Uploading a server certificate
You also use this process to upload a client certificate for FortiWeb. You add this certificate to a server pool configuration if connections to a pool member require a valid client certificate. For details, see Creating an HTTP server pool.
You can import (upload) X.509 server certificates and their private keys to the FortiWeb appliance in either of these formats:
- PEM (Base64-encoded) or DER
- PKCS #12 (certificate and RSA private key in one password-protected file)
Note: Certificates with DSA keys are not supported when the FortiWeb appliance is operating in a mode other than Reverse Proxy. For details, see Supported features in each operation mode.
To upload a certificate
Note: The total file size of all certificates, private keys, and any other uploaded files may not exceed 12 MB.
- Go to Server Objects > Certificates > Local.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
- Click Import.
- Configure these settings:
Type | Select the type of certificate file to upload. Other fields appear depending on your selection.
Local Certificate: Select this option if the certificate is in PEM or DER format (with an extension such as .pem, .cer or .crt) and the Certificate Signing Request (CSR) for this certificate was generated on FortiWeb. You do not need to import the private key paired with this certificate, because FortiWeb stored it when you generated the CSR.
Certificate: Select this option if the certificate is in PEM or DER format (with an extension such as .pem, .cer or .crt) and the CSR for this certificate was not generated on FortiWeb. You must also import the private key file paired with the certificate.
PKCS12 Certificate: Select this option if the certificate and its private key are in a PKCS #12 file.
HSM | Select if you configured the CSR for this certificate to work with an integrated HSM; the private key paired with the certificate is then held by the HSM and is not stored on FortiWeb.
Partition Name | Enter the name of the HSM partition you selected when you created the CSR for this certificate. Available only if HSM is selected.
Certificate file | Click Browse to locate the certificate file that you want to upload. Available only if Type is Certificate or Local Certificate.
Key file | Click Browse to locate the private key file that you want to upload with the certificate. Available only if Type is Certificate.
Certificate with key file | Click Browse to locate the PKCS #12 certificate-with-key file that you want to upload. Available only if Type is PKCS12 Certificate.
Password | Type the password that was used to encrypt the key file or PKCS #12 file, so that the FortiWeb appliance can decrypt and install the certificate. Available only if Type is Certificate or PKCS12 Certificate.
- Click OK.
- To use the certificate, select it in a server policy or server pool configuration (see Configuring a server policy or Creating an HTTP server pool).
See also
- Supplementing a server certificate with its signing chain
- Configuring a server policy
- Creating an HTTP server pool
- Uploading a server certificate
Supplementing a server certificate with its signing chain
If a server certificate is signed by an intermediate certificate authority (CA) rather than directly by a root CA, clients will not trust it until they can follow a chain of signatures from it to a root CA they already trust. You can establish that chain of trust in any of these ways:
- Upload and configure the signing chain separately. See To upload an intermediate CA's certificate.
- Append the signing chain to the server certificate itself. See To append a signing chain in the certificate itself, before uploading the server certificate to the FortiWeb appliance.
- Install each intermediate CA's certificate in the clients' trust stores (their lists of trusted CAs).
Which method is best for you often depends on whether you have a convenient method for deploying CA certificates to clients (as you can, for example, in an internal Microsoft Active Directory domain) and whether you often refresh the server certificate.
To append a signing chain in the certificate itself, before uploading the server certificate to the FortiWeb appliance
- Open the certificate file in a plain text editor.
- Append the certificate of each intermediate CA, in order from the intermediate CA that signed the server certificate to the intermediate CA whose certificate was signed directly by a trusted root CA. The root CA's own certificate is not needed: clients must already trust it.
- Save the certificate.
- Upload the combined file as the server certificate to Server Objects > Certificates > Local. For details, see Uploading a server certificate.
For example, a server’s certificate that includes a signing chain might use the following structure:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
-----END CERTIFICATE-----
If you did not append the signing chain inside the server certificate itself, you must configure the FortiWeb appliance to provide the certificates of intermediate CAs when it presents the server certificate.
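The ordering rule above (server certificate first, then each intermediate CA in signing order, root omitted) is easy to get wrong when editing the file by hand, and a misordered bundle usually surfaces only as a certificate warning in some clients. The following Python script is an added example, not FortiWeb code or anything from the Fortinet guide: it splits a PEM bundle, pulls the issuer and subject out of each certificate with a minimal DER walker (standard library only), and reports any break in the chain. The sample certificates it builds are constructed, unsigned placeholders with hypothetical names so that the script runs offline; it does not verify signatures or validity dates, so still run `openssl verify` against the real files before uploading.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem(bundle: str) -> list:
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(bundle)]


def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> list:
    """Decode the TLVs contained in a constructed (SEQUENCE/SET) value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def cert_names(der: bytes):
    """Return (subject, issuer) of an X.509 certificate as raw DER Name bytes.
    DER is canonical, so byte-equality links an issuer to its signer's subject."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    tbs = _children(_children(cert)[0][1])   # fields of tbsCertificate
    if tbs[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        tbs = tbs[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return tbs[4][1], tbs[2][1]


def check_chain(bundle: str) -> list:
    """Report ordering problems in a server-certificate-plus-chain PEM bundle.
    Expected order: server certificate, then each intermediate CA in signing order.
    Returns a list of findings (empty = OK). Signatures are NOT verified here."""
    names = [cert_names(d) for d in split_pem(bundle)]
    if not names:
        return ["no certificates found"]
    findings = []
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:   # issuer of i must be subject of i+1
            findings.append(f"certificate {i + 1} is not signed by certificate {i + 2}")
    if len(names) > 1 and names[-1][0] == names[-1][1]:
        findings.append("last certificate is self-signed (root CA) and need not be sent")
    return findings


# --- Constructed sample input: certificate-shaped DER with a placeholder
# signature and an empty key, so no TLS stack would ever accept it. ---

def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (lengths up to 65535)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + content


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN."""
    atv = _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_test_cert(subject: str, issuer: str) -> str:
    """Return a PEM-encoded, UNSIGNED test certificate (sample input only)."""
    sha256_rsa = _der(0x30, b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00")
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    spki = _der(0x30, _der(0x30, b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00")
                + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(issuer) + validity + _name(subject) + spki)
    b64 = base64.b64encode(_der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Correct order, as on the page: server, intermediate CA 1 (its signer),
# intermediate CA 2 (signed by a trusted root that is deliberately not included).
GOOD_BUNDLE = (make_test_cert("www.example.com", "Example Intermediate CA 1")
               + make_test_cert("Example Intermediate CA 1", "Example Intermediate CA 2")
               + make_test_cert("Example Intermediate CA 2", "Example Root CA"))

# The two intermediates swapped: a common mistake when hand-editing the file.
BAD_BUNDLE = (make_test_cert("www.example.com", "Example Intermediate CA 1")
              + make_test_cert("Example Intermediate CA 2", "Example Root CA")
              + make_test_cert("Example Intermediate CA 1", "Example Intermediate CA 2"))

if __name__ == "__main__":
    print("good:", check_chain(GOOD_BUNDLE), "bad:", check_chain(BAD_BUNDLE))
```

Run `check_chain(open("bundle.pem").read())` on the file you are about to upload; anything other than an empty list means the chain will not validate as-is. The self-signed check is a caveat rather than an error: appending the root CA is harmless but wastes handshake bytes, since a client that does not already trust that root will not trust it because the server sent it.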
To upload an intermediate CA's certificate
Note: The total file size of all certificates, private keys, and any other uploaded files may not exceed 12 MB.
- Go to Server Objects > Certificates > Intermediate CA and select the Intermediate CA tab.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
- Click Import.
- Do one of the following to locate the certificate:
- Select SCEP and enter the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediate network devices to obtain certificates.) To specify a particular certificate authority, enter its identifier in the field below the URL.
- Select Local PC, then browse to locate the certificate file.
- Click OK.
You can click View Certificate Detail to view the selected certificate's subject, the range of dates within which it is valid, its version number, serial number, and extensions (purposes).
- Add the uploaded certificate to an intermediate CA group. When you add a group member, you can type auto for its index number to let the FortiWeb appliance automatically assign the next available index number.
- Select the intermediate CA group in the server policy or SNI entry that uses the server certificate (see Intermediate CA Group). The FortiWeb appliance then presents both the server's certificate and those of the intermediate CAs when establishing a secure connection with the client.
See also
- Supplementing a server certificate with its signing chain
- How operation mode affects server policy behavior
Configuring multiple local certificates
You can configure RSA, DSA, and ECDSA certificates into a multi-certificate group and reference it in a server policy in Reverse Proxy mode, or in a server pool member (pserver) in True Transparent Proxy mode. During the SSL/TLS handshake, FortiWeb automatically selects and sends the certificate whose key type matches the cipher suite negotiated with the client.
You can configure all three certificate types to support the widest range of cipher suites, or only one or two of them. If no RSA certificate is configured, FortiWeb uses its default RSA certificate.
You select each certificate type from the local certificates to create a multi-certificate group. Each certificate type corresponds to a set of SSL cipher suites.
To configure a multi-certificate rule
- Go to Server Objects > Certificates > Multi-certificate.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
- Click Create New.
- Configure these settings:
Name | Type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 63 characters.
RSA Certificate | Select the RSA certificate created in Local Certificate.
DSA Certificate | Select the DSA certificate created in Local Certificate.
ECDSA Certificate | Select the ECDSA certificate created in Local Certificate.
Comments | Optional. A description of the rule.
- Click OK.
- Repeat these steps to add more multi-certificate rules.
- To use a multi-certificate rule, select it in a server policy. For details, see Configuring a server policy.
Allowing FortiWeb to support multiple server certificates
In some cases, servers host multiple secure websites that use a different certificate for each host. To allow FortiWeb to present the appropriate certificate for SSL offloading, you create an inline or offline Server Name Indication (SNI) configuration that identifies the certificate to use by domain. The SNI configuration can also specify the client certificate verification to use for the specified domain, if the host requires it.
You can select an inline SNI configuration in a server policy only when FortiWeb is operating in Reverse Proxy mode or True Transparent Proxy mode, and an HTTPS configuration is applied to the policy.
You use an offline SNI configuration in a server pool member (pserver) in Offline Inspection mode or Transparent Inspection mode. FortiWeb uses the matched server certificate and its private key to decrypt SSL-secured connections for the website specified by Domain. Because this decryption is passive, it only works for cipher suites without forward secrecy (RSA key exchange); connections negotiated with ephemeral Diffie-Hellman key exchange cannot be decrypted from the server's key alone.
When the server pool is used in a server policy, FortiWeb can decrypt SSL traffic not only with the certificate configured in the server pool, but also with the certificate configured in the SNI policy if the server name in the client's SSL hello matches the domain of an SNI rule.
Not all web browsers support SNI. For a list of web browsers that support SNI, see:
HTTP://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B10.5D
To create an inline Server Name Indication (SNI) configuration
- Go to Server Objects > Certificates > SNI.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
- Select Inline SNI.
- Click Create New.
- For Name, type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 63 characters.
- Click OK.
- Click Create New and configure these settings:
Domain Type | Select Simple String to match a single domain to a certificate using the literal domain specified in Domain. Select Regular Expression to match multiple domains to a certificate using the regular expression specified in Domain.
Domain | Specify the domain of the secure website (HTTPS) that uses the certificate specified by Certificate Type: a literal domain if Domain Type is Simple String, or a regular expression if it is Regular Expression. After you fill in a regular expression, you can fine-tune it in the Regular Expression Validator by clicking the >> button beside the field. For details, see Regular expression syntax.
Certificate Type | Local: select the server certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by Domain. For details, see Uploading a server certificate. Multi-certificate: select the multi-certificate rule created in Server Objects > Certificates > Multi-certificate. For details, see Configuring multiple local certificates. Letsencrypt: select the Let's Encrypt certificate you have created. For details, see Let's Encrypt certificates.
Intermediate CA Group | Select the group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents so that clients can validate the CA signature on the certificate selected in Certificate Type. Configure this option if clients receive certificate warnings because the server certificate was signed by an intermediate CA rather than by a root CA or another CA that the client trusts directly. Alternatively, include the entire signing chain in the server certificate itself before you upload it to FortiWeb, which completes the chain of trust with a CA already known to the client. For details, see Uploading a server certificate and Supplementing a server certificate with its signing chain.
Certificate Verify | Select the certificate verifier, if any, that FortiWeb uses when an HTTP client presents its personal certificate to the website specified by Domain. If you do not select one, the client is not required to present a personal certificate. For details, see How to apply PKI client authentication (personal certificates). Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website (PKI authentication). You can require that clients present a certificate instead of, or in addition to, HTTP authentication. For details, see Offloaded authentication and optional SSO configuration. Note: The client must support TLS 1.0.
- Click OK.
- Repeat the member creation steps to add more domains, each with its certificate and verifier, to the inline SNI configuration. An inline SNI configuration can have up to 256 entries.
- To use an inline SNI configuration, select it in a server policy. For details, see Configuring a server policy.
To create an offline Server Name Indication (SNI) configuration
- Go to Server Objects > Certificates > SNI.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
- Select Offline SNI.
- Click Create New.
- For Name, type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 63 characters.
- Click OK.
- Click Create New and configure these settings:
Domain Type | Select Simple String to match a single domain to a certificate using the literal domain specified in Domain. Select Regular Expression to match multiple domains to a certificate using the regular expression specified in Domain.
Domain | Specify the domain of the secure website (HTTPS) that uses the certificate specified by Local Certificate: a literal domain if Domain Type is Simple String, or a regular expression if it is Regular Expression. After you fill in a regular expression, you can fine-tune it in the Regular Expression Validator by clicking the >> button beside the field. For details, see Regular expression syntax.
Local Certificate | Select the server certificate, with its private key, that FortiWeb uses to decrypt SSL-secured connections for the website specified by Domain. For details, see Uploading a server certificate.
- Click OK.
- Repeat the member creation steps to add more domains and their certificates to the offline SNI configuration. An offline SNI configuration can have up to 256 entries.
- To use an offline SNI configuration, select it in the server pool member (pserver) configuration. For details, see Creating an HTTP server pool.