Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 7.6.7 Administration Guide
    7.6.7
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    OCSP-Based client certificate verification (7.6.1)

    OCSP-Based client certificate verification (7.6.1)

    Prior to version 7.6.1, FortiWeb only supported CRL file-based client certificate verification. With the release of 7.6.1, FortiWeb now supports real-time OCSP checks to verify the status of client certificates, improving security by ensuring the most up-to-date revocation information is used.

    What is a client certificate?

    In SSL/TLS connections between the clients (like browsers or apps) and FortiWeb, clients by default check the server certificate presented by FortiWeb, verifying it against a trusted CA store, and ensure it is not revoked or expired.

    For high-security scenarios such as online banking platforms, it's essential to validate identity of the clients as well. This is achieved through Mutual Authentication, where the clients verify the identify of FortiWeb, and FortiWeb also requires the client to present a certificate to authenticate its identity before sensitive data is exchanged. A common use case for client certificates is in online banking systems, where a bank may issue customers a hardware device, like a smart card or USB token, storing a digital certificate. To access the banking system, the customer connects the device to their computer and configures their browser to use the stored certificate for identity verification.

    The process of mutual authentication is shown as above:

    1. Client connects to the FortiWeb to initiate an SSL connection.
    2. FortiWeb presents its server certificate to the client. The client authenticates the server certificate from its truststore and can verify the hostname (Optional).
    3. Client presents its client certificate to FortiWeb. FortiWeb authenticates the client certificate.
    4. Symmetric session keys are created, and an SSL connection gets established. The client and FortiWeb exchange information in a secure connection.
    Client Certificate Revocation Check

    Client certificates can be revoked before expiration for reasons such as:

    • The certificate’s private key has been compromised.

    • The certificate was issued to a user or entity no longer authorized to use it.

    • The certificate’s details are no longer valid.

    If a client certificate has been revoked (due to compromise, expiration, or policy violation), it should no longer be trusted. To ensure security, FortiWeb must identify and block access attempts from clients presenting revoked certificates. FortiWeb offers two methods for checking client certificate revocation.

    • CRL file-based check: A Certificate Revocation List (CRL) that is stored locally on FortiWeb. It is a file containing a list of revoked certificates. This is a traditional approach that FortiWeb has supported for some time. For details on configuring CRL-based revocation, refer to Revoking certificates.

    • OCSP check: Introduced in version 7.6.1, OCSP (Online Certificate Status Protocol) allows FortiWeb to perform real-time checks with an OCSP responder to obtain the current revocation status of client certificates. For configuration details, see "Configuring OCSP Responder (for client certificate)" in OCSP-Based certificate revocation check.

    Previous
    Next

    Related Videos

    sidebar video

    FortiWeb: OCSP Stapling for Server Certificate Revocation Verification

    • 93 views
    • 1 years ago

    OCSP-Based client certificate verification (7.6.1)

    OCSP-Based client certificate verification (7.6.1)

    Prior to version 7.6.1, FortiWeb only supported CRL file-based client certificate verification. With the release of 7.6.1, FortiWeb now supports real-time OCSP checks to verify the status of client certificates, improving security by ensuring the most up-to-date revocation information is used.

    What is a client certificate?

    In SSL/TLS connections between the clients (like browsers or apps) and FortiWeb, clients by default check the server certificate presented by FortiWeb, verifying it against a trusted CA store, and ensure it is not revoked or expired.

    For high-security scenarios such as online banking platforms, it's essential to validate identity of the clients as well. This is achieved through Mutual Authentication, where the clients verify the identify of FortiWeb, and FortiWeb also requires the client to present a certificate to authenticate its identity before sensitive data is exchanged. A common use case for client certificates is in online banking systems, where a bank may issue customers a hardware device, like a smart card or USB token, storing a digital certificate. To access the banking system, the customer connects the device to their computer and configures their browser to use the stored certificate for identity verification.

    The process of mutual authentication is shown as above:

    1. Client connects to the FortiWeb to initiate an SSL connection.
    2. FortiWeb presents its server certificate to the client. The client authenticates the server certificate from its truststore and can verify the hostname (Optional).
    3. Client presents its client certificate to FortiWeb. FortiWeb authenticates the client certificate.
    4. Symmetric session keys are created, and an SSL connection gets established. The client and FortiWeb exchange information in a secure connection.
    Client Certificate Revocation Check

    Client certificates can be revoked before expiration for reasons such as:

    • The certificate’s private key has been compromised.

    • The certificate was issued to a user or entity no longer authorized to use it.

    • The certificate’s details are no longer valid.

    If a client certificate has been revoked (due to compromise, expiration, or policy violation), it should no longer be trusted. To ensure security, FortiWeb must identify and block access attempts from clients presenting revoked certificates. FortiWeb offers two methods for checking client certificate revocation.

    • CRL file-based check: A Certificate Revocation List (CRL) that is stored locally on FortiWeb. It is a file containing a list of revoked certificates. This is a traditional approach that FortiWeb has supported for some time. For details on configuring CRL-based revocation, refer to Revoking certificates.

    • OCSP check: Introduced in version 7.6.1, OCSP (Online Certificate Status Protocol) allows FortiWeb to perform real-time checks with an OCSP responder to obtain the current revocation status of client certificates. For configuration details, see "Configuring OCSP Responder (for client certificate)" in OCSP-Based certificate revocation check.

    Previous
    Next