Secure connections (SSL/TLS) : How to apply PKI client authentication (personal certificates) : Configuring FortiWeb to validate client certificates
 
Configuring FortiWeb to validate client certificates
To be valid, a client certificate must:
be within its validity period (neither expired nor not yet valid)
not be revoked by a certificate revocation list (CRL)
be signed by a certificate authority (CA) whose certificate you have imported into the FortiWeb appliance (see “Uploading trusted CAs’ certificates”)
contain a CA field whose value matches a CA’s certificate
contain an Issuer field whose value matches the Subject field in that CA’s certificate
If the client presents an invalid certificate during PKI authentication for HTTPS, FortiWeb does not allow the connection.
Certificate validation rules (in the web UI, these are called certificate verification rules) tell FortiWeb which set of CA certificates to use when it validates personal certificates. They also specify the CRL, if any, against which the client’s certificate is checked for revocation.
Alternatively, if you have enabled SNI in a server policy or server pool, FortiWeb uses the set of CA certificates specified in the SNI configuration that matches the client request to validate personal certificates.
If you configure the URL-based client certificate feature in a server policy or group, the rules in the specified URL-based client certificate group determine whether a client is required to present a personal certificate.
To configure a certificate validation rule
1. Before you can configure a certificate validation rule, you must first configure a CA group (see “Grouping trusted CAs’ certificates”). You may also need to upload a CRL file (see “Revoking certificates”) if you need to explicitly revoke some invalid or compromised certificates.
2. Go to System > Certificates > Certificate Verify.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “Permissions”.
3. Click Create New.
A dialog appears.
4. Configure these settings:
Setting name
Description
Name
Type a name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
CA Group
Select the name of an existing CA group that you want to use to authenticate client certificates. See “Grouping trusted CAs’ certificates”.
CRL
Select the name of an existing certificate revocation list, if any, to use to verify the revocation status of client certificates. See “Revoking certificates”.
5. Click OK.
6. To apply a certificate verification rule, do one of the following:
Select it for Certificate Verification in a server policy or server pool configuration that includes HTTPS service. For details, see “Configuring a server policy” or “Creating a server pool”.
Select it for Certificate Verify in an SNI configuration. For details, see “Allowing FortiWeb to support multiple server certificates”.
When a client connects to the web site, after FortiWeb presents its own server certificate, it requests one from the client. The web browser should display a prompt that lets the user choose which personal certificate to present.
Figure 53: A personal certificate prompt in Microsoft Internet Explorer 9
 
 
If the connection fails when you have selected a certificate verification rule, verify that the certificate also meets the web browser’s requirements. Web browsers apply their own certificate validation requirements in addition to FortiWeb’s. For example, a personal certificate for client authentication may be required to either:
not be restricted in usage/purpose by the CA, or
contain a Key Usage extension that includes Digital Signature, or an Extended Key Usage (Enhanced Key Usage in Windows) extension that includes Client Authentication
If the certificate does not satisfy the browser’s requirements, then although it may be installed in the client’s certificate store, when the FortiWeb appliance requests the client’s certificate the browser may not present a certificate selection dialog to the user, or the dialog may not list that certificate. In that case, verification fails.
For browser requirements, see your web browser’s documentation.
When a PKI authentication attempt fails, if you have enabled logging, attack log messages will be recorded. Messages vary by the cause of the error. Common messages are:
X509 Error 20 - Issuer certificate could not be found (FortiWeb does not have the certificate of the CA that signed the personal certificate, and therefore cannot verify the personal certificate; see “Uploading trusted CAs’ certificates”)
X509 Error 52 - Get client certificate failed (the client did not present its personal certificate to FortiWeb, which could be caused by the client not having its personal certificate properly installed; see “How to apply PKI client authentication (personal certificates)”)
X509 Error 53 - Protocol error (various causes, but could be due to the client and FortiWeb having no mutually understood cipher suite or protocol version during the SSL/TLS handshake)
For more logs, see the FortiWeb Log Reference.
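The following script is an added example, not FortiWeb’s own tooling, that lets you rehearse the checks above with the openssl CLI before touching the appliance: it builds a throwaway client-authentication PKI, then runs a personal certificate through the validity-period, CRL and trusted-CA checks from the list at the top of this section, and through the browser-side Key Usage / Extended Key Usage rule. It assumes openssl 1.1.1 or later is on the PATH; the CA names, users (alice, bob), file names and the helper functions fw_verify and browser_usable are all constructed for the demo. Note that when the signing CA is missing from the trust file, openssl reports error 20 (unable to get local issuer certificate), the same numeric code as the X509 Error 20 attack log entry listed above.

```shell
#!/bin/sh
# Added example (not FortiWeb's own tooling): a throwaway client-auth PKI,
# checked with the openssl CLI the way the validation rules above describe.
# Assumes openssl 1.1.1+ on PATH. All names and certificates are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file serves req (CSR / self-signed CA), x509 (issuing) and ca (CRL).
cat > pki.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
[server_only_ext]
keyUsage = critical, keyEncipherment
extendedKeyUsage = serverAuth
[ca]
default_ca = demo_ca
[demo_ca]
database = index.txt
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF

mkca() {   # $1 key file, $2 cert file, $3 common name: a self-signed CA
    openssl req -x509 -config pki.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$1" -out "$2" -subj "/CN=$3" -days 365 2>/dev/null
}
issue() {  # $1 name (also the CN), $2 extension section: a cert signed by ca.pem
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial -days 30 \
        -extfile pki.cnf -extensions "$2" -out "$1.pem" 2>/dev/null
}

# fw_verify: the FortiWeb rules as openssl verify options.
#   $1 cert, $2 trusted CA file (the CA group), $3 CRL file or "", $4 epoch time or ""
fw_verify() {
    cert=$1; ca=$2; crl=${3:-}; at=${4:-}
    set -- -CAfile "$ca"
    [ -n "$crl" ] && set -- "$@" -crl_check -CRLfile "$crl"
    [ -n "$at" ] && set -- "$@" -attime "$at"
    if out=$(openssl verify "$@" "$cert" 2>&1); then
        echo "PASS $cert"; return 0
    fi
    echo "FAIL $cert: $(printf '%s\n' "$out" | grep error | head -n 1)"
    return 1
}

# browser_usable: the browser rule above. True if the CA placed no usage restriction
# at all, or Key Usage includes Digital Signature, or EKU includes Client Authentication.
browser_usable() {
    txt=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$txt" | grep -q 'Key Usage' || return 0
    printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature' && return 0
    printf '%s\n' "$txt" | grep -A1 'X509v3 Extended Key Usage' | grep -q 'TLS Web Client Authentication' && return 0
    return 1
}

mkca ca.key ca.pem "Demo Client CA"      # the CA whose certificate goes in the CA group
mkca other.key other.pem "Unrelated CA"  # a CA FortiWeb has not been given
issue alice client_ext                   # a proper personal certificate
issue bob server_only_ext                # same CA, but server-only usage bits

# CRLs: an empty one, then one that revokes alice's certificate.
: > index.txt; echo 01 > serial
openssl ca -config pki.cnf -gencrl -out crl-empty.pem 2>/dev/null
openssl ca -config pki.cnf -revoke alice.pem 2>/dev/null
openssl ca -config pki.cnf -gencrl -out crl-revoked.pem 2>/dev/null

NOW=$(date +%s)
LATER=$((NOW + 60 * 86400))   # alice.pem is issued for 30 days, so this is past expiry

fw_verify alice.pem ca.pem "" ""                        # PASS
fw_verify alice.pem other.pem "" "" || true             # FAIL: error 20, unable to get local issuer certificate
fw_verify alice.pem ca.pem "" "$LATER" || true          # FAIL: certificate has expired
fw_verify alice.pem ca.pem crl-empty.pem ""             # PASS
fw_verify alice.pem ca.pem crl-revoked.pem "" || true   # FAIL: certificate revoked
browser_usable alice.pem && echo "alice.pem: browser will offer it"
browser_usable bob.pem || echo "bob.pem: browser will not offer it"
```

To test a real personal certificate against the CA group and CRL you intend to upload, run fw_verify with that certificate, the concatenated CA certificates of the group as the trusted file, and the CRL file; a FAIL line names the rule that would also cause FortiWeb to reject the connection. The -attime option lets you check the validity period at a future date without waiting for the certificate to expire. The browser_usable check covers only the usage bits the text above mentions; browsers may impose further requirements, so consult their documentation as well.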
See also
How to apply PKI client authentication (personal certificates)
Configuring a server policy
How to offload or inspect HTTPS
Uploading trusted CAs’ certificates
Revoking certificates