FortiWeb may require you to provide certificates and CRLs even if your web sites’ clients do not use HTTPS to connect to the web sites.
For example, when it sends alert email via SMTPS or querying an authentication server via LDAPS or STARTTLS, FortiWeb validates the server’s certificate by comparing the server certificate’s CA signature with the certificates of CAs that are known and trusted by the FortiWeb appliance. See Uploading trusted CAs’ certificates and Revoking certificates.