Secure connections (SSL/TLS) : How to offload HTTPS : Configuring FortiADC to validate certificates
Configuring FortiADC to validate certificates
To be valid, a client certificate must:
not be expired or not yet valid
not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
be signed by a certificate authority (CA) whose certificate you have imported into the FortiADC appliance (see “Uploading trusted CAs’ certificates”);
contain a CA field whose value matches a CA’s certificate
contain an Issuer field whose value matches the Subject field in a CA’s certificate
If the client presents an invalid certificate the authentication phase of a SSL/TLS session initiation, the FortiADC appliance will not allow the connection.
Certificate validation rules tell FortiADC which set of CA certificates to use when validating certificates, and specify a CRL and/or OCSP server, if any, when a certificate must be checked for revocation.
To configure a certificate validation rule
1. Before you can configure a certificate validation rule, you must first configure a CA group (see “Uploading trusted CAs’ certificates”). You may also need to configure:
OCSP (see “Revoking certificates by OCSP query”)
upload a CRL file (see “Revoking certificates”)
if you need to explicitly revoke some invalid or compromised certificates.
2. Go to System > Certificates > Certificate Verify.
To access this part of the web UI, your administrator's account access profile must have Read-Write permission to items in the System category. For details, see “Permissions”.
3. Click Add.
A dialog appears.
4. Configure these settings:
Setting name
Type a name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
CA Group
Select the name of an existing CA group that you want to use to authenticate client certificates. See “Uploading trusted CAs’ certificates”.
Select the name of an existing online certificate status protocol (OCSP) certificate, if any, that you want to use to verify the revocation status of client certificates. See “Revoking certificates by OCSP query”.
Select the name of an existing certificate revocation list, if any, to use to verify the revocation status of client certificates. See “Revoking certificates”.
5. Click Save.
6. To apply a certificate validator, select it in a server load balancing profile. For details, see “Load balancing among local servers”.
See also
How to offload HTTPS
Uploading trusted CAs’ certificates
Revoking certificates by OCSP query
Revoking certificates