The Layer 7 Security > Certificate screen shown below is available when an HTTPS cluster is selected from the Cluster branch in the left navigation pane.
Use the Security > Certificate tab to select the default SSL certificate that clients use to validate a connection to an HTTPS cluster (the cluster certificate), and to configure how the cluster validates SSL client certificates.
| Setting | Description |
|---|---|
| Default Certificate | Use the drop-down list to select the default SSL certificate that clients use to validate a connection to this HTTPS cluster. |
| Client CA | The Client CA is used to authenticate the SSL client certificate if the Require Client Certificate option is enabled or if a CRL is selected. Use the drop-down list to select the name of a client certificate authority (CA). This is the certificate of an authority in a network that issues and manages security credentials and public keys for message encryption. It must be uploaded to FortiADC's certificate store. As part of a public key infrastructure, a CA checks with a registration authority to verify the information provided by the requester of a digital certificate. If the registration authority verifies the requester's information, the CA can then issue a certificate. The certificate usually includes the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner. |
| CRL | A Certificate Revocation List (CRL) is used to check that the SSL certificates presented by the SSL client during the SSL handshake are not in the CRL. It requires the Client CA to be specified. Use the drop-down list to select a CRL. |
| Validation Depth | The depth to which certificate checking is done on the client certificate chain. The default of 2 indicates that the client certificate (level 0) and two levels above it (levels 1 and 2) are checked; any certificates above level 2 in the chain are ignored. You should only need to increase this value if the Certificate Authority that issued your certificate provided you with more than 2 chained certificates in addition to your client certificate. |
| **Flags** | |
| Push Client Certificate | Enabling this option sends the client certificate to the back-end server. |
| Require Client Certificate | Enabling this option requires that clients present certificates. The Client CA, if configured, validates the SSL certificate presented by the SSL client. |
| Strict CRL Chain | This option requires the Client CA and CRL to be specified. If it is enabled, it ensures that none of the certificates in the certificate chain of the SSL client certificate are in the CRL. If the Client CA and CRL are specified but this option is not enabled, only the last certificate in the certificate chain of the SSL client certificate is checked against the specified CRL. |
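As an added illustration, not FortiADC code or configuration, the following Python model shows how Validation Depth, Require Client Certificate, CRL and Strict CRL Chain interact on a constructed three-certificate chain. The `Cert` class, the `check_client_chain` function and the sample chain are assumptions made for this example, and "the last certificate in the chain" is taken to mean the client's own certificate; signature checks are omitted so that only the depth and CRL logic is shown.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed; no real parsing)."""
    subject: str
    issuer: str
    serial: int

def check_client_chain(chain: List[Cert], client_ca: Cert, crl: Set[Tuple[str, int]],
                       validation_depth: int = 2, require_client_cert: bool = True,
                       strict_crl_chain: bool = False) -> str:
    """Model the Client CA / CRL / Validation Depth / Strict CRL Chain decision.

    chain[0] is the client certificate (level 0) and chain[i] issued chain[i-1].
    crl holds (issuer, serial) pairs, the way CRL entries are keyed in practice.
    Returns "ok" or a short reason for rejecting the handshake.
    """
    if not chain:
        return "no client certificate presented" if require_client_cert else "ok"
    # Validation Depth: levels 0..validation_depth are examined, higher levels ignored.
    considered = chain[:validation_depth + 1]
    for level, cert in enumerate(considered):
        if cert.issuer == client_ca.subject:
            break  # anchored at the configured Client CA; nothing above is needed
        if level + 1 >= len(considered):
            return f"no path to Client CA within validation depth {validation_depth}"
        if considered[level + 1].subject != cert.issuer:
            return f"chain broken at level {level}: {cert.issuer!r} is not next in chain"
    # CRL: by default only the client's own certificate is checked; with Strict CRL
    # Chain every certificate on the path to the Client CA is checked.
    to_check = considered[:level + 1] if strict_crl_chain else considered[:1]
    for cert in to_check:
        if (cert.issuer, cert.serial) in crl:
            return f"{cert.subject!r} (serial {cert.serial}) is revoked"
    return "ok"

# Constructed sample chain: client <- issuing CA <- root CA (the root is the Client CA)
ROOT = Cert("Example Root CA", "Example Root CA", 1)
ISSUING = Cert("Example Issuing CA", "Example Root CA", 2)
CLIENT = Cert("client-01", "Example Issuing CA", 3)
CHAIN = [CLIENT, ISSUING, ROOT]
CRL_REVOKES_ISSUING = {("Example Root CA", 2)}  # constructed CRL entry for the issuing CA

if __name__ == "__main__":
    print(check_client_chain(CHAIN, ROOT, CRL_REVOKES_ISSUING))                        # ok
    print(check_client_chain(CHAIN, ROOT, CRL_REVOKES_ISSUING, strict_crl_chain=True))  # revoked
    print(check_client_chain(CHAIN, ROOT, set(), validation_depth=0))  # no path within depth 0
```

With the default (non-strict) setting the revoked issuing CA goes unnoticed because only the client certificate is compared against the CRL; enabling Strict CRL Chain rejects the handshake.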