Configuring a certificate validator
To be valid, a client certificate must meet the following criteria:
Must not be expired or not yet valid
Must not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
Must be signed by a certificate authority (CA) whose certificate you have imported into the FortiADC appliance
Must contain a CA field whose value matches a CA’s certificate
Must contain an Issuer field whose value matches the Subject field in a CA’s certificate
Certificate validation rules specify the CA certificates to use when validating client certificates, and they specify a CRL and/or OCSP server, if any, to use for certificate revocation checking.
You select a certificate validation configuration object in the profile configuration for a virtual server. If the client presents an invalid certificate during the authentication phase of an SSL/TLS session initiation, the FortiADC system will not allow the connection.
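The checks listed above, written out as an added example (not FortiADC code) with the Python `cryptography` library: the CA, client certificates and CRL are all constructed in-process, the names (Example Client CA, alice, bob and so on) and the fixed "current time" are assumptions, and the function returns the reason a validator would reject a certificate, or None when every check passes.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time" for the checks
def _cert(cn, signer=None, days=30):
    """Constructed cert; signer=(issuer_cert, signing_key), or None for a self-signed CA."""
    key, subj = ec.generate_private_key(ec.SECP256R1()), x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer, sign_key = (signer[0].subject, signer[1]) if signer else (subj, key)
    cert = (x509.CertificateBuilder().subject_name(subj).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=60)).not_valid_after(NOW + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=signer is None, path_length=None), critical=True)
            .sign(sign_key, hashes.SHA256()))
    return cert, key
def _crl(ca, revoked_serials):  # constructed CRL issued and signed by the CA tuple (cert, key)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca[0].subject)
         .last_update(NOW - timedelta(days=1)).next_update(NOW + timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s)
                                      .revocation_date(NOW - timedelta(hours=1)).build())
    return b.sign(ca[1], hashes.SHA256())
def validate_client_cert(cert, ca_certs, crl=None, now=NOW):  # None if valid, else the rejection reason
    nb, na = (getattr(cert, a + "_utc", None) or getattr(cert, a).replace(tzinfo=timezone.utc)
              for a in ("not_valid_before", "not_valid_after"))  # old/new cryptography property names
    if now < nb or now > na:
        return "expired or not yet valid"
    ca = next((c for c in ca_certs if c.subject == cert.issuer), None)  # Issuer must equal a CA's Subject
    if ca is None:
        return "issuer does not match any imported CA certificate"
    try:  # the CA named in Issuer must actually have produced the signature
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "signature not made by the named CA"
    if crl is not None:
        if not crl.is_signature_valid(ca.public_key()):  # only trust revocation data the CA signed
            return "CRL signature invalid"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked by CRL"
    return None
def demo():  # constructed scenario: one trusted CA, one rogue CA, five client certificates
    ca, rogue = _cert("Example Client CA"), _cert("Rogue CA")
    cases = {"good": _cert("alice", ca), "revoked": _cert("bob", ca), "expired": _cert("carol", ca, days=-1),
             "forged": _cert("mallory", (ca[0], rogue[1]))}  # Issuer names the real CA, signed by rogue key
    cases["untrusted"] = _cert("dave", rogue)  # correctly signed, but by a CA that was never imported
    crl = _crl(ca, [cases["revoked"][0].serial_number])
    return {name: validate_client_cert(c[0], [ca[0]], crl) for name, c in cases.items()}
```

The "forged" case is the one worth noting: an Issuer name that matches the CA is not enough on its own, the signature must also verify under that CA's key.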
Before you begin:
You must have Read-Write permission for System settings.
You must have already created a CA group and OCSP or CRL configuration.
To configure a certificate validator:
1. Go to System > Certificate > Manage Certificates.
The configuration page displays the Verify tab.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in Table 68.
4. Save the configuration.
Table 68: Certificate verify configuration
Setting | Guidelines
Name | Name that can be referenced by other parts of the configuration, such as www_example_com. Do not use spaces or special characters. The maximum length is 35 characters. After you initially save the configuration, you cannot edit the name.
Remote | Select an OCSP configuration to use OCSP to validate certificates.
CA Group | Select the CA group to which the configuration applies.
CRL | Select a CRL configuration to use CRL to validate certificates.