CLI Reference

system certificate verify

Use this command to configure how the FortiWeb appliance verifies certificates presented by HTTP clients.

To apply a certificate verification rule, select it in a policy. For details, see server-policy policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config system certificate verify
    edit "<certificate_verificator_name>"
        set ca "<ca-group_name>"
        set crl "<crl-group_name>"
        set publish-dn {enable | disable}
        set strictly-need-cert {enable | disable}
        set partial-chain {enable | disable}
    next
end

Variable / Description / Default

"<certificate_verificator_name>"
    Enter the name of a certificate verifier. The maximum length is 63 characters.
    Default: No default.

ca "<ca-group_name>"
    Enter the name of an existing CA Group that you want to use to authenticate client certificates.
    Default: No default.

crl "<crl-group_name>"
    Enter the name of an existing CRL Group, if any, to use to verify the revocation status of client certificates.
    Default: No default.

publish-dn {enable | disable}
    Enable so that the client is prompted only for certificates related to the specified CA Group. This helps when a client has many certificates installed in its browser, or when an application does not otherwise list client certificates. If you enable this option, you must also enable the corresponding option in the CA Group. For details, see system certificate ca-group.
    Default: disable

strictly-need-cert {enable | disable}
    Enable to strictly require that the client certificate be presented and verified.
    Default: enable

partial-chain {enable | disable}
    Enable to perform partial certificate chain validation: external clients are validated against the Intermediate CA only.
    When this option is enabled, you must also enable partial-chain in config system certificate ca-group.
    Default: disable
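The following is an added configuration example, not taken from the Fortinet documentation. It contrasts a verifier that never checks revocation with one that does; the CA Group and CRL Group names are constructed and assumed to exist already, and lines beginning with "#" are commentary rather than CLI input.

```text
# Weak: no CRL Group, so a client certificate that the CA has revoked
# is still accepted as long as it chains to the CA Group.
config system certificate verify
    edit "client-verify-no-revocation"
        set ca "corp-client-cas"
        set strictly-need-cert enable
    next
end

# Stronger: revocation status is checked against the CRL Group, and
# partial-chain stays disabled so the full chain to a CA in the group
# must validate (enabling it would also require partial-chain in the
# CA Group, see system certificate ca-group).
config system certificate verify
    edit "client-verify-strict"
        set ca "corp-client-cas"
        set crl "corp-client-crls"
        set strictly-need-cert enable
        set partial-chain disable
    next
end
```

Only the verifier selected in the server policy takes effect, so after choosing the stricter one, confirm the policy references it (see server-policy policy).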

Related topics
