Configuring FortiADC to validate certificates
To be valid, a client certificate must:
• be within its validity period (neither expired nor not yet valid)
• not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
• contain a CA field whose value matches a CA’s certificate
• contain an Issuer field whose value matches the Subject field in a CA’s certificate
If the client presents an invalid certificate during the authentication phase of an SSL/TLS session initiation, the FortiADC appliance does not allow the connection.
Certificate validation rules tell FortiADC which set of CA certificates to use when validating certificates, and specify a CRL and/or OCSP server, if any, when a certificate must be checked for revocation.
To configure a certificate validation rule
if you need to explicitly revoke some invalid or compromised certificates.
2. Go to System > Certificates > Certificate Verify.
To access this part of the web UI, your administrator's account access profile must have Read-Write permission to items in the System category. For details, see “Permissions”.
3. Click Add.
A dialog appears.
4. Configure these settings:
| Setting name | Description |
|---|---|
| Name | Type a name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. |
| CA Group | Select the name of an existing CA group that you want to use to authenticate client certificates. See “Uploading trusted CAs’ certificates”. |
| OCSP | Select the name of an existing online certificate status protocol (OCSP) certificate, if any, that you want to use to verify the revocation status of client certificates. See “Revoking certificates by OCSP query”. |
| CRL | Select the name of an existing certificate revocation list, if any, to use to verify the revocation status of client certificates. See “Revoking certificates”. |
5. Click Save.
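The validity, revocation and issuer checks listed at the top of this page, reproduced with the openssl CLI as an added example that is not from the Fortinet guide: a throwaway lab CA stands in for the CA group and a CRL it issues supplies the revocation data (the OCSP path is not reproduced), so each call to the hypothetical verify_client function ends with the same accept/reject decision the appliance would make.

```shell
#!/bin/sh
# Added example, not from the FortiADC guide: reproduce the appliance's client
# certificate checks with the openssl CLI against a throwaway lab CA.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Lab CA (stands in for the CA group) and a client certificate it issued
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -days 3650 -subj "/CN=Lab CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=client1" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -out client.pem >/dev/null 2>&1
# Self-signed certificate from an unrelated CA: its Issuer matches no trusted Subject
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
  -days 30 -subj "/CN=Untrusted" >/dev/null 2>&1

# Minimal 'openssl ca' database, used here only to issue CRLs
touch index.txt; echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ca]
default_ca = lab
[lab]
database = index.txt
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
openssl ca -config ca.cnf -gencrl -out empty.crl >/dev/null 2>&1   # nothing revoked yet
openssl ca -config ca.cnf -revoke client.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out revoked.crl >/dev/null 2>&1 # client1 now revoked

# verify_client CERT CRL [EPOCH]: exit 0 = accept, non-zero = reject.
# -attime evaluates the validity period at a chosen time (default: now).
verify_client() {
  openssl verify -CAfile ca.pem -CRLfile "$2" -crl_check \
    -attime "${3:-$(date +%s)}" "$1" >/dev/null 2>&1
}

now=$(date +%s)
verify_client client.pem empty.crl   && echo "client1, current CRL: accepted"
verify_client client.pem revoked.crl || echo "client1, revoked by CRL: rejected"
verify_client other.pem  empty.crl   || echo "untrusted issuer: rejected"
verify_client client.pem empty.crl $((now + 60*86400)) || echo "expired: rejected"
verify_client client.pem empty.crl $((now - 86400))    || echo "not yet valid: rejected"
```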