 
Overview
The FortiADC system must be able to process two types of TLS/SSL traffic:
System administration—Administrators connect to the web UI (HTTPS connections only). When you connect to the web UI, the system presents its own default “Factory” certificate. This certificate is used only for connections to the web UI. It cannot be removed. Do not use this certificate for server load balancing traffic.
Server load balancing—Clients use SSL or TLS to connect to a virtual server. When FortiADC terminates TLS on behalf of the backend real servers (SSL offloading), you must import the X.509 v3 server certificates and private keys for the backend servers, as well as any certificate authority (CA) or intermediate CA certificates that are needed to complete the chain of trust between your clients and your servers.
The FortiADC system supports all of the TLS/SSL administration methods commonly used by HTTPS servers, including:
Server name indication (SNI)—You can require clients to send the TLS server_name extension (SNI) in the ClientHello message. The FortiADC system then uses the requested hostname to select the local server certificate to present to the client, so that a single virtual server can present the right certificate for each hostname it serves.
Local certificate store—A certificate store for the X.509 v3 server certificates and private keys for the backend servers.
Certificate Authorities (CAs) store—A store for the CA certificates that the backend servers would ordinarily use to verify the signature on a client certificate when clients authenticate with certificates.
Intermediate CAs store—A store for the intermediate CA certificates that the backend servers would ordinarily send to complete the chain of trust between the server certificate and a root CA the client already trusts. HTTPS transactions need an intermediate CA certificate when the server certificate is signed by an intermediate certificate authority (CA) rather than directly by a root CA; if the intermediate is not presented, clients that do not fetch missing intermediates on their own reject the connection.
OCSP—Use Online Certificate Status Protocol (OCSP) to obtain the revocation status of certificates.
CRL—Use a certificate revocation list (CRL) to obtain the revocation status of certificates.
Certificate validation policy—You can configure certificate validation policies that use OCSP or CRL. These policies can be associated with load balancing profiles.
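The chain, hostname and CRL checks that the stores and validation policies above rely on, as an added example that is not part of the FortiADC documentation or product: a POSIX shell script that builds a throw-away root CA, intermediate CA and server certificate with the openssl CLI, then verifies the server certificate the way a strict client would before the bundle is imported. The hostname www.example.test, the directory layout and all file names are constructed for this example; the only assumption is that openssl 1.1.1 or newer is on PATH.

```shell
#!/bin/sh
# Added example, not FortiADC documentation or product code. Builds a
# disposable PKI (root CA -> intermediate CA -> server certificate) and
# runs the checks worth doing before importing a bundle: is the chain
# complete, does the certificate carry the name clients send in SNI, and
# is it revoked according to the issuer's CRL. Assumptions (constructed):
# openssl 1.1.1+ on PATH, hostname www.example.test, file names below.
set -e

WORK="${WORK:-$(mktemp -d)}"
SNI_NAME="www.example.test"
INT="$WORK/intermediate.pem"

make_pki() {
  # Minimal openssl config: CSR defaults, extension sets for CA and server
  # certificates, and a [ca] section so 'openssl ca' can issue a CRL
  # signed by the intermediate. Variables expand when the file is written.
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SNI_NAME
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = int_ca
[ int_ca ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $INT
private_key = $WORK/intermediate.key
default_md = sha256
default_crl_days = 7
EOF
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/crlnumber"
  # Key + CSR for each tier (unencrypted keys: this PKI is disposable).
  for name in root intermediate server; do
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
      -subj "/CN=Example $name" -keyout "$WORK/$name.key" \
      -out "$WORK/$name.csr" >/dev/null 2>&1
  done
  # Root: self-signed. Intermediate: signed by root, CA:TRUE.
  # Server: signed by intermediate, SAN = $SNI_NAME.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -sha256 -extfile "$WORK/ca.cnf" -extensions v3_ca \
    -out "$WORK/root.pem" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1825 -sha256 \
    -extfile "$WORK/ca.cnf" -extensions v3_ca -out "$INT" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$INT" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/ca.cnf" -extensions v3_server \
    -out "$WORK/server.pem" >/dev/null 2>&1
  # What a client must be sent: server certificate followed by the
  # intermediate. Clients already hold the root, so it is not sent.
  cat "$WORK/server.pem" "$INT" > "$WORK/chain.pem"
}

# Prints "ok" if server.pem validates against root.pem with the given
# extra 'openssl verify' options, otherwise "fail". The rejection reason
# is silenced here; drop the redirect to see it.
verify_server() {
  if openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/server.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Issue a CRL signed by the intermediate. With the argument "revoke" the
# server certificate is listed in it; otherwise the CRL is empty.
issue_crl() {
  : > "$WORK/index.txt"
  if [ "${1:-}" = revoke ]; then
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/server.pem" >/dev/null 2>&1
  fi
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/intermediate.crl" >/dev/null 2>&1
}

make_pki
echo "chain, intermediate missing:  $(verify_server)"
echo "chain, intermediate supplied: $(verify_server -untrusted "$INT")"
echo "hostname $SNI_NAME: $(verify_server -untrusted "$INT" -verify_hostname "$SNI_NAME")"
echo "hostname shop.example.test: $(verify_server -untrusted "$INT" -verify_hostname shop.example.test)"
issue_crl
echo "CRL check, not revoked: $(verify_server -untrusted "$INT" -crl_check -CRLfile "$WORK/intermediate.crl")"
issue_crl revoke
echo "CRL check, revoked:     $(verify_server -untrusted "$INT" -crl_check -CRLfile "$WORK/intermediate.crl")"
```

The outputs map onto the stores above: server.pem with server.key is what goes into the local certificate store, intermediate.pem into the intermediate CAs store, and the first two lines of output show why the intermediate matters; a bundle that only validates when `-untrusted` supplies the intermediate will fail for clients that do not fetch it themselves. The hostname check is the SNI case in miniature: a certificate is only usable for a given SNI name if that name is in its subjectAltName. Note that `-crl_check` fails closed: with no CRL available at all openssl reports an error rather than success, which is the behaviour to expect from any validation policy that requires revocation data. OCSP is not exercised because it needs a live responder.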