system certificate verify
Use this command to configure how the FortiWeb appliance will verify certificates presented by HTTP clients.
To apply a certificate verification rule, select it in a policy. For details, see server-policy policy.
To use this command, your administrator account's access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.
Syntax
config system certificate verify
edit "<certificate_verificator_name>"
set publish-dn {enable | disable}
set strictly-need-cert {enable | disable}
set partial-chain {enable | disable}
set crl-allow-expired {enable | disable}
next
end
Variable | Description | Default |
"<certificate_verificator_name>" | Enter the name of a certificate verifier. The maximum length is 63 characters. | No default. |
 | Enter the name of an existing CA Group that you want to use to authenticate client certificates. | No default. |
 | Enter the name of an existing CRL Group, if any, to use to verify the revocation status of client certificates. | No default. |
publish-dn {enable | disable} | Enable to list only certificates related to the specified CA Group. This is useful when a client has many certificates installed in its browser, or when an application does not list client certificates. If you enable this option, also enable the corresponding option in the CA Group. For details, see system certificate ca-group. | disable |
strictly-need-cert {enable | disable} | Enable to strictly require verification of the client certificate. | enable |
partial-chain {enable | disable} | Enable partial certificate chain validation, so that external clients can be validated by the intermediate CA alone, without the chain reaching a root CA. When this option is enabled, you also need to enable | disable |
crl-allow-expired {enable | disable} | Enable to allow the use of previously retrieved CRLs when the current CRL distribution point retrievals fail or are pending, or when you want to manually upload a CRL file. Enable it only as a temporary measure while the CRL has expired. Always use the most up-to-date CRL file so that clients with revoked certificates are blocked promptly. | disable |
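The following POSIX shell script is an added illustration of what the partial-chain setting changes; it is not FortiWeb code and does not come from this page. It uses OpenSSL to build a constructed three-level PKI (root CA, intermediate CA, client certificate), then verifies the client certificate against a trust store that contains either the root or only the intermediate. The anchor file plays the role of the CA Group, and openssl's -partial_chain flag plays the role of `set partial-chain enable`. The CA names, file names and the verify_client helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example: OpenSSL demonstration of partial-chain client certificate
# validation. Not FortiWeb code; CA names and file names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed root CA (req -x509 marks it CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# 2. Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/int.ext"
openssl x509 -req -days 365 -in "$WORK/int.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

# 3. Client (end-entity) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=client1" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
openssl x509 -req -days 365 -in "$WORK/client.csr" \
  -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
  -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null

# verify_client <anchor: root|int> <mode: strict|partial>
# The anchor file stands in for the CA Group. The intermediate is always
# offered as an untrusted chain certificate, as a client would send it in the
# TLS handshake. "strict" requires the chain to end at a self-signed root in
# the trust store; "partial" adds -partial_chain, which lets the chain stop at
# a trusted non-root CA. Prints ok or fail.
verify_client() {
  anchor="$WORK/$1.pem"
  if [ "$2" = partial ]; then
    flags="-partial_chain"
  else
    flags=""
  fi
  # $flags is deliberately unquoted so an empty value adds no argument.
  if openssl verify $flags -CAfile "$anchor" -untrusted "$WORK/int.pem" \
       "$WORK/client.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Expected: root/strict ok, root/partial ok, int/strict fail, int/partial ok
for anchor in root int; do
  for mode in strict partial; do
    printf '%-4s %-7s %s\n' "$anchor" "$mode" "$(verify_client "$anchor" "$mode")"
  done
done
```

The int/strict row is the case the partial-chain option exists for: the CA Group holds only the intermediate, so strict validation fails because no self-signed root is available, while partial validation accepts the client. The trade-off is that the intermediate becomes a trust anchor in its own right, so anything the root CA would otherwise enforce on it (its validity period, or its revocation through the root's CRL) is no longer checked.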