Whether offloading or merely inspecting for HTTPS, FortiWeb must have a copy of your protected web servers’ X.509 server certificates. FortiWeb also has its own server certificate, which it uses to prove its own identity.
Which certificate will be used, and how, depends on the purpose.
The FortiWeb appliance’s default certificate does not appear in the list of locally stored certificates. It is used only for connections to the web UI and cannot be removed.
System > Certificates > Local displays all X.509 server certificates that are stored locally, on the FortiWeb appliance, for the purpose of offloading or scanning HTTPS.
Button/field | Description |
---|---|
Generate | Click to generate a certificate signing request. For details, see Generating a certificate signing request. |
Import | Click to upload a certificate. For details, see Uploading a server certificate. |
View Certificate Detail | Click to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions. |
Download | Click to download the selected CSR’s entry in certificate signing request (.csr) file format. This button is disabled unless the currently selected file is a CSR. |
Edit Comments | Click to add or modify the comment associated with the selected certificate. |
(No label. Check box in column heading.) | Click to mark all check boxes in the column, selecting all entries. To select an individual entry instead, mark the check box in the entry’s row. |
Name | Displays the name of the certificate. |
Subject | Displays the distinguished name (DN) located in the certificate’s Subject field. If the row contains a certificate request which has not yet been signed, this field is empty. |
Comments | Displays the description of the certificate, if any. Click the Edit Comments icon to add or modify the comment associated with the certificate or certificate signing request. |
Status | Displays the status of the certificate. |
FortiWeb presents a server certificate when any client requests a secure connection, including when:
Although FortiWeb does not present a certificate during SSL/TLS inspection, it still requires the server certificate in order to decrypt and scan HTTPS connections travelling through it (SSL inspection) when operating in any mode except reverse proxy. Otherwise, FortiWeb cannot scan the traffic and cannot protect that web server.
If you want clients to be able to use HTTPS with your web site, but your web site does not already have a server certificate to represent its authenticity, you must first generate a certificate signing request (see Generating a certificate signing request). Otherwise, start with Uploading a server certificate.
Many commercial certificate authorities (CAs) will provide a web site where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA will sign. When the CSR is generated, the associated private key that the appliance will use to sign and/or encrypt connections with clients is also generated.
If your CA does not provide this, or if you have your own private CA such as a Linux server with OpenSSL, you can use the appliance to generate a CSR and private key. This CSR can then be submitted to the CA for verification and signing.
1. Go to System > Certificates > Local.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
2. Click Generate.
A dialog appears.
3. Configure the certificate signing request:
Setting name | Description |
---|---|
Certification Name | Enter a unique name for the certificate request, such as www.example.com. This can be the name of your web site. |
Key Type | Displays the type of algorithm used to generate the key. This option cannot be changed, but appears in order to indicate that only RSA is currently supported. |
Key Size | Select a secure key size of 512 Bit, 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security. |
Enrollment Method | Select either: |
Subject Information | Includes information that the certificate is required to contain in order to uniquely identify the FortiWeb appliance. This area varies depending on the ID Type selection. |
ID Type | Select the type of identifier to use in the certificate to identify the FortiWeb appliance. The type you should select varies by whether your FortiWeb appliance has a static IP address, a fully qualified domain name (FQDN), or both, and by the primary intended use of the certificate. For example, if your FortiWeb appliance has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web UI by the domain name of the FortiWeb appliance, you might prefer to generate a certificate based upon the domain name of the FortiWeb appliance rather than its IP address. Depending on your choice for ID Type, related options appear. |
IP | Type the static IP address of the FortiWeb appliance. The IP address should be the one that is visible to clients. Usually, this is its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network. This option appears only if ID Type is Host IP. |
Domain Name | Type the fully qualified domain name (FQDN) of the FortiWeb appliance. The domain name must resolve to the static IP address of the FortiWeb appliance or protected server. For more information, see Configuring the network interfaces. This option appears only if ID Type is Domain Name. |
E-Mail | Type the email address of the owner of the FortiWeb appliance. This option appears only if ID Type is E-Mail. |
Optional Information | Includes information that you may include in the certificate, but which is not required. |
Organization unit | Type the name of your organizational unit (OU), such as the name of your department. This is optional. To enter more than one OU name, click the + icon and enter each OU name in a separate field. |
Organization | Type the legal name of your organization. This is optional. |
Locality (City) | Type the name of the city or town where the FortiWeb appliance is located. This is optional. |
State/Province | Type the name of the state or province where the FortiWeb appliance is located. This is optional. |
Country/Region | Select the name of the country where the FortiWeb appliance is located. This is optional. |
E-Mail | Type an email address that may be used for contact purposes. This is optional. |
4. Click OK.
The FortiWeb appliance creates a private and public key pair. The generated request includes the public key of the FortiWeb appliance and information such as the FortiWeb appliance’s IP address, domain name, or email address. The FortiWeb appliance’s private key remains confidential on the FortiWeb appliance. The Status column of the entry is PENDING.
5. Select the row that corresponds to the certificate request.
6. Click Download.
Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request (.csr) file. Time required varies by the size of the file and the speed of your network connection.
7. Upload the certificate request to your CA.
After you submit the request to a CA, the CA verifies the information in the certificate request, assigns it a serial number and an expiration date, and signs it with the CA’s private key.
8. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, then install it on all computers that will be connecting to your appliance. (If you do not install these, those computers may not trust your new certificate.)
9. When you receive the signed certificate from the CA, upload the certificate to the FortiWeb appliance (see Uploading a server certificate).
You also use this process to upload a client certificate for FortiWeb. You add this certificate to a server pool configuration if connections to a pool member require a valid client certificate (see Creating a server pool).
You can import (upload) either:
X.509 server certificates and private keys to the FortiWeb appliance.
DSA-encrypted certificates are not supported if the FortiWeb appliance is operating in a mode other than reverse proxy. See Supported features in each operation mode.
If a server certificate is signed by an intermediate certificate authority (CA) rather than a root CA, before clients will trust the server certificate, you must demonstrate a link with root CAs that the clients trust, thereby proving that the server certificate is genuine. You can demonstrate this chain of trust either by:
Which method is best for you often depends on whether you have a convenient way to deploy CA certificates to clients (as you may have for clients in an internal Microsoft Active Directory domain) and on how often you refresh the server certificate.
1. Open the certificate file in a plain text editor.
2. Append the certificate of each intermediary CA in order from the intermediary CA who signed the local certificate to the intermediary CA whose certificate was signed directly by a trusted root CA.
For example, a server’s certificate that includes a signing chain might use the following structure:
```
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
-----END CERTIFICATE-----
```
3. Save the certificate.
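The following POSIX shell script is an added example, not code from the FortiWeb documentation or from Fortinet. It does with the OpenSSL command line what the CSR procedure above does in the web UI, stands in for the CA of step 7 with a throw-away root and intermediate, and then carries out the signing-chain steps just described, adding the two checks worth running before uploading the bundle: that the certificates are in the documented order (leaf first, each issuer after the certificate it signed) and that the leaf validates up to the root through the bundle. It goes slightly beyond the text in two ways: it uses 2048-bit RSA, the smallest size publicly trusted CAs will sign, and it puts a subjectAltName in the request, which browsers require and which the Generate dialog above has no field for. It assumes an `openssl` binary of version 1.1.1 or later; www.example.com, Example Org, the CA names and every file name are constructed placeholders.

```shell
# Added example, not code from the FortiWeb documentation: the Generate button
# (key pair + CSR) and the signing-chain procedure redone with the OpenSSL CLI,
# plus the checks worth running before uploading. www.example.com, Example Org,
# the CA names and the file names are constructed placeholders.
set -eu

# Self-contained config so nothing depends on the system openssl.cnf.
# "openssl req" insists on a [dn] section; -subj overrides it below.
write_config() {
  dir=$1; fqdn=$2
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[dn]
commonName = ignored
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[int_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
}

# Generate-button equivalent: fresh 2048-bit RSA key and an unsigned CSR. The
# key stays on this host; only server.csr goes to the CA. -verify checks the
# CSR's self-signature, i.e. that request and key belong together.
make_csr() {
  dir=$1; fqdn=$2
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/O=Example Org/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1
  openssl req -in "$dir/server.csr" -noout -verify -config "$dir/req.cnf" >/dev/null 2>&1
}

# CA side of step 7: sign a CSR with the CA's *private* key.
# usage: sign <dir> <csr file> <ca name> <extension section> <output file>
sign() {
  openssl x509 -req -days 365 -in "$1/$2" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -extfile "$1/req.cnf" -extensions "$4" -out "$1/$5" >/dev/null 2>&1
}

# Throw-away two-level CA standing in for the real one. Clients only ever need
# root.pem; root.key and int.key never leave the CA.
make_ca() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/req.cnf" \
    -keyout "$dir/root.key" -out "$dir/root.pem" \
    -subj "/O=Example Org/CN=Example Root CA" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
    -keyout "$dir/int.key" -out "$dir/int.csr" \
    -subj "/O=Example Org/CN=Example Intermediate CA" >/dev/null 2>&1
  sign "$dir" int.csr root int_ext int.pem
}

# Signing-chain steps 1-3: server certificate first, then each intermediate,
# ending with the one signed by the trusted root. The root itself is left out;
# the client must already trust it.
build_chain() {
  cat "$1/server.pem" "$1/int.pem" > "$1/chain.pem"
}

# Order check: every certificate's issuer must equal the next one's subject.
# "openssl verify" ignores file order, but TLS clients receive the file as is,
# so a bundle that verifies can still be rejected when it is mis-ordered.
check_chain_order() {
  bundle=$1; work=$(mktemp -d)
  n=$(awk -v out="$work" '/-----BEGIN CERTIFICATE-----/ {n++}
       {print > (out "/c" n ".pem")} END {print n+0}' "$bundle")
  i=1; ok=0
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -in "$work/c$i.pem" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$work/c$j.pem" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || ok=1
    i=$j
  done
  rm -rf "$work"
  return $ok
}

# The client's view: validate the leaf through the presented intermediates up
# to a root it already trusts (-CAfile).
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/server.pem" >/dev/null 2>&1
}

# Runs the whole flow in a scratch directory and prints its path.
demo() {
  d=$(mktemp -d)
  write_config "$d" www.example.com
  make_csr "$d" www.example.com
  make_ca "$d"
  sign "$d" server.csr int server_ext server.pem
  build_chain "$d"
  echo "$d"
}
```

Source the file and run `demo`; it prints a directory containing `server.key` (the private key that would be uploaded alongside the certificate), `chain.pem` (the leaf-plus-intermediate bundle in the order the procedure above prescribes) and `root.pem` (what clients must trust). `check_chain_order chain.pem` and `verify_chain <dir>` are the two checks; swapping the two certificates in the bundle makes the first fail while `openssl verify` still reports OK, which is exactly why the order check is worth keeping separate.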
The total file size of all certificates, private keys, and any other uploaded files may not exceed 12 MB.
1. Go to System > Certificates > Local.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
2. Click Import.
A dialog appears.
3. Configure these settings:
Setting name | Description |
---|---|
Type | Select the type of certificate file to upload: Certificate, Local Certificate, or PKCS12 Certificate. Other fields may appear depending on your selection. |
Certificate file | Click Browse to locate the certificate file that you want to upload. This option is available only if Type is Certificate or Local Certificate. |
Key file | Click Browse to locate the key file that you want to upload with the certificate. This option is available only if Type is Certificate. |
Certificate with key file | Click Browse to locate the PKCS #12 certificate-with-key file that you want to upload. This option is available only if Type is PKCS12 Certificate. |
Password | Type the password that was used to encrypt the file, enabling the FortiWeb appliance to decrypt and install the certificate. This option is available only if Type is Certificate or PKCS12 Certificate. |
4. Click OK.
5. To use a certificate, you must select it in a policy or server pool configuration (see Configuring a server policy or Creating a server pool).
If a server certificate is signed by an intermediate (non-root) certificate authority rather than a root CA, before the client will trust the server’s certificate, you must demonstrate a link with trusted root CAs, thereby proving that the server’s certificate is genuine. Otherwise, the server certificate may cause the end-user’s web browser to display certificate warnings.
If you did not append the signing chain inside the server certificate itself, you must configure the FortiWeb appliance to provide the certificates of intermediate CAs when it presents the server certificate.
The total file size of all certificates, private keys, and any other uploaded files may not exceed 12 MB.
1. Go to System > Certificates > Intermediate CA.
You can click View Certificate Detail to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions (purposes).
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
2. To upload a certificate, click Import.
A dialog appears.
3. Do one of the following to locate a certificate:
Select SCEP and enter the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediate network devices to obtain certificates.)
To specify a specific certificate authority, enter an identifier in the field below the URL.
4. Click OK.
5. Go to System > Certificates > Intermediate CA Group.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
6. Click Create New.
A dialog appears.
7. In Name, type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
8. Click OK.
9. Click Create New.
A dialog appears.
10. In ID, type the index number of the host entry within the group, or keep the field’s default value of auto to let the FortiWeb appliance automatically assign the next available index number.
11. In CA, select the name of an intermediary CA’s certificate that you previously uploaded and want to add to the group.
12. Click OK.
13. Repeat the previous steps for each intermediary CA certificate that you want to add to the group.
14. To apply an intermediary CA certificate group, select it for Certificate Intermediate Group in a policy that uses HTTPS, with the server certificate that was signed by those CAs (see Configuring a server policy).
The FortiWeb appliance will present both the server’s certificate and those of the intermediate CAs when establishing a secure connection with the client.
In some cases, servers host multiple secure web sites that use a different certificate for each host. To allow FortiWeb to present the appropriate certificate for SSL offloading, you create a Server Name Indication (SNI) configuration that identifies the certificate to use by domain. The SNI configuration can also specify the client certificate verification to use for the specified domain, if the host requires it.
You can select an SNI configuration in a server policy only when FortiWeb is operating in reverse proxy mode and an HTTPS configuration is applied to the policy.
Not all web browsers support SNI. Go to the following location for a list of web browsers that support SNI:
http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B10.5D
1. Go to System > Certificates > SNI.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
2. Click Create New.
3. For Name, type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 63 characters.
4. Click OK.
5. Click Create New and configure these settings:
Setting name | Description |
---|---|
Domain | Specify the domain of the secure website (HTTPS) that uses the certificate specified by Local Certificate. |
Local Certificate | Select the server certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the web site specified by Domain. For more information, see Uploading a server certificate. |
Intermediate CA Group | Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to validate the CA signature of the certificate specified by Local Certificate. Configure this option if clients receive certificate warnings because the server certificate configured in Local Certificate was signed by an intermediary CA rather than by a root CA or another CA that the client trusts directly. For more information, see Grouping trusted CAs’ certificates. Alternatively, include the entire signing chain in the server certificate itself before you upload it to FortiWeb, which completes the chain of trust with a CA already known to the client. See Uploading a server certificate and Supplementing a server certificate with its signing chain. |
Certificate Verify | Select the name of a certificate verifier, if any, that FortiWeb uses when an HTTP client presents its personal certificate to the web site specified by Domain. (If you do not select one, the client is not required to present a personal certificate. See also How to apply PKI client authentication (personal certificates).) Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the web site (PKI authentication). You can require that clients present a certificate instead of, or in addition to, HTTP authentication (see Offloaded authentication and optional SSO configuration). Note: The client must support SSL 3.0 or TLS 1.0. |
6. Click OK.
7. Repeat the member creation steps to add additional domains, each with its associated certificate and verifier, to the SNI configuration. An SNI configuration can have up to 256 entries.
8. To use an SNI configuration, select it in a server policy (see Configuring a server policy).