CLI Reference

system certificate verify

Use this command to configure how the FortiWeb appliance verifies the X.509 certificates that HTTP clients present during the TLS handshake: which CA Group the certificate chain must end at, which CRL Group (if any) supplies revocation information, whether a chain may stop at an intermediate CA, and whether a client certificate is strictly required.

To apply a certificate verification rule, select it in a policy. For details, see server-policy policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config system certificate verify

edit "<certificate_verificator_name>"

set ca "<ca-group_name>"

set crl "<crl-group_name>"

set publish-dn {enable | disable}

set strictly-need-cert {enable | disable}

set partial-chain {enable | disable}

set crl-allow-expired {enable | disable}

next

end

Variable, description and default:

"<certificate_verificator_name>"
Enter the name of the certificate verifier. The maximum length is 63 characters.
Default: No default.

ca "<ca-group_name>"
Enter the name of an existing CA Group whose certificates act as the trust anchors for authenticating client certificates. A client certificate is accepted only if its chain can be built back to a CA in this group.
Default: No default.

crl "<crl-group_name>"
Enter the name of an existing CRL Group, if any, whose CRLs are used to check the revocation status of client certificates. If no CRL Group is selected, no CRL-based revocation check is performed and a revoked but otherwise valid certificate is still accepted.
Default: No default.

publish-dn {enable | disable}
Enable to list only the certificates related to the specified CA Group when the client is asked for a certificate (the distinguished names of the CAs in the group are sent to the client in the TLS certificate request). This is beneficial when a client has many certificates installed in its browser, or when an application does not list client certificates at all. If you enable this option, also enable the corresponding option in the CA Group. For details, see system certificate ca-group.
Default: disable

strictly-need-cert {enable | disable}
Enable to strictly require verification of the client certificate. Keep this enabled for any application that relies on client certificates for authentication.
Default: enable

partial-chain {enable | disable}
Enable to perform partial certificate chain validation, so that a chain may end at an intermediate CA in the CA Group instead of at a self-signed root CA. External clients can then be validated by the intermediate CA only. When this option is enabled, you also need to enable partial-chain in config system certificate ca-group.
Default: disable

crl-allow-expired {enable | disable}
Enable to keep using a previously retrieved CRL after its next-update time has passed, for example when retrieval from the CRL distribution point fails or is still pending, or when you upload a CRL file manually.
Enable this only as a temporary measure while the CRL has expired: as long as a stale CRL is in use, a certificate revoked after that CRL was issued is still accepted. Return to an up-to-date CRL as soon as possible so that clients with revoked certificates are blocked promptly.
Default: disable
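The following is an added example and not code from the Fortinet page or from the FortiWeb product: a small Python model, built on the `cryptography` library, of the decisions that the ca, crl, partial-chain, crl-allow-expired and strictly-need-cert settings drive. The CA, certificate and function names are assumptions, the PKI (root CA, intermediate CA, one good and one revoked client certificate, a current and an expired CRL) is constructed inline, and the behaviour of strictly-need-cert when a client presents no certificate at all is an assumed reading of the option name (disabled means such clients are let through), since the page does not spell it out.

```python
# Added example, not FortiWeb code: models the ca / crl / partial-chain / crl-allow-expired /
# strictly-need-cert settings. Needs `cryptography`; the whole PKI is constructed inline.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)  # fixed clock so runs are reproducible

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _utc(obj, attr):
    """Aware-UTC timestamp; the *_utc properties only exist from cryptography 42 on."""
    value = getattr(obj, attr + "_utc", None)
    return value if value is not None else getattr(obj, attr).replace(tzinfo=dt.timezone.utc)

def make_cert(cn, key, serial, is_ca, issuer=None, issuer_key=None):
    """ECDSA certificate, self-signed when no issuer is given (assumed demo PKI)."""
    builder = (x509.CertificateBuilder()
               .subject_name(_name(cn))
               .issuer_name(issuer.subject if issuer is not None else _name(cn))
               .public_key(key.public_key())
               .serial_number(serial)
               .not_valid_before(NOW - dt.timedelta(days=1))
               .not_valid_after(NOW + dt.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key if issuer_key is not None else key, hashes.SHA256())

def make_crl(issuer, issuer_key, revoked_serials, next_update):
    """CRL signed by `issuer`; a `next_update` in the past yields an expired CRL."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer.subject)
               .last_update(NOW - dt.timedelta(days=30))
               .next_update(next_update))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder().serial_number(serial)
                 .revocation_date(NOW - dt.timedelta(days=30)).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(issuer_key, hashes.SHA256())

def _signed_by(cert, issuer):
    try:  # True if `cert` carries a valid ECDSA signature made with `issuer`'s key
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def _crl_check(cert, issuer, crl_group, crl_allow_expired):
    """None if `cert` passes the revocation check against `issuer`'s CRL, else a reason."""
    for crl in crl_group:
        if crl.issuer != issuer.subject or not crl.is_signature_valid(issuer.public_key()):
            continue  # CRL of another issuer, or with a bad signature: not usable here
        if not crl_allow_expired and _utc(crl, "next_update") < NOW:
            return "CRL issued by %s has expired" % issuer.subject.rfc4514_string()
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "serial %d is revoked" % cert.serial_number  # caught even on a stale CRL
    return None

def verify_client_cert(leaf, presented, ca_group, crl_group=(), *,
                       partial_chain=False, crl_allow_expired=False, strictly_need_cert=True):
    """Returns (accepted, reason); `presented` = intermediates the client sent in the handshake."""
    if leaf is None:  # assumed semantics of strictly-need-cert (the page does not spell them out)
        return (not strictly_need_cert), "no client certificate presented"
    cert = leaf
    for _ in range(8):  # bound the path length
        if not _utc(cert, "not_valid_before") <= NOW <= _utc(cert, "not_valid_after"):
            return False, "%s is outside its validity period" % cert.subject.rfc4514_string()
        if cert.subject == cert.issuer and _signed_by(cert, cert):
            return (cert in ca_group), "reached a self-signed certificate"
        issuers = [c for c in list(ca_group) + list(presented) if c.subject == cert.issuer
                   and c.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
                   and _signed_by(cert, c)]
        if not issuers:
            return False, "no issuer found for %s" % cert.subject.rfc4514_string()
        issuer = issuers[0]
        reason = _crl_check(cert, issuer, crl_group, crl_allow_expired)
        if reason is not None:
            return False, reason
        # Without partial-chain, a CA Group member anchors the chain only if it is a self-signed root.
        if issuer in ca_group and (partial_chain or issuer.subject == issuer.issuer):
            return True, "chain anchored at %s" % issuer.subject.rfc4514_string()
        cert = issuer
    return False, "chain too long"

def build_demo_pki():
    """Constructed sample PKI: root -> intermediate -> one good and one revoked client cert."""
    keys = [ec.generate_private_key(ec.SECP256R1()) for _ in range(4)]
    root = make_cert("Demo Root CA", keys[0], 1, True)
    inter = make_cert("Demo Intermediate CA", keys[1], 2, True, root, keys[0])
    return {"root": root, "inter": inter,
            "good": make_cert("alice", keys[2], 1001, False, inter, keys[1]),
            "revoked": make_cert("mallory", keys[3], 1002, False, inter, keys[1]),
            "fresh_crl": make_crl(inter, keys[1], [1002], NOW + dt.timedelta(days=7)),
            "stale_crl": make_crl(inter, keys[1], [1002], NOW - dt.timedelta(days=7))}
```

With `p = build_demo_pki()`, `verify_client_cert(p["good"], [], [p["inter"]])` is rejected because the chain stops at an intermediate while partial-chain is off, and the same call with `partial_chain=True` is accepted; `p["good"]` checked against `p["stale_crl"]` is rejected until `crl_allow_expired=True`, while `p["revoked"]` stays rejected even on the stale CRL, which is exactly the gap the crl-allow-expired caveat above describes: only certificates revoked after the stale CRL was issued slip through.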