How to offload or scan SSL/TLS in HTTPS

Whether offloading or merely inspecting for HTTPS, FortiWeb must have your protected web server’s X.509 server certificate. It also has its own, default certificate.

Which certificate will be used, and how, depends on the purpose.

•	For connections to the web UI — The FortiWeb appliance presents its own default certificate.


	Note: The FortiWeb appliance’s default certificate does not appear in the list of locally stored certificates. It is used only for connections to the web UI and cannot be removed.

•

For SSL offloading or SSL inspection — Server certificates do not belong to the FortiWeb appliance itself, but instead belong to the protected web servers. FortiWeb either acts as an SSL agent for the web server, or is privy to its secure connections for the purpose of scanning. You must select which one the FortiWeb appliance will use when configuring Certificate in a policy (see “Configuring a server policy”) or Certificate File in a server farm (see “Uploading a server certificate”).

FortiWeb presents a server certificate when any client requests a secure connection, including when:

•	Administrators connect to the web UI (HTTPS connections only)

•	Clients use SSL or TLS to connect to a virtual server, if you enabled SSL offloading in the policy (HTTPS connections and reverse proxy mode only)

Although they do not present a certificate for inspection, FortiWeb also requires server certificates in order to decrypt and scan HTTPS connections travelling through it (SSL inspection) if operating in any mode except reverse proxy. Otherwise, FortiWeb will not be able to decrypt and scan the traffic.

If you want clients to be able to use HTTPS with your web site, but your web site does not already have a server certificate to represent its authenticity, you must first generate a certificate signing request (see “Generating a certificate signing request”). Otherwise, start with “Uploading a server certificate”.

System > Certificates > Local displays all X.509 server certificates that are stored locally, on the FortiWeb appliance, for the purpose of offloading or scanning HTTPS.

Table 32:

System > Certificates > Local

GUI item

Description

Generate

Click to generate a certificate signing request. For details, see “Generating a certificate signing request”.

Import

Click to upload a certificate. For details, see “Uploading a server certificate”.

View Certificate Detail

Click to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.

Download

Click to download the selected certificate’s entry in certificate (.cer) or certificate signing request (.csr) file format.

Edit Comments

Click to add or modify the comment associated with the selected certificate.

(No label. Check box in column heading.)

Click to mark all check boxes in the column, selecting all entries.

To select an individual entry, instead, mark the check box in the entry’s row.

Name

Displays the name of the certificate.

Subject

Displays the distinguished name (DN) located in the Subject: field of the certificate.

If the row contains a certificate request which has not yet been signed, this field is empty.

Comments

Displays the description of the certificate, if any. Click the Edit Comments icon to add or modify the comment associated with the certificate or certificate signing request.

Status

Displays the status of the certificate.

•	OK — Indicates that the certificate was successfully imported. To use the certificate, select it in a policy or server farm.

•	PENDING — Indicates that the certificate request has been generated, but must be downloaded, signed, and imported before it can be used as a server certificate.