config system certificate certificate_verify
Use this command to manage certificate validation rules.
To be valid, a client certificate must meet the following criteria:
• Must not be expired or not yet valid
• Must not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
• Must be signed by a certificate authority (CA) whose certificate you have imported into the FortiADC appliance
• Must contain a CA field whose value matches a CA’s certificate
• Must contain an Issuer field whose value matches the Subject field in a CA’s certificate
Certificate validation rules specify the CA certificates to use when validating client certificates, and they specify a CRL and/or OCSP server, if any, to use for certificate revocation checking.
You select a certificate validation configuration object in the profile configuration for a virtual server. If the client presents an invalid certificate during the authentication phase of an SSL/TLS session initiation, the FortiADC system will not allow the connection.
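As an added illustration (not FortiADC code and not part of this reference), the Go program below applies the same acceptance rules with the standard library: Fixtures constructs a throwaway CA, a client certificate it signed and a CRL from that CA in memory, and VerifyClient rejects a certificate that is outside its validity window, not signed by the imported CA (so its Issuer does not match that CA's Subject), or listed in a CRL that the issuing CA signed. All names and test data are hypothetical.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
var clientEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
// Fixtures returns constructed test material (hypothetical, not FortiADC objects): a CA, a client cert it signed, and a CRL revoking that cert.
func Fixtures(now time.Time) (ca, client *x509.Certificate, crlDER []byte) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, cliKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	ca, _ = x509.ParseCertificate(der)
	cliTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: clientEKU}
	der, _ = x509.CreateCertificate(rand.Reader, cliTmpl, ca, cliKey.Public(), caKey)
	client, _ = x509.ParseCertificate(der)
	crlDER, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(2), RevocationTime: now}}}, ca, caKey)
	return ca, client, crlDER
}
// VerifyClient applies the rules listed above: validity window, signature by the imported CA (Issuer == CA Subject), and no CRL entry.
func VerifyClient(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: clientEKU})
	if err != nil || crlDER == nil {
		return err // error: expired, not yet valid, unknown CA or bad signature; nil: chain OK and no CRL configured
	}
	crl, err := x509.ParseRevocationList(crlDER)
	// Only a current CRL signed by the leaf's direct issuer (chains[0][1]) counts for revocation checking.
	if err != nil || crl.CheckSignatureFrom(chains[0][1]) != nil || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL rejected: unparsable, not signed by the issuing CA, or past NextUpdate")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}
```

A CA from a second Fixtures call carries the same Subject name but a different key, so checking against it shows that a matching Issuer field alone is not enough: the signature must verify too.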
Before you begin:
• You must have already created a CA group and OCSP or CRL configuration.
• You must have read-write permission for system settings.
Syntax
config system certificate certificate_verify
  edit <name>
    set ca_group <datasource>
    set crl <datasource>
    set remote_cert <datasource>
  next
end
Parameter | Description
--- | ---
ca_group | Specify the CA group to which the configuration applies.
crl | Specify the CRL configuration to use for CRL-based revocation checking.
remote_cert | Specify the OCSP configuration to use for OCSP-based revocation checking.