OCSP-Based certificate revocation check
In an SSL connection with mutual authentication, both the server and client present certificates to each other for identity verification. These certificates must be issued by a legitimate, trusted Certificate Authority (CA) and should neither be revoked nor expired.
To ensure certificates are valid, FortiWeb supports OCSP-based certificate verification to check whether a certificate has been revoked, in addition to checking that it has not expired.
- OCSP-Based certificate verification for server certificate: You can configure FortiWeb to periodically query the OCSP server and cache a time-stamped OCSP response for a set period. This allows the client to receive a fresh OCSP response from FortiWeb without contacting the OCSP responder directly. This is configured through the OCSP Stapling tab in Server Objects > Certificates > OCSP. See Configuring OCSP stapling (for server certificate).
- OCSP-Based certificate verification for client certificate: You can configure FortiWeb to perform real-time OCSP checks on client certificates, verifying that the certificate has been neither revoked nor expired. This is configured through the OCSP Signing Certificate tab and the OCSP Responder tab in Server Objects > Certificates > OCSP. See Configuring OCSP Responder (for client certificate).
Access attempts with an invalid certificate will be blocked.
Additionally, FortiWeb supports Certificate Revocation List (CRL) uploads, allowing it to reference a CRL file to verify certificate status. See Revoking certificates.
Configuring OCSP stapling (for server certificate)
In SSL/TLS connections between clients (like browsers or apps) and FortiWeb, clients check the server certificate presented by FortiWeb, verifying it against a trusted CA store and, depending on the client, contacting the OCSP responder named in the certificate to check whether it has been revoked.
While verifying the server certificate’s status through the OCSP responder provides clients with the most up-to-date information, it also introduces an extra network request on the client side. This additional request can increase connection times and lead to noticeable delays in establishing SSL/TLS connections. The diagram below illustrates the SSL connection process between the client and FortiWeb, where the client reaches out to the OCSP responder for the server certificate status.
To improve the efficiency of SSL connections, FortiWeb supports OCSP stapling. In the OCSP stapling process, FortiWeb can be configured to periodically query the OCSP server and cache a time-stamped OCSP response for a specified period. This cached response is then "stapled" to the SSL/TLS handshake, allowing the client to validate the certificate's status directly from the "stamp" without contacting the OCSP responder. The stapled response is still signed by the CA (or its delegated OCSP signer) and carries its own validity window, so the client verifies that signature and freshness itself; the presenter of the certificate cannot forge a "good" status. The following diagram illustrates the process of OCSP stapling in the SSL connection flow.
This method of verifying the revocation status of certificates shifts the resource cost in providing OCSP responses from the client to the presenter of a certificate. In addition, because fewer overall queries to the OCSP responder will be made when OCSP stapling is configured, the total resource cost in verifying the revocation status of certificates is also reduced.
OCSP stapling is available in Reverse Proxy, True Transparent Proxy, and WCCP mode.
To configure OCSP stapling:
- Go to Server Objects > Certificates > OCSP, select the OCSP Stapling tab.
- Click Create New.
- Configure these settings:
Name
Enter a name for the OCSP Stapling. The maximum length is 63 characters.
CA Certificate
Select the CA certificate of the server certificate to be queried.
For the server to staple a valid OCSP response to its SSL/TLS handshake, it must obtain an OCSP response that the client will recognize and trust. This trust typically relies on the CA that issued both the server certificate and the OCSP signing certificate. The CA you upload here should be the one that issued the server certificate and is responsible for the OCSP response. By ensuring the client can validate the CA’s signature on the OCSP response, the client is able to trust the stapled OCSP response provided by the server.
Local Certificate
Select the server certificate that FortiWeb presents to clients for SSL connection. For details, see local certificate related information on How to offload or inspect HTTPS.
OCSP URL
Specify the URL of the OCSP responder server. This is normally the OCSP URL found in the server certificate's Authority Information Access (AIA) extension.
Comments
Optionally, enter a description of the server OCSP stapling. The maximum length is 199 characters.
- Click OK.
Once this Local Certificate is selected as the "Certificate Type / Certificate" for the HTTPS service in a server policy, FortiWeb staples the cached OCSP response to the handshake whenever clients validate that server certificate (the Local Certificate).
Configuring OCSP Responder (for client certificate)
In SSL/TLS connections between the clients (like browsers or apps) and FortiWeb, clients by default check the server certificate presented by FortiWeb, verifying it against a trusted CA store, and ensure it is not revoked or expired.
For high-security scenarios it's essential to validate identity of the clients as well. A common use case for client certificates is in online banking systems, where a bank may issue customers a hardware device, like a smart card or USB token, storing a digital certificate. To access the banking system, the customer connects the device to their computer and configures their browser to use the stored certificate for identity verification.
To maintain security, FortiWeb must verify the client certificate's status (whether it is valid, revoked, or expired) and block access attempts that present an invalid client certificate. FortiWeb supports the following two methods of client certificate revocation check:
- CRL file-based verification: A Certificate Revocation List (CRL) stored locally on FortiWeb. It is a file containing a list of revoked certificates. The configuration of this method is introduced in another topic: Revoking certificates.
- OCSP checks: Real-time checks with the OCSP (Online Certificate Status Protocol) responder, which provides the current revocation status of client certificates. Configuration details for this method are introduced in the following section.
The OCSP Responder configuration in FortiWeb involves two steps:
- Import an OCSP signing certificate.
- Configure OCSP Responder information for FortiWeb to request client certificate status from the specified OCSP URL.
Perform the following steps to configure OCSP Responder:
- Go to Server Objects > Certificates > OCSP, select the OCSP Signing Certificate tab.
- Click Import.
- Upload the OCSP signing certificate from a local directory.
What's an OCSP signing certificate?
To ensure that an OCSP response comes from a legitimate OCSP responder and not from an attacker, the response must be signed by either:
- the private key of the Certificate Authority (CA) that issued the certificate being checked, or
- a dedicated OCSP signing certificate (a delegated responder certificate) that is trusted for this purpose.
Verifying the OCSP response against the OCSP signing certificate ensures that the responder is authorized to provide status information and that the response has not been tampered with in transit.
In many cases, the CA that issued the client certificate does not answer OCSP queries itself. Instead, it delegates this responsibility to a separate OCSP responder that uses a distinct OCSP signing certificate. This signing certificate is typically issued by the same CA that issued the client certificate, or by another CA you trust. When the responder is delegated, RFC 6960 expects its certificate to carry the OCSP Signing extended key usage (id-kp-OCSPSigning) and to be issued by the CA whose certificates it answers for; a signer from any other CA is trusted only because you configure it explicitly, which is what uploading it here does.
- Click OK.
- Go to Server Objects > Certificates > OCSP, select the OCSP Responder tab.
- Click Create New.
- Configure these settings:
Name
Enter a name for the OCSP Responder. The maximum length is 63 characters.
OCSP URL
Enter the URL of the OCSP Responder.
OCSP Signing Certificates
Select the OCSP signing certificate you have uploaded.
Timeout
Specify the timeout of the OCSP query.
Caching
Enable to cache OCSP responses for a defined period (set by the Caching TTL). FortiWeb then retrieves the validation status from the cache rather than querying the OCSP responder for every connection.
Caching TTL
Caching TTL (Time to Live) is how long a cached OCSP response remains usable, measured from the "This Update" timestamp in that response.
Note that the "This Update" timestamp is not the time at which FortiWeb first asked the OCSP responder about a specific client certificate. It is the time of the responder's last periodic check of that certificate's status. For example, if the responder last checked the client certificate at 13:30, the "This Update" timestamp reads 13:30 even if FortiWeb first requests validation of that certificate at 14:00, and the TTL counts from 13:30.
This lets FortiWeb reuse the responder's most recent result instead of revalidating on every connection. The trade-off is that a certificate revoked after the cached response was produced may continue to be accepted until the TTL expires, so set the TTL no longer than the delay you can tolerate between a revocation and FortiWeb enforcing it.
This option is available only when Caching is enabled.
Comments
Optionally, enter a description of the OCSP Responder. The maximum length is 199 characters.
- Click OK.
You can later reference the OCSP Responder in the Certificate Verify tab in Server Objects > Certificates > Certificate Verify.