Secure connections (SSL/TLS) : How to offload or inspect HTTPS
 
How to offload or inspect HTTPS
Whether offloading HTTPS or merely inspecting it, FortiWeb must have a copy of each protected web server's X.509 server certificate together with its private key; the certificate alone is a public document and lets FortiWeb identify the server, but only the private key lets it decrypt traffic addressed to that server. FortiWeb also has its own server certificate, which it uses to prove its own identity.
Which certificate will be used, and how, depends on the purpose.
For connections to the web UI — The FortiWeb appliance presents its own (“default” or “Fortinet_Factory”) certificate.
 
The FortiWeb appliance’s default certificate does not appear in the list of locally stored certificates. It is used only for connections to the web UI and cannot be removed.
For SSL offloading or SSL inspection — Server certificates do not belong to the FortiWeb appliance itself, but to the protected web servers. FortiWeb uses the web server's certificate because it either terminates TLS on the web server's behalf (offloading) or must decrypt the server's connections in order to scan them (inspection). You select which certificate FortiWeb uses when you configure Enable Server Name Indication (SNI) or Certificate in a server policy (see "Configuring a server policy") or Certificate File in a server pool (see "Uploading a server certificate").
System > Certificates > Local displays all X.509 server certificates that are stored locally, on the FortiWeb appliance, for the purpose of offloading or scanning HTTPS.
Table 39: System > Certificates > Local
Button/field
Description
Generate
Click to generate a certificate signing request. For details, see “Generating a certificate signing request”.
Import
Click to upload a certificate. For details, see “Uploading a server certificate”.
View Certificate Detail
Click to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
Download
Click to download the selected certificate signing request as a .csr file, for example to submit it to your CA for signing.
This button is disabled unless the currently selected entry is a CSR.
Edit Comments
Click to add or modify the comment associated with the selected certificate.
(No label. Check box in column heading.)
Click to mark all check boxes in the column, selecting all entries.
To select an individual entry, instead, mark the check box in the entry’s row.
Name
Displays the name of the certificate.
Subject
Displays the distinguished name (DN) located in the Subject: field of the certificate.
If the row contains a certificate request which has not yet been signed, this field is empty.
Comments
Displays the description of the certificate, if any. Click the Edit Comments icon to add or modify the comment associated with the certificate or certificate signing request.
Status
Displays the status of the certificate.
OK — Indicates that the certificate was successfully imported. To use the certificate, select it in a server policy or server pool configuration.
PENDING — Indicates that the certificate request has been generated, but must be downloaded, signed, and imported before it can be used as a server certificate.
FortiWeb presents a server certificate when any client requests a secure connection, including when:
Administrators connect to the web UI (HTTPS connections only)
Clients use SSL or TLS to connect to a virtual server, if you enabled SSL offloading in the policy (HTTPS connections and reverse proxy mode only)
Although FortiWeb does not present a certificate during SSL/TLS inspection, it still requires the server's certificate and private key in order to decrypt and scan HTTPS connections travelling through it (SSL inspection) when operating in any mode except reverse proxy. Without them, FortiWeb cannot scan the traffic and therefore cannot protect that web server. Where FortiWeb only observes a session rather than terminating it, the session can be recovered from the server's private key only if it used RSA key exchange; sessions negotiated with ephemeral (forward-secret) key exchange cannot be decrypted that way, so check which cipher suites the web server offers (see "Supported cipher suites & protocol versions").
If you want clients to be able to use HTTPS with your web site, but your web site does not already have a server certificate attesting its identity, you must first generate a certificate signing request (see "Generating a certificate signing request"), have a CA sign it, and then import the signed certificate. Otherwise, start with "Uploading a server certificate".
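Before importing a certificate under System > Certificates > Local and selecting it in a server policy or server pool, it is worth checking the file pair off-box. The following POSIX shell functions are an added example, not Fortinet code or a FortiWeb CLI command; they assume only that the OpenSSL command-line tool is installed, and the file names and hostname are arguments you supply. They verify that the private key matches the certificate, that the certificate is not about to expire, that it covers the hostname clients will send in SNI, and (for RSA certificates) that the key really can recover a premaster secret encrypted to the certificate's public key, which is what decryption of an RSA key exchange session requires.

```shell
#!/bin/sh
# Pre-import checks for a FortiWeb server certificate and its private key.
# Added example, not Fortinet code. Assumes the OpenSSL command-line tool is
# installed; file paths and the hostname are arguments, nothing is hard-coded.

# Print what FortiWeb's View Certificate Detail shows: subject, validity
# period, serial number, and the Subject Alternative Name extension.
cert_detail() {
    openssl x509 -in "$1" -noout -subject -dates -serial
    # -text works on old and new OpenSSL builds; -ext does not
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# 0 if the private key belongs to the certificate: compare the public key
# embedded in the certificate with the one derived from the key file.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate stays valid for at least $2 seconds (default 30 days),
# so it does not expire shortly after being selected in a server policy.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# 0 if the hostname clients will send in SNI is listed in the SAN extension;
# for legacy certificates with no SAN, fall back to the subject CN.
cert_covers_host() {
    sans=$(openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1)
    if [ -n "$sans" ]; then
        echo "$sans" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
        return $?
    fi
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2\$"
}

# Why the key is required: with RSA key exchange the client encrypts the
# 48-byte premaster secret to the certificate's public key, and only the
# holder of the matching private key can recover it. 0 if the round trip
# works. RSA keys only; an ECDSA key cannot be exercised this way.
rsa_roundtrip() {
    tmp=$(mktemp -d)
    openssl x509 -in "$1" -noout -pubkey > "$tmp/pub.pem"
    openssl rand -out "$tmp/premaster" 48
    openssl pkeyutl -encrypt -pubin -inkey "$tmp/pub.pem" \
        -in "$tmp/premaster" -out "$tmp/enc" &&
    openssl pkeyutl -decrypt -inkey "$2" -in "$tmp/enc" -out "$tmp/dec" &&
    [ "$(od -An -tx1 "$tmp/premaster")" = "$(od -An -tx1 "$tmp/dec")" ]
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run all checks. Usage: check_cert_for_upload server.crt server.key www.example.com
check_cert_for_upload() {
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
    cert_not_expiring "$1"     || { echo "FAIL: certificate expires within 30 days"; return 1; }
    cert_covers_host "$1" "$3" || { echo "FAIL: certificate does not cover $3"; return 1; }
    rsa_roundtrip "$1" "$2"    || { echo "FAIL: RSA decryption with this key failed (non-RSA key?)"; return 1; }
    echo "OK: $1 and $2 are ready to import for $3"
}
```

Source the file and call check_cert_for_upload with the certificate, the key, and the hostname that the server policy will serve; a zero exit status means the pair is safe to import and select. The public-key comparison in key_matches_cert is the same test as comparing moduli, but it also works for non-RSA keys, and the SAN check is done on the text dump rather than with -ext so it behaves the same on OpenSSL 1.0, 1.1 and 3.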
See also
Global web UI & CLI settings
How operation mode affects server policy behavior
Creating a server pool
Generating a certificate signing request
Uploading a server certificate
Offloading vs. inspection
Supported cipher suites & protocol versions
Uploading trusted CAs’ certificates