Layer 7 Security Certificate Screen (HTTPS Clusters)

	If you have uploaded a certificate that doesn't match the cipher suite that is configured for the HTTPS cluster, you will no longer be able to log into the GUI. You will need to supply the correct certificate/key pairing. In the meantime, you can enable HTTP access to the GUI temporarily to enter the proper certificate/key pairing to enable HTTPS access.

Default Certificate

Use the drop down list to select a default SSL certificate that clients will use to validate a connection to this HTTPS cluster.

Client CA

The Client CA is used to authenticate the SSL client certificate if the Require Client Certificate option is enabled or if a CRL selection is made.

Use the drop down list to select the name of a client certificate authority (CA).This is the certificate of an authority in a network that issues and manages security credentials and public keys for message encryption. It must be uploaded to FortiADC's certificated store. As part of a public key infrastructure, a CA checks with a registration authority to verify information provided by the requester of a digital certificate. If the registration authority verifies the requester's information, the CA can then issue a certificate. The certificate usually includes the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner.

CRL

A Certificate Revocation List CRL is used to check if the SSL certificates provided by the SSL client during the SSL handshake are not in the CRL list. It requires the Client CA to be specified.

Use the drop down list to select a CRL.

Validation Depth

The depth to which certificate checking is done on the client certificate chain. The default of 2 indicates that the client certificate (level 0) and two levels above it (levels 1 and 2) are checked; any certificates above level 2 in the chain are ignored. You should only need to increase this value if the Certificate Authority that issued your certificate provided you with more than 2 chained certificates in addition to your client certificate.

Push Client Certificate	Enabling this option sends the client certificate to the back-end server.
Require Client Certificate	Enabling this option requires that client's present certificates. The client CA, if configured, validates the SSL certificate presented by the SSL client.
Strict CRL Chain	This option requires the Client CA and CRL to be specified. If it is enabled then it ensures that none of the certificates in the certificate chain of the SSL client certificate are in the CRL. If the client CA and CRL are specified, yet this option is not enabled, then only the last certificate in the certificate chain of the SSL client certificate is checked against the specified CRL.