Importing a local certificate

You can import (upload) local certificates and their private key files into the FortiADC system. A local certificate is the identity FortiADC itself presents in TLS handshakes, for example as the server certificate of an HTTPS virtual server through a client SSL profile; verifying certificates presented by clients is done with CA certificates, not local certificates.

The following X.509 server certificate and private key formats are supported:

  • PEM (Base64-encoded) certificate and private key files
  • PKCS #12 password-protected bundles containing the certificate and its private key

After you have obtained the certificate and private key files from your CA, you can import them into the FortiADC system.

Alternatively, you can select the automated certificate type to use the ACME service to get the SSL/TLS certificates from Let's Encrypt or other ACME providers. Certificates imported through Let's Encrypt have a ninety-day lifetime (which may differ from other ACME providers). These certificates must be renewed prior to expiration. FortiADC supports the TLS-ALPN-01 and DNS-01 challenge types. The TLS-ALPN-01 challenge supports automatic certificate renewal. The DNS-01 challenge requires manual certificate renewal, however, only the DNS-01 challenge can issue certificates containing wildcard domain names.

Before you begin:
  • You must have Read-Write permission for System settings.
To import a local certificate through file upload or using the ACME protocol:
  1. Go to System > Manage Certificates.
  2. Click the Local Certificate tab.
  3. Click Import to display the configuration editor.
  4. Select the local certificate Type from the drop-down menu.
    • Certificate — Use this option only if you have a certificate and its key in separate files.
    • PKCS12 Certificate — Use this option only if you have a PKCS #12 password-encrypted certificate with its key in the same file.
    • Local CSR Certificate — Use this option only if you have a CA-signed certificate that was issued for a CSR generated in FortiADC.
      Note: Import the CA-signed certificate on the same FortiADC appliance where the CSR was generated, because that is where the private key matching the certificate resides. The import fails if the matching key is not present on the appliance.
    • Automated — Use this option if you want to use the ACME protocol to get the certificates from Let's Encrypt or other ACME providers.
  5. Configure the following settings based on the local certificate Type.

    Settings and descriptions, by certificate Type:

    Certificate

      Certificate Name: Specify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.

      Input Type: Select either Upload or Manual Input.

      Certificate File: Appears if the Input Type is Upload. Browse for and upload the certificate file that you want to use.

      Key File: Appears if the Input Type is Upload. Browse for and upload the corresponding private key file.

      Certificate: Appears if the Input Type is Manual Input. Paste the contents of the PEM certificate file into the text box.

      Key: Appears if the Input Type is Manual Input. Paste the contents of the PEM private key file into the text box.

      Password: Specify the password that protects the private key. If the key was encrypted with a password when it was generated, the same password must be provided when it is imported to FortiADC. If the key was generated without a password, leave this empty.

    PKCS12 Certificate

      Certificate Name: Specify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.

      Certificate File: Browse for and upload the PKCS #12 file, which contains both the certificate and its private key.

      Password: Specify the password that protects the PKCS #12 file. If the file was encrypted with a password when it was generated, the same password must be provided when it is imported to FortiADC. If the file was generated without a password, leave this empty.

    Local CSR Certificate

      Certificate File: Browse for and upload the CA-signed certificate issued for the CSR generated on this FortiADC. The private key already resides on the appliance, so no key file is uploaded.
    Automated

      Certificate Name: Specify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.
      Note: If the Challenge Type is TLS-ALPN-01, the Certificate Name must match the name of the "placeholder" certificate that is linked to the HTTPS virtual server. For details, see Fulfilling the ACME TLS-ALPN-01 challenge.

      Domain Name: Specify the web server domain to be protected by the certificate.
      Note: If the Challenge Type is TLS-ALPN-01, the Domain Name must be the domain of the HTTPS virtual server that is linked to the "placeholder" certificate. For details, see Fulfilling the ACME TLS-ALPN-01 challenge.

      Email: Enter the email address that will receive notifications regarding the status of the certificate. Depending on which ACME service provider you use, you may receive a notification when the certificate request has been approved or when the certificate is due to expire.

      Key Type: Select either RSA or ECDSA. FortiADC generates the private key of this type locally; the ACME provider only issues the certificate.
      Note: If the Challenge Type is TLS-ALPN-01, the Key Type must match the key type of the "placeholder" certificate that is linked to the HTTPS virtual server. For details, see Fulfilling the ACME TLS-ALPN-01 challenge.

      Key Size: Appears if the Key Type is RSA. Select one of 2048 bit, 3072 bit, or 4096 bit.

      Curve Name: Appears if the Key Type is ECDSA. Select one of prime256v1, secp384r1, or secp521r1.

      Password: Specify the password to decrypt the file. If the file was encrypted with a password when generated, the same password must be provided when the file is imported to FortiADC. If the file was generated without a password, there is no need to specify one.

      CA Group: Specify the name of the CA Group. FortiADC uses the CA certificates in the CA Group to verify the certificate sent by the ACME provider. From the drop-down, select a previously configured CA Group, or select Create New to create and configure a CA Group directly.

      ACME Service: Select either Let's Encrypt or Other.

      ACME Server URL: Appears if the ACME Service is Other. Specify the directory URL of the ACME server; it must begin with "https://". FortiADC acts as the ACME client: it sends its ACME requests to this URL and receives the issued certificate from the provider.
      Note: The ACME server URL is specific to each ACME service provider. Refer to your provider's documentation for it.

      Challenge Type: The ACME server requires proof that you control the domain names in the certificate, using "challenges" as defined by the ACME standard. FortiADC supports the TLS-ALPN-01 and DNS-01 challenge types. Select one of the following:

      • TLS-ALPN-01 — Supports automatic certificate renewal. It cannot be used to validate wildcard domains. To use this challenge type, you must prepare the placeholder certificate and HTTPS virtual server before completing the certificate import (for details, see Fulfilling the ACME TLS-ALPN-01 challenge).

      • DNS-01 — Can issue certificates containing wildcard domain names. To use this challenge type, you fulfill the challenge by creating a DNS TXT record after completing the certificate import (for details, see Fulfilling the ACME DNS-01 challenge). Certificates obtained through DNS-01 must be renewed manually.

      Renew Window: Appears if the Challenge Type is TLS-ALPN-01. Specify how long before expiry (in minutes) FortiADC automatically renews the certificate. Range: 0-43200 minutes; 43200 minutes is 30 days, the renewal lead time Let's Encrypt recommends for its ninety-day certificates. Setting the renew window to 0 disables automatic renewal.

      Challenge Wait Time: Appears if the Challenge Type is DNS-01. Specify the ACME DNS-01 challenge wait time in minutes (range: 1-1440 minutes). This is how long you have to create the TXT record in public DNS and for the change to become visible before the ACME provider checks for it. Set a longer wait time to allow for DNS propagation. For more information, see Fulfilling the ACME DNS-01 challenge.
  6. Click Save.
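Before uploading a Certificate or PKCS12 Certificate, it is worth confirming on a workstation that the private key really belongs to the certificate and that the bundle password is the one you will type into the form, because a mismatch only surfaces as an import failure. The following script is an added example, not FortiADC tooling: it uses openssl, generates a throwaway self-signed pair so it runs offline, and the file names, subject and password are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not FortiADC's own tooling): pre-import checks for a
# PEM certificate/key pair and a PKCS #12 bundle, using openssl.
# File names, subject and password below are assumptions for illustration.
set -eu

WORK=$(mktemp -d)
CERT="$WORK/www_example_com.crt"     # PEM certificate (the "Certificate File")
KEY="$WORK/www_example_com.key"      # PEM private key (the "Key File")
P12="$WORK/www_example_com.p12"      # PKCS #12 bundle (the "PKCS12 Certificate")
P12_PASS="constructed-p12-password"  # constructed for this example only

# Constructed test material: a self-signed 90-day RSA pair so the script
# runs offline. In practice $CERT is the file issued by your CA.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
    -subj "/CN=www.example.com" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Returns 0 when the private key's public half equals the public key in the
# certificate. A pair that fails this check is rejected at import; the same
# failure occurs with the Local CSR Certificate type when the CSR's key
# lives on a different appliance.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate will still be valid in $2 days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Returns 0 when the file parses as a PEM X.509 certificate, which is what
# the Base64-encoded (PEM) import expects.
is_pem_certificate() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Builds a password-protected PKCS #12 bundle from cert $1 and key $2 into
# $3 with password $4. FortiADC needs this password at import time.
bundle_as_pkcs12() {
  openssl pkcs12 -export -inkey "$2" -in "$1" -out "$3" -passout "pass:$4"
}

# Returns 0 when the bundle's MAC verifies with the given password, i.e. the
# password you are about to enter in the import form is the right one.
pkcs12_opens_with() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" >/dev/null 2>&1
}

# Stand-alone run: build the sample pair and report each check.
make_sample_pair
is_pem_certificate "$CERT"           && echo "certificate is valid PEM"
key_matches_cert "$CERT" "$KEY"      && echo "key matches certificate"
cert_valid_for_days "$CERT" 30       && echo "certificate valid for 30+ days"
bundle_as_pkcs12 "$CERT" "$KEY" "$P12" "$P12_PASS"
pkcs12_opens_with "$P12" "$P12_PASS" && echo "PKCS #12 opens with the recorded password"
```

Point CERT and KEY at the files from your CA to run the same checks on real material; the key-match check compares SHA-256 hashes of the two SubjectPublicKeyInfo blocks, so it works for RSA and ECDSA keys alike.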

Fulfilling the ACME DNS-01 challenge

The DNS-01 challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name.

After you have saved your automated local certificate configuration, the ACME DNS challenge information is generated. With this information, you will configure your Public DNS Service to create the TXT record.

Certificates generated by the ACME DNS-01 challenge cannot be renewed automatically. Please manually renew the certificate before it expires.

To add the DNS challenge information as a record in your public DNS service:
  1. Obtain the ACME DNS challenge information using either of the following methods.
    • After you save your automated local certificate configuration, the challenge information is displayed. Save this information for use later.
    • In the Local Certificate page, locate the local certificate record and click the View icon to see the details.
  2. Log in to your DNS service provider and go to your DNS domain management page.
  3. Add a record and enter the challenge information into the corresponding fields.

    Name: _acme-challenge. This label is fixed by the ACME standard, and the record sits under the domain name being validated (for example, _acme-challenge.www.example.com for the Domain Name www.example.com).
    Type: TXT.
    TTL: Leave at the provider's default value.
    Target (record value): Paste the content from your ACME DNS-01 challenge information.
  4. Save the changes.
    The DNS configuration changes may take several minutes to take effect.

The ACME provider then queries DNS for that record and compares it with the expected value. If it matches, the certificate passes validation (the certificate status progresses from Pending to OK). If the record is not found within the configured challenge wait time, validation fails (the certificate status is Fail).

If validation fails, delete the failed local certificate record and import a new automated local certificate to try again. Each new import generates new challenge information, so the TXT record must be updated with the new value as well.

Set a longer challenge wait time to allow enough time for the DNS changes to take effect: if the TXT record is not yet visible when the ACME provider queries for it, validation fails. How quickly the change becomes visible depends on the DNS service provider, network speed and network traffic, and it may take as long as 20 minutes.
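Because the provider looks for the TXT record within the Challenge Wait Time and a miss means deleting the record and starting over, it pays to confirm the record is visible on public resolvers before that window closes. The following script is an added example rather than anything FortiADC ships: it polls public resolvers with dig for the _acme-challenge record and compares the answer with the value FortiADC displayed. The domain, token, resolver addresses and timings are illustrative assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example (not FortiADC tooling): confirm the DNS-01 TXT record is
# visible on public resolvers before the Challenge Wait Time runs out.
# Domain, token, resolvers and timings are assumptions for illustration.

DOMAIN="www.example.com"                          # Domain Name from the import form
EXPECTED_TOKEN="constructed-token-from-fortiadc"  # the Target value shown by FortiADC
RESOLVERS="8.8.8.8 1.1.1.1"                       # public resolvers to check
WAIT_MINUTES=20       # keep this below the Challenge Wait Time set in FortiADC
POLL_SECONDS=30

# Asks one resolver for the TXT record. Kept as a separate function so it
# can be swapped for canned output when testing offline.
query_txt() {
  dig +short TXT "_acme-challenge.$1" "@$2" 2>/dev/null
}

# Returns 0 when the expected token is among the TXT values. dig prints each
# value quoted, so quotes are stripped before the exact, literal comparison.
txt_has_token() {
  query_txt "$1" "$2" | tr -d '"' | grep -qxF "$3"
}

# Returns 0 once every resolver in $RESOLVERS returns the token, or 1 when
# $3 minutes pass first. A record that only some resolvers see yet is not
# safe to rely on, since the provider may query one that still misses it.
wait_for_propagation() {
  domain=$1; token=$2; deadline=$(( $(date +%s) + $3 * 60 ))
  while :; do
    missing=0
    for r in $RESOLVERS; do
      txt_has_token "$domain" "$r" "$token" || missing=1
    done
    [ "$missing" -eq 0 ] && return 0
    [ "$(date +%s)" -ge "$deadline" ] && return 1
    sleep "$POLL_SECONDS"
  done
}

# Live run (needs network and dig); set RUN_LIVE=1 to enable.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  if wait_for_propagation "$DOMAIN" "$EXPECTED_TOKEN" "$WAIT_MINUTES"; then
    echo "TXT record visible on all resolvers; the challenge can succeed"
  else
    echo "TXT record not visible within $WAIT_MINUTES minutes; check the record" >&2
    exit 1
  fi
fi
```

Run it with RUN_LIVE=1 right after saving the TXT record; if it reports success well inside the configured wait time, the provider's query will find the record. If it times out, check the record name and value at the provider before the FortiADC status turns to Fail.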

Fulfilling the ACME TLS-ALPN-01 challenge

For the TLS-ALPN-01 challenge, the ACME server validates control of the domain name by opening a TLS connection to one of the addresses the domain name resolves to. In FortiADC, that address must belong to an HTTPS virtual server that has a placeholder certificate linked to it; when the automated certificate is imported under the placeholder's name, FortiADC takes over that binding and presents a temporary validation certificate to the ACME server to satisfy the challenge. The ACME server connects on TCP port 443, the port the TLS-ALPN-01 challenge is defined to use, so port 443 on the virtual server address must be reachable from the internet.

Before configuring an automated certificate using the TLS-ALPN-01 challenge, you must set up the following:

  • A valid local certificate that functions as a placeholder

  • An HTTPS virtual server to link the placeholder certificate

Once the placeholder certificate has been linked to the HTTPS virtual server, you will then use the placeholder certificate name and the domain name from the virtual server to import the automated certificate using the TLS-ALPN-01 challenge. This certificate then replaces the placeholder certificate so that it will be linked to the HTTPS virtual server to fulfill the TLS-ALPN-01 challenge.

To prepare the placeholder certificate and HTTPS virtual server for the ACME TLS-ALPN-01 challenge:
  1. Generate or import a local certificate to serve as the placeholder. This certificate must be valid (Status is OK). Ensure the Key Type of this placeholder certificate matches the key type of the automated certificate you intend to import; for example, if the placeholder certificate is RSA, the automated certificate must also be RSA. Record the certificate name for use in later steps. For details, see Importing a local certificate.

    Note: If importing a local certificate, you should only import the following certificate types: Certificate, PKCS12 Certificate and Local CSR Certificate. As the placeholder certificate must be valid, it is not recommended to use an Automated certificate type for this purpose since this type of certificate cannot be valid until the ACME challenge is fulfilled.
  2. Create a local certificate group and add the placeholder certificate you have created previously under this certificate group. Select the placeholder certificate from the Local Certificate drop-down and leave all other parameters as default. Record the certificate group name for use in later steps. For details, see Creating a local certificate group.
  3. Create a Client SSL profile and add the certificate group you have created previously as the Local Certificate Group. Record the Client SSL profile name for use in later steps. For details, see Configuring client SSL profiles.
  4. Create an HTTPS virtual server. Apply the Client SSL profile you have created previously. For details, see Configuring virtual servers.
    The Address of this HTTPS virtual server must be reachable under the domain name: register the domain at a DNS service provider and point its DNS record to the virtual server's IP address, so that the ACME provider's connection to the domain reaches the virtual server. Record the domain for use in later steps.
  5. Import the automated certificate using the TLS-ALPN-01 challenge type.
    Enter the following settings according to these guidelines.

      Certificate Name: The name must match the name of the placeholder certificate. Once this automated certificate configuration is completed, it replaces the placeholder certificate.

      Domain Name: Enter the domain of the HTTPS virtual server that is linked to the placeholder certificate. The ACME provider connects to this domain, which must resolve to the HTTPS virtual server's IP address.

      Key Type: Must match the key type of the placeholder certificate.
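The three settings that must agree (placeholder name, domain, key type) are easy to get wrong, and a key-type mismatch in particular is only reported at import. The following script is an added example, not FortiADC's own tooling: it reads the key type out of a PEM copy of the placeholder certificate and compares it with the Key Type you plan to select, checks that the domain resolves to the virtual server address, and probes port 443 with the acme-tls/1 ALPN protocol that the ACME server offers. The certificate path, domain, address and key type are illustrative assumptions, and the script generates a self-signed stand-in for the placeholder so the key-type part runs offline.

```shell
#!/bin/sh
# Added example (not FortiADC tooling): preflight checks for the
# TLS-ALPN-01 placeholder setup. Paths, domain, address and key type are
# assumptions for illustration; in practice PLACEHOLDER_CERT is a PEM copy
# of the placeholder certificate you linked to the HTTPS virtual server.
set -eu

WORK=$(mktemp -d)
PLACEHOLDER_CERT="$WORK/placeholder.crt"  # PEM copy of the placeholder certificate
DOMAIN="www.example.com"                   # Domain Name for the automated certificate
VIP_ADDRESS="203.0.113.10"                 # Address of the HTTPS virtual server
INTENDED_KEY_TYPE="RSA"                    # Key Type you will select: RSA or ECDSA

# Constructed sample: writes a self-signed certificate with key type $1
# (RSA or ECDSA) to $2, standing in for the real placeholder.
make_sample_cert() {
  case "$1" in
    RSA)   keyopt="-newkey rsa:2048" ;;
    ECDSA) keyopt="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1" ;;
    *)     echo "unknown key type: $1" >&2; return 2 ;;
  esac
  # word splitting of $keyopt is intended
  openssl req -x509 $keyopt -nodes -days 90 -subj "/CN=$DOMAIN" \
    -keyout "$WORK/sample.key" -out "$2" >/dev/null 2>&1
}

# Prints RSA or ECDSA for the public key algorithm in a PEM certificate,
# the value that must equal the Key Type of the automated certificate.
cert_key_type() {
  alg=$(openssl x509 -in "$1" -noout -text \
        | awk -F': ' '/Public Key Algorithm/ { print $2; exit }')
  case "$alg" in
    rsaEncryption)  echo RSA ;;
    id-ecPublicKey) echo ECDSA ;;
    *)              echo "$alg" ;;
  esac
}

# Returns 0 when the placeholder's key type equals the intended Key Type.
key_type_matches() {
  [ "$(cert_key_type "$1")" = "$2" ]
}

# Returns 0 when the domain resolves (A or AAAA) to the virtual server
# address, so the ACME server's connection lands on FortiADC. Needs network.
domain_points_to_vip() {
  getent ahosts "$1" | awk '{ print $1 }' | grep -qxF "$2"
}

# Returns 0 when the VIP completes a TLS handshake on port 443 with the
# acme-tls/1 ALPN protocol offered, as the ACME server will (RFC 8737).
# Needs network; a closed port or a firewall in front of the VIP fails here.
vip_accepts_acme_tls() {
  printf '' | openssl s_client -connect "$1:443" -servername "$2" \
    -alpn acme-tls/1 >/dev/null 2>&1
}

# Stand-alone run against a constructed placeholder of the intended type.
make_sample_cert "$INTENDED_KEY_TYPE" "$PLACEHOLDER_CERT"
echo "placeholder key type: $(cert_key_type "$PLACEHOLDER_CERT")"
key_type_matches "$PLACEHOLDER_CERT" "$INTENDED_KEY_TYPE" \
  && echo "key type matches the intended Key Type ($INTENDED_KEY_TYPE)"

# Live checks (need network); set RUN_LIVE=1 to enable.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  domain_points_to_vip "$DOMAIN" "$VIP_ADDRESS" && echo "$DOMAIN resolves to $VIP_ADDRESS"
  vip_accepts_acme_tls "$VIP_ADDRESS" "$DOMAIN" && echo "$VIP_ADDRESS:443 accepts TLS with acme-tls/1 offered"
fi
```

For a real preflight, export the placeholder certificate from FortiADC, point PLACEHOLDER_CERT at it, set DOMAIN and VIP_ADDRESS to the values from steps 4 and 5, and run with RUN_LIVE=1 from a host outside your network so the port 443 probe reflects what the ACME server will see.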
