config system : config system certificate certificate_verify
config system certificate certificate_verify
Use this command to manage certificate validation rules.
To be valid, a client certificate must meet the following criteria:
Must not be expired or not yet valid
Must not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
Must be signed by a certificate authority (CA) whose certificate you have imported into the FortiADC appliance
Must contain a CA field whose value matches a CA’s certificate
Must contain an Issuer field whose value matches the Subject field in a CA’s certificate
Certificate validation rules specify the CA certificates to use when validating client certificates, and they specify a CRL and/or OCSP server, if any, to use for certificate revocation checking.
You select a certificate validation configuration object in the profile configuration for a virtual server. If the client presents an invalid certificate during the authentication phase of a SSL/TLS session initiation, the FortiADC system will not allow the connection.
Before you begin:
You must have already created a CA group and OCSP or CRL configuration.
You must have read-write permission for system settings.
config system certificate certificate_verify
edit <name>
set ca_group <datasource>
set crl <datasource>
set remote_cert <datasource>
Specify the CA group to which the configuration applies.
Specify a CRL configuration to use CRL to validate certificates.
Specify an OCSP configuration to use OCSP to validate certificates.