate that you previously uploaded and want to add to the group.
    13. Click OK.
    14. Repeat the previous steps for each intermediary CA certificate that you want to add to the group.
    15. To apply an intermediary CA certificate group, select it for Certificate Intermediate Group in a policy that uses HTTPS, with the server certificate that was signed by those CAs. For details, see Configuring a server policy.

    The FortiWeb appliance then presents both the server’s certificate and those of the intermediate CAs when establishing a secure connection with the client.


    Configuring multiple local certificates

    You can combine RSA, DSA, and ECDSA certificates in a Multi-certificate and reference it in a server policy in Reverse Proxy mode or in a pserver (server pool member) in True Transparent Proxy mode. During the SSL handshake, FortiWeb automatically selects the certificate that matches the negotiated SSL cipher suite and sends it to the SSL client.

    You can configure all three types of certificates to support the widest range of cipher suites, or only one or two of them. If no RSA certificate is configured, FortiWeb uses the default RSA certificate.

    You select one local certificate of each type to create a multi-certificate group. Each certificate type corresponds to a set of SSL cipher suites.

    To configure a multi-certificate rule
    1. Go to Server Objects > Certificates > Multi-certificate.
    2. Click Create New.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
    3. Configure these settings:
    4. Name

      Type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 63 characters.

      RSA Certificate

      Select the RSA certificate created in Local Certificate.

      DSA Certificate Select the DSA certificate created in Local Certificate.
      ECDSA Certificate Select the ECDSA certificate created in Local Certificate.
      Comments Optional. You can add comments accordingly.
    5. Click OK.
    6. Repeat the steps to add multiple certificate rules.
    7. To use the multi-certificate rule, you select it in a server policy. For details, see Configuring a server policy.

    Allowing FortiWeb to support multiple server certificates

    In some cases, servers host multiple secure websites that use a different certificate for each host. To allow FortiWeb to present the appropriate certificate for SSL offloading, you create an inline or offline Server Name Indication (SNI) configuration that identifies the certificate to use by domain. The SNI configuration can also specify the client certificate verification to use for the specified domain, if the host requires it.

    You can select an inline SNI configuration in a server policy only when FortiWeb is operating in Reverse Proxy mode or True Transparent Proxy mode, and an HTTPS configuration is applied to the policy.

    An offline SNI configuration is used in the pserver (server pool member) of a server pool in Offline Inspection mode or Transparent Inspection mode. FortiWeb uses the server certificate to decrypt SSL-secured connections for the website specified by Domain.

    If the server pool is used in the server policy, SSL traffic can be decrypted not only with the certificate configured in the server pool, but also with the certificate configured in the SNI policy, if the server name in the SSL traffic matches the domain of an SNI policy rule.

    Not all web browsers support SNI. Go to the following location for a list of web browsers that support SNI:

    http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B10.5D

    To create an inline Server Name Indication (SNI) configuration
    1. Go to Server Objects > Certificates > SNI.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
    2. Select Inline SNI.
    3. Click Create New.
    4. For Name, type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 63 characters.
    5. Click OK.
    6. Click Create New and configure these settings:
    7. Domain Type

      Select Simple String to match a domain to certificates using a literal domain specified in Domain.

      Otherwise, select Regular Expression to match multiple domains to certificates using a regular expression specified in Domain.

      Domain

      Specify the domain of the secure website (HTTPS) that uses the certificate specified by Certificate Type. Enter a literal domain if Simple String is selected in Domain Type, or enter a regular expression if Regular Expression is selected.

      After you fill in the field with a regular expression, you can fine-tune the expression in a Regular Expression Validator by clicking the >> button on the side. For details, see Regular expression syntax.

      Certificate Type

      Local: Select the server certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by Domain. For details, see Uploading a server certificate.

      Multi-certificate: Select the local server certificate created in Server Objects > Certificates > Local > Multi-certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by Domain. For details, see Uploading a server certificate.

      Letsencrypt: Select the Let's Encrypt certificate you have created. For details, see Let's Encrypt certificates.

      Intermediate CA Group

      Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to validate the CA signature of the certificate specified by Certificate Type.

      If clients receive certificate warnings that an intermediary CA has signed the server certificate configured in Certificate Type, rather than by a root CA or other CA currently trusted by the client directly, configure this option.


      Alternatively, include the entire signing chain in the server certificate itself before you upload it to FortiWeb, which completes the chain of trust with a CA already known to the client. For details, see Uploading a server certificate and Supplementing a server certificate with its signing chain.

      Certificate Verify

      Select the name of a certificate verifier, if any, that FortiWeb uses when an HTTP client presents its personal certificate to the website specified by Domain. If you do not select one, the client is not required to present a personal certificate. For details, see How to apply PKI client authentication (personal certificates).

      Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website (PKI authentication).

      You can require that clients present a certificate instead of, or in addition to, HTTP authentication. For details, see Offloaded authentication and optional SSO configuration.

      Note: The client must support TLS 1.0.

    8. Click OK.
    9. Repeat the member creation steps to add additional domains and the certificate and verifier associated with them to the inline SNI configuration. An SNI configuration can have up to 256 entries.
    10. To use an inline SNI configuration, you select it in a server policy. For details, see Configuring a server policy.
    To create an offline Server Name Indication (SNI) configuration
    1. Go to Server Objects > Certificates > SNI.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
    2. Select System > Offline SNI.
    3. Click Create New.
    4. For Name, type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 63 characters.
    5. Click OK.
    6. Click Create New and configure these settings:
    7. Domain Type

      Select Simple String to match a domain to certificates using a literal domain specified in Domain.

      Otherwise, select Regular Expression to match multiple domains to certificates using a regular expression specified in Domain.

      Domain

      Specify the domain of the secure website (HTTPS) that uses the certificate specified by Certificate Type. Enter a literal domain if Simple String is selected in Domain Type, or enter a regular expression if Regular Expression is selected.

      After you fill in the field with a regular expression, you can fine-tune the expression in a Regular Expression Validator by clicking the >> button on the side. For details, see Regular expression syntax.

      Local Certificate Select the server certificate that FortiWeb uses to decrypt SSL-secured connections for the website specified by Domain. For details, see Uploading a server certificate.
    8. Click OK.
    9. Repeat the member creation steps to add additional domains and the certificate to the SNI configuration. An offline SNI configuration can have up to 256 entries.
    10. To use an offline SNI configuration, you select it in a server policy. For details, see Configuring a server policy.
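    How the inline and offline SNI rules above and a multi-certificate group combine to pick the certificate for one handshake, as an added example that is not Fortinet's code: the rule list, certificate names, pool certificate, first-match evaluation order and the cipher-suite-to-key-type mapping are assumptions of this example, and the server name is assumed to be compared case-insensitively.

```python
import re

# Constructed sample configuration (not a FortiWeb export): SNI rules that reference
# either a single local certificate or a multi-certificate group (dict keyed by key type).
SNI_RULES = [
    {"domain_type": "Simple String", "domain": "shop.example.com", "certificate": "shop-rsa"},
    {"domain_type": "Regular Expression", "domain": r"^(www\.)?example\.com$",
     "certificate": {"RSA": "www-rsa", "ECDSA": "www-ecdsa"}},       # multi-certificate group
    {"domain_type": "Regular Expression", "domain": r"^api\.example\.com$",
     "certificate": {"ECDSA": "api-ecdsa"}},                           # group without an RSA certificate
]
POOL_CERTIFICATE = "pool-rsa"        # Certificate File configured on the server pool (assumed RSA)
DEFAULT_RSA = "factory-default-rsa"  # stand-in name for FortiWeb's default RSA certificate

def cipher_auth(cipher):
    # Authentication key type implied by an IANA cipher suite name. TLS 1.3 suite names carry
    # no key type; this sample treats them as RSA for simplicity.
    if "_ECDSA_" in cipher:
        return "ECDSA"
    if "_DSS_" in cipher:
        return "DSA"
    return "RSA"                      # TLS_RSA_*, TLS_ECDHE_RSA_*, TLS_DHE_RSA_*

def match_rule(server_name):
    # First matching rule wins (assumed order). A Regular Expression rule should be anchored
    # with ^ and $, otherwise it also matches longer host names that merely contain the domain.
    host = server_name.lower()
    for rule in SNI_RULES:
        if rule["domain_type"] == "Simple String" and rule["domain"].lower() == host:
            return rule
        if rule["domain_type"] == "Regular Expression" and re.search(rule["domain"], host, re.I):
            return rule
    return None

def select_certificate(server_name, offered_ciphers):
    # Return (certificate, cipher): the SNI rule's certificate when the server name matches a
    # rule, otherwise the server pool's certificate. Within a multi-certificate group the key
    # type follows the cipher suite, and a group without an RSA certificate uses the default one.
    rule = match_rule(server_name) if server_name else None
    group = rule["certificate"] if rule else POOL_CERTIFICATE
    if not isinstance(group, dict):   # single local certificate; assumed to be RSA in this sample
        group = {"RSA": group}
    group = {"RSA": DEFAULT_RSA, **group}
    for cipher in offered_ciphers:    # take the first offered cipher a certificate exists for
        cert = group.get(cipher_auth(cipher))
        if cert:
            return cert, cipher
    return None, None                 # no usable certificate: the handshake cannot complete
```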