Manage and validate certificates

This section includes the following topics:

Overview

The FortiADC system is able to process the following two types of TLS/SSL traffic:

  • System administration—Administrators connect to the web UI (HTTPS connections only). When you connect to the web UI, the system presents its own default “Factory” certificate. This certificate is used only for connections to the web UI. It cannot be removed. Do not use this certificate for server load balancing traffic.
  • Server load balancing—Clients use SSL or TLS to connect to a virtual server. When you use FortiADC as a proxy for SSL operations normally performed on the backend real servers, you must import the X.509 v3 server certificates and private keys that the backend servers would ordinarily use, as well as any certificate authority (CA) or intermediate CA certificates that are used to complete the chain of trust between your clients and your servers.

The FortiADC system supports all of the TLS/SSL administration methods commonly used by HTTPS servers, including:

  • Server name indication (SNI)—You can require clients to use the TLS extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client.
  • Local certificate store—A certificate store for the X.509 v3 server certificates and private keys that the backend servers would ordinarily use.
  • Intermediate CAs store—A store for Intermediate CAs that the backend servers would ordinarily use to complete the chain of server certificates. HTTPS transactions use intermediate CAs when the server certificate is signed by an intermediate certificate authority (CA) rather than a root CA.
  • Certificate Authorities (CAs) store—A store for CA certificates that the back-end servers would ordinarily use to verify the CA signature in client certificates or the signature of an OCSP Responder.
  • OCSP—Use Online Certificate Status Protocol (OCSP) to obtain the revocation status of certificates.
  • CRL—Use a Certificate Revocation List (CRL) to obtain the revocation status of certificates.
  • Certificate validation policy—You can configure certificate validation policies that use OCSP or CRL. These policies can be associated with load balancing profiles.
  • All digital certificates of RSA and ECDSA key types—whether they are local, remote, intermediate, or CA root certificates.
  • Multiple CA, CRL, and OCSP configurations.
  • Client certificate forwarding.
  • SNI forwarding.
  • Email alert on certificate expiration, CRL expiration, and OCSP stapling expiration.

Note: The factory certificate is the default certificate for any application over SSL/TLS. It is a unique certificate that presents the credentials of your FortiADC. Upon system start, FortiADC automatically generates a self-signed factory certificate whose identifier (i.e., common name) is your FortiADC's serial number. For example, if a trial license is in use, the common name (CN) for factory.cer would be FADV0000000TRIAL; if the license is imported, the CN for factory.cer would be FADV080000072226.

Certificates and their domains

You can generate or import certificates in the global domain (i.e., FortiADC appliance) and individual VDOM domains (i.e., virtual machines). The visibility and use of certificates or certificate groups may vary depending on the domain in which they are created. Below are the general guidelines regarding the availability and use of certificates or certificate groups.

  • Local Certificates/Intermediate Certificates—If generated or imported in a specific VDOM domain, they can be viewed and deleted in that VDOM only, and are not visible in any other VDOM or the global domain; if generated or imported in the global domain, they can be viewed and downloaded by all VDOMs, but can be deleted only in the global domain.
  • Local Certificate Groups/Intermediate CA Groups—If added in a specific VDOM domain, they can be viewed, edited, or referenced in that VDOM domain only, and are not visible in any other VDOM or the global domain; if added in the global domain, they are visible to all VDOM domains, but can be edited only in the global domain.
  • CA/CRL/OCSP Signing Certificates—If imported in a specific VDOM domain, they can be viewed or deleted only in that VDOM, and are not visible in any other VDOM domain or the global domain; if imported in the global domain, they can be viewed or downloaded in all VDOM domains, but can be deleted only in the global domain.
  • Verify/CA Group/OCSP—If added in a specific VDOM domain, they can be viewed, edited, or referenced in that VDOM domain only, and are not visible in any other VDOM domain or the global domain; if added in the global domain, they can be viewed or referenced in all VDOMs, but can be edited only in the global domain.

Prerequisite tasks

You must download the certificates from your backend servers so that you can import them into the FortiADC system.

This example shows how to download a CA certificate from Microsoft Windows 2003.

To download a CA certificate from Microsoft Windows 2003 Server:
  1. Go to https://<ca-server_ipv4>/certsrv/, where <ca-server_ipv4> is the IP address of your CA server.
  2. Log in as Administrator. Other accounts may not have sufficient privileges. The Microsoft Certificate Services home page appears. Welcome page is an example of this page.

    Figure: Welcome page

  3. Click the Download CA certificate, certificate chain, or CRL link to display the Download a CA Certificate, Certificate Chain, or CRL page. Download a CA Certificate, Certificate Chain, or CRL page is an example of this page.
  4. From Encoding Method, select Base64.
  5. Click Download CA certificate.

Figure: Download a CA Certificate, Certificate Chain, or CRL page
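Before importing a server certificate, its private key, and the CA certificates that complete the chain of trust (as described in the Overview and in the download steps above), it is worth checking the files offline. The following is an added example, not part of the FortiADC handbook or Fortinet's tooling: it assumes the OpenSSL command-line tool is installed, and every file name and subject name in it is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: pre-import checks on a certificate bundle. File names and
# subject names are constructed for the demo, not taken from FortiADC.

# True if the private key ($2) belongs to the certificate ($1). Comparing the
# SubjectPublicKeyInfo works for RSA and ECDSA keys alike.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the server certificate ($3) chains to the root CA ($1) through the
# intermediate CA file ($2), i.e. the chain of trust is complete.
chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a throwaway root -> intermediate -> server chain in directory $1.
make_demo_chain() {
  local d=$1
  printf '%s\n' '[req]' 'distinguished_name = req' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    '[v3_leaf]' 'basicConstraints = CA:FALSE' > "$d/demo.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root CA" -days 30 \
    -keyout "$d/root.key" -out "$d/root.crt" &&
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr" &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions v3_ca -days 30 \
    -out "$d/inter.crt" &&
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$d/demo.cnf" -subj "/CN=www.example.com" \
    -keyout "$d/server.key" -out "$d/server.csr" &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions v3_leaf -days 30 \
    -out "$d/server.crt" &&
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$d/other.key"
} >/dev/null 2>&1

demo=$(mktemp -d) && make_demo_chain "$demo"
key_matches_cert "$demo/server.crt" "$demo/server.key" && echo "key matches cert"
chain_verifies "$demo/root.crt" "$demo/inter.crt" "$demo/server.crt" && echo "chain complete"
# Intermediate CA left out (root passed twice): verification must fail.
chain_verifies "$demo/root.crt" "$demo/root.crt" "$demo/server.crt" || echo "chain broken"
rm -rf "$demo"
```

With real files, call `key_matches_cert` and `chain_verifies` on the certificate, key, intermediate CA file and root CA you exported; a failure of the second check usually means an intermediate CA certificate is missing from the bundle.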

Manage certificates

This section discusses the following tasks you can perform on the System > Certificate > Manage Certificates page:
