SSL/TLS : How to offload or scan SSL/TLS in HTTPS : Uploading a server certificate
Uploading a server certificate
You can import (upload) either:
Base64-encoded
PKCS #12 RSA-encrypted
X.509 server certificates and private keys to the FortiWeb appliance.
 
DSA
Note: DSA-encrypted certificates are not supported if the FortiWeb appliance is operating in a mode other than reverse proxy. See “Supported features per operation mode”.
If a server certificate is signed by an intermediate certificate authority (CA) rather than a root CA, before clients will trust the server certificate, you must demonstrate a link with root CAs that the clients trust, thereby proving that the server certificate is genuine. You can demonstrate this chain of trust either by:
Appending a signing chain in the server certificate.
Uploading and configuring a signing chain separately (see “Supplementing a server certificate with its signing chain”).
Installing each intermediary CA’s certificate in clients’ trust store (list of trusted CAs).
Which method is best for you often depends on whether you have a convenient method for deploying CA certificates to clients, such as you may be able to for clients in an internal Microsoft Active Directory domain, and whether you often refresh the server certificate.
To append a signing chain in the certificate itself, before uploading the server certificate to the FortiWeb appliance
1
Open the certificate file in a plain text editor.
2
Append the certificate of each intermediary CA in order from the intermediary CA who signed the local certificate to the intermediary CA whose certificate was signed directly by a trusted root CA.
For example, a server’s certificate that includes a signing chain might use the following structure:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
-----END CERTIFICATE-----
3
Save the certificate.
To upload a certificate
 
 
Note: The total file size of all certificates, Schema, keys, WSDL, and any other uploaded files may not exceed 12 MB.
1
Go to System > Certificates > Local.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “Permissions”.
2
Click Import.
A dialog appears.
3
Configure these settings:
 
GUI item
Description
Type
Select the type of certificate file to upload, either:
Local Certificate — An unencrypted certificate in PEM format.
Certificate — An unencrypted certificate in PEM format. The key is in a separate file.
PKCS12 Certificate — A PKCS #12 encrypted certificate with key.
Other fields may appear depending on your selection.
Certificate file
Click Browse to locate the certificate file that you want to upload.
This option is available only if Type is Certificate or Local Certificate.
Key file
Click Browse to locate the key file that you want to upload with the certificate.
This option is available only if Type is Certificate.
Certificate with key file
Click Browse to locate the PKCS #12 certificate-with-key file that you want to upload.
This option is available only if Type is PKCS12 Certificate.
Password
Type the password that was used to encrypt the file, enabling the FortiWeb appliance to decrypt and install the certificate.
This option is available only if Type is Certificate or PKCS12 Certificate.
 
4
Click OK.
5
To use a certificate, you must select it in a policy or server farm (see “Configuring a server policy” or “Grouping your web servers into server farms”).

FortiWeb 4.0 MR4 Help
9 July 2012 · 7th Edition
© 2012 Fortinet, Inc. All rights reserved.
Latest documentation: http://docs.fortinet.com/
Document feedback: techdoc@fortinet.com
Technical Support: https://support.fortinet.com/