Allowing FortiWeb to support multiple server certificates
In some cases, servers host multiple secure web sites that use a different certificate for each host. To allow FortiWeb to present the appropriate certificate for SSL offloading, you create a Server Name Indication (SNI) configuration that identifies the certificate to use by domain. The SNI configuration can also specify the client certificate verification to use for the specified domain, if the host requires it.
You can select an SNI configuration in a server policy only when FortiWeb is operating in reverse proxy mode and an HTTPS configuration is applied to the policy.
Not all web browsers support SNI. SNI is a TLS extension (RFC 6066), so a client that connects without it sends no host name, and FortiWeb has nothing to match against the domains in the SNI configuration. Go to the following location for a list of web browsers that support SNI:
http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B10.5D
To create a Server Name Indication (SNI) configuration
1. Go to System > Certificates > SNI.
To access this part of the web UI, your administrator account's access profile must have Read and Write permission to items in the Admin Users category. For details, see “Permissions”.
2. Click Create New.
3. For Name, type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 63 characters.
4. Click OK.
5. Click Create New and configure these settings:
Domain
Specify the domain of the secure web site (HTTPS) that uses the certificate specified by Local Certificate. This is the host name the client sends in the TLS SNI extension; FortiWeb uses it to choose among the entries in this configuration.
Local Certificate
Select the server certificate that FortiWeb presents for, and uses to encrypt and decrypt, SSL-secured connections to the web site specified by Domain. For more information, see “Uploading a server certificate”.
Intermediate CA Group
Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents so that clients can validate the CA signature on the certificate specified by Local Certificate.
Configure this option if clients receive certificate warnings because the certificate in Local Certificate is signed by an intermediate CA rather than by a root CA (or another CA) that the client already trusts directly.
Alternatively, include the entire signing chain in the server certificate file before you upload it to FortiWeb, which completes the chain of trust with a CA already known to the client. See “Uploading a server certificate” and “Supplementing a server certificate with its signing chain”.
Certificate Verify
Select the name of a certificate verifier, if any, that FortiWeb uses when an HTTP client presents its personal certificate to the web site specified by Domain. If you do not select one, the client is not required to present a personal certificate. See also “How to apply PKI client authentication (personal certificates)”.
Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the web site (PKI authentication).
You can require that clients present a certificate instead of, or in addition to, HTTP authentication (see “Offloading HTTP authentication & authorization”).
Note: The client must support SSL 3.0 or TLS 1.0. Because SNI is a TLS extension, a client that negotiates SSL 3.0 sends no server name and cannot be matched by Domain; SSL 3.0 is also deprecated (RFC 7568), so expect TLS clients in practice.
6. Click OK.
7. Repeat the member creation steps to add additional domains, and the certificate and verifier associated with each, to the SNI configuration. An SNI configuration can have up to 256 entries.
8. To use an SNI configuration, select it in a server policy (see “Configuring a server policy”).
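As an added example that is not part of this guide or of FortiWeb's own code, the following Python script shows what an SNI configuration actually matches on. It builds TLS ClientHello records with and without the server_name extension (including an SSL 3.0-style hello, which carries no extensions at all), extracts the host name the way a terminating proxy must, and looks it up in a constructed table shaped like the Domain / Local Certificate / Intermediate CA Group / Certificate Verify entries above. The domain and certificate names are invented, and serving a default entry to a client that sends no SNI is an assumption about behaviour this page does not describe.

```python
"""Added example, not FortiWeb code: SNI extraction and per-domain lookup.

An SNI configuration keys on the host name carried in the ClientHello
server_name extension (RFC 6066). Names and certificates below are constructed;
the default-entry fallback for non-SNI clients is an assumption.
"""
import struct

# Constructed stand-in for the SNI configuration entries in the table above.
SNI_TABLE = {
    "www.example.com": {"local_certificate": "www-example-com-2024",
                        "intermediate_ca_group": "example-intermediates",
                        "certificate_verify": None},            # no client cert required
    "portal.example.com": {"local_certificate": "portal-example-com-2024",
                           "intermediate_ca_group": "example-intermediates",
                           "certificate_verify": "employee-pki"},  # personal cert required
}

SSL30, TLS10, TLS12 = b"\x03\x00", b"\x03\x01", b"\x03\x03"


def build_client_hello(server_name=None, version=TLS12):
    """Build a minimal ClientHello record. SSL 3.0 hellos have no extensions block."""
    body = version + b"\x00" * 32                      # client_version + random (zeros, constructed)
    body += b"\x00"                                    # empty session_id
    suites = b"\x13\x01\x13\x02"                       # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # one compression method: null
    if version != SSL30:                               # SSL 3.0 ClientHello ends here
        exts = b""
        if server_name is not None:
            host = server_name.encode("ascii")
            entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
            sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
            exts += struct.pack("!HH", 0x0000, len(sni)) + sni      # extension type 0 = server_name
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    rec_ver = SSL30 if version == SSL30 else TLS10
    return b"\x16" + rec_ver + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if the client sent none."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                              # skip client_version and random
    try:
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")
    if pos >= len(body):
        return None                                           # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos, end = pos + 2, min(pos + 2 + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype != 0x0000 or len(data) < 2:
            continue
        q, list_end = 2, min(2 + struct.unpack("!H", data[:2])[0], len(data))
        while q + 3 <= list_end:                              # walk the ServerNameList
            name_type, (name_len,) = data[q], struct.unpack("!H", data[q + 1:q + 3])
            name, q = data[q + 3:q + 3 + name_len], q + 3 + name_len
            if name_type == 0:                                # host_name
                return name.decode("ascii")
    return None


def select_entry(record, table=SNI_TABLE, default=None):
    """Pick the SNI entry for a ClientHello; DNS names compare case-insensitively."""
    name = extract_sni(record)
    if name is None:
        return default          # nothing to match on; default behaviour is an assumption
    return table.get(name.lower().rstrip("."))


if __name__ == "__main__":
    for label, hello in [("TLS 1.2 with SNI", build_client_hello("portal.example.com")),
                         ("TLS 1.2 without SNI", build_client_hello(None)),
                         ("SSL 3.0 client", build_client_hello("portal.example.com", SSL30))]:
        print(f"{label}: sni={extract_sni(hello)!r} entry={select_entry(hello)}")
```

The SSL 3.0 and no-extension cases are the ones to watch: the lookup has no name to match, so the client cannot reach a per-domain certificate or the client-certificate verifier attached to it. To check what a live FortiWeb presents for a given name, run openssl s_client -connect <virtual-server>:443 -servername www.example.com </dev/null | openssl x509 -noout -subject -ext subjectAltName, then repeat without -servername to see what a client that sends no SNI receives.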
See also
Supplementing a server certificate with its signing chain
Configuring a server policy
Creating a server pool
How to offload or inspect HTTPS