Supplementing a server certificate with its signing chain
Would you trust a stranger who wants to access your servers? What if they provide the name of someone who can confirm their reputation? What if you do not know that third party, and the third party might not be trustworthy? Ultimately, you would not be comfortable until this stranger proves that they are linked to people whom you do know and trust.
Similarly, if a server certificate is signed by an intermediate (non-root) certificate authority rather than directly by a root CA, the client will trust it only if it can build a chain from that certificate up to a root CA it already trusts. The server must therefore present the intermediate CA certificates together with its own, so that the client can validate every link in the chain. Otherwise, the end user's web browser may display certificate warnings, because it cannot determine whether the certificate's issuer is itself trusted.
Does the server certificate file you uploaded already contain the complete CA signing chain? If not, you must configure the FortiADC appliance to provide the certificates of the intermediate CAs when it presents the server certificate.
To upload an intermediate CA’s certificate
1. Go to System > Certificates > Intermediate CA.
You can click View Certificate Detail to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions (purposes).
To access this part of the web UI, your administrator's account access profile must have Read-Write permission to items in the System category. For details, see “Permissions”.
2. To upload a certificate, click Import.
A dialog appears.
3. Do one of the following to locate a certificate:
Select SCEP and enter the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediate network devices to download certificates.)
To specify a specific certificate authority, enter an identifier in the field below the URL.
Select Local PC, then browse to locate a certificate file.
4. Click OK.
If a server certificate does not include a signing chain that leads to a root CA that the client trusts, you must group the certificates of the intermediate (non-root) certificate authorities (CAs) to provide the signing chain.
5. Go to System > Certificates > Intermediate CA Group.
To access this part of the web UI, your administrator's account access profile must have Read-Write permission to items in the System category. For details, see “Permissions”.
6. Click Add.
A dialog appears.
7. In Group Name, type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
8. Click OK.
9. Click Add.
A dialog appears.
10. In ID, type the index number of the entry within the group, or keep the field’s default value of 0 to let the FortiADC appliance automatically assign the next available index number.
11. In CA, select the name of an intermediary CA’s certificate that you previously uploaded and want to add to the group.
12. Click OK.
13. Repeat the previous steps for each intermediary CA certificate that you want to add to the group.
14. To apply an intermediate CA certificate group, select it in a server load balancing profile.
The FortiADC appliance will present both the server’s certificate and those of the intermediate CAs when establishing a secure connection with the client.
See also
Uploading trusted CAs’ certificates