Use URLs to determine whether a client is required to present a certificate
You can use Certificate Verification in a server policy (reverse proxy mode) or server pool configuration (true transparent proxy) to require clients to present a personal certificate. When you select a value for this setting, all clients are required to present a personal certificate.
Alternatively, you can configure the URL-based client certificate feature in a server policy or server pool, which allows you to require a certificate for some requests and not for others. Whether a client is required to present a personal certificate or not is based on the requested URL and the rules you specify in the URL-based client certificate group.
A URL-based client certificate group specifies the URLs to match and whether the matched request is required to present a certificate or exempt from presenting a certificate.
When the URL-based client certificate feature is enabled, a client is not required to present a certificate if the request URL is specified as exempt in a URL-based client certificate group rule, or if the request URL does not match any rule.
To configure a certificate validation rule
1. Go to System > Certificates > URL Certificate.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “Permissions”.
2. Click Create New.
3. For Name, enter a name that can be referenced in other parts of the configuration.
4. Click OK.
5. Click Create New, and then complete the following settings:
| Setting name | Description |
|---|---|
| URL | Specify the URL to match. When the URL of a client request matches this value and Match is selected, FortiWeb requires the client to present a personal certificate. |
| Match | Specifies whether client requests with the URL specified by URL are required to present a personal certificate. If this option is not selected, client requests with the URL specified by URL are not required to present a personal certificate. |
6. Repeat the URL certificate member creation steps for any other URLs you require.
7. Click OK to close the URL certificate configuration.
8. To apply the URL-based client certificate group, select it in a server policy or server pool configuration that includes an HTTPS service/SSL. For details, see “Configuring a server policy” or “Creating a server pool”.
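
The following added example (not FortiWeb code and not part of the original documentation) models the rule behaviour described above and audits a rule group for paths that would not require a certificate, including paths that match no rule. It assumes the URL value is a regular expression matched against the whole request path, and it reports a path matched by both a require rule and an exempt rule as a conflict, because this page does not state how overlapping rules are resolved. The names `Rule`, `decide` and `audit` and the sample data are hypothetical.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    url: str     # value of the URL setting (assumed here to be a regex)
    match: bool  # Match selected -> certificate required; cleared -> exempt


def decide(rules, path):
    """Return 'required', 'exempt', 'unmatched' or 'conflict' for a path."""
    hits = {r.match for r in rules if re.fullmatch(r.url, path)}
    if not hits:
        return "unmatched"   # per the page: no certificate is required
    if len(hits) == 2:
        return "conflict"    # a require rule and an exempt rule both match
    return "required" if True in hits else "exempt"


def audit(rules, must_require):
    """List (path, reason) for paths that should demand a certificate
    but would not be clearly required to present one."""
    findings = []
    for path in must_require:
        result = decide(rules, path)
        if result != "required":
            findings.append((path, result))
    return findings


# Constructed sample rule group and paths, not from a real deployment.
GROUP = [
    Rule(r"/admin/.*", True),
    Rule(r"/admin/health", False),
    Rule(r"/api/v1/keys", True),
]
SENSITIVE = ["/admin/users", "/admin/health", "/api/v1/keys", "/api/v2/keys"]

if __name__ == "__main__":
    for path, reason in audit(GROUP, SENSITIVE):
        print(f"{path}: {reason}")
```

Running the audit against an exported rule list before applying the group to a policy shows which sensitive URLs fall through to the no-certificate default.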