System Management : Using certificates : Configuring a certificate validator
Configuring a certificate validator
To be valid, a client certificate must meet the following criteria:
Must not be expired or not yet valid
Must not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
Must be signed by a certificate authority (CA) whose certificate you have imported into the FortiADC appliance
Must contain a CA field whose value matches a CA’s certificate
Must contain an Issuer field whose value matches the Subject field in a CA’s certificate
Certificate validation rules specify the CA certificates to use when validating client certificates, and they specify a CRL and/or OCSP server, if any, to use for certificate revocation checking.
You select a certificate validation configuration object in the profile configuration for a virtual server. If the client presents an invalid certificate during the authentication phase of a SSL/TLS session initiation, the FortiADC system will not allow the connection.
Before you begin:
You must have Read-Write permission for System settings.
You must have already created a CA group and OCSP or CRL configuration.
To configure a certificate validator:
1. Go to System > Certificate > Manage Certificates.
The configuration page displays the Verify tab.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in Table 96.
4. Save the configuration.
Table 96: Certificate verify configuration
Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.The maximum length is 35 characters.
After you initially save the configuration, you cannot edit the name.
Select an OCSP configuration to use OCSP to validate certificates.
CA Group
Select the CA group to which the configuration applies.
Select a CRL configuration to use CRL to validate certificates.