How to offload HTTPS
For offloading SSL/TLS, FortiADC must have a copy of your servers’ X.509 v3 server certificates and private keys. FortiADC also has its own server certificate and private key, which it uses to prove its own identity. All locally stored server certificates and private keys are displayed on System > Certificates > Local.
Which certificate will be used, and how, depends on the purpose.
For connections to the web UI — The FortiADC appliance presents its own default “Factory” certificate.
 
The FortiADC appliance’s default certificate does not appear in the list of locally stored certificates. It is used only for connections to the web UI and cannot be removed.
For SSL offloading — Server certificates do not belong to the FortiADC appliance itself, but instead belong to the servers. FortiADC uses the server’s certificate because it acts as an SSL proxy for the server (a “reverse proxy”). You must select which one the FortiADC appliance will use when configuring a server load balancing profile (see “Load balancing among local servers”).
FortiADC presents a server certificate when any client requests a secure connection, including when:
Administrators connect to the web UI (HTTPS connections only)
Clients use SSL or TLS to connect to a virtual server
FortiADC requires server certificates in order to decrypt and route or rewrite based on content at the application layer (Layer 7). Otherwise, FortiADC will not, for example, be able to read the HTTP layer of HTTPS packets.
If you want clients to be able to use HTTPS with your web site, but your web site does not already have a server certificate to represent its authenticity, you must first generate a certificate signing request (see “Generating a certificate signing request”). Otherwise, start with “Uploading a server certificate”.
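Because FortiADC terminates TLS on the server's behalf, the certificate and private key you hand it must belong together. The following pre-upload check is an added example, not part of the FortiADC documentation; it assumes the OpenSSL command-line tool, PEM-encoded files, and an unencrypted private key, and the function name and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload sanity check for a server certificate and key.
# Assumes PEM files and an unencrypted private key.
# Return codes: 0 ok, 1 key mismatch, 2 not X.509 v3, 3 expired, 4 unreadable.
check_cert_key_pair() {
    cert=$1
    key=$2

    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    # Public key derived from the private key (works for RSA and EC keys).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4

    # The proxy can only prove the site's identity if the two match.
    [ "$cert_pub" = "$key_pub" ] || return 1

    # X.509 v3 is required; openssl prints this as "Version: 3 (0x2)".
    openssl x509 -in "$cert" -noout -text 2>/dev/null |
        grep -q 'Version: 3 ' || return 2

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 3

    return 0
}
```

Call it as `check_cert_key_pair server.crt server.key` (constructed file names) and inspect the exit status before uploading the pair.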
See also
Global web UI & CLI settings
Generating a certificate signing request
Uploading a server certificate
Revoking certificates by OCSP query
What is SSL/TLS offloading?
Supported cipher suites & protocol versions
Uploading trusted CAs’ certificates