Fortinet black logo

Administration Guide

Uploading trusted CA certificates

Uploading trusted CA certificates

In order for FortiWeb to authenticate client certificates, you must upload trusted CA certificates to FortiWeb.

To be valid, a client certificate must:

  • Not be expired.
  • Not be revoked by a certificate revocation list (CRL).
  • Be signed by a certificate authority (CA) whose certificate you have imported into the FortiWeb appliance. For details, see "Uploading trusted CA certificates" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).
  • Contain a CA field whose value matches a CA’s certificate.
  • Contain an Issuer field whose value matches the Subject field in a CA’s certificate.

Certificate validation rules tell FortiWeb which set of CA certificates to use when it validates personal certificates. They also specify a CRL, if any, if the client’s certificate must be checked for revocation.

To use CA certificates in a certificate verification rule for PKI authentication, you'll need to create a CA group for the CA certificate(s) that you want to include.

To upload a CA’s certificate
  1. Obtain a copy of your CA’s certificate file.
  2. If you are using a commercial CA, your web browser should already contain a copy in its CA trust store. Export a copy of the file to your desktop or other folder.

    If you are using your own private CA, download a copy from your CA’s server. For example, on Windows Server 2003, you would go to:

    https://<ca-server_ipv4>/certsrv/

    where <ca-server_ipv4> is the IP address of your CA server. Log in as Administrator. Other accounts may not have sufficient privileges. The Microsoft Certificate Services home page for your server’s CA should appear, and you can download a CA certificate, certificate chain, or CRL from there.

    Verify that your private CA’s certificate does not contain its private keys. Disclosure of private keys compromises the security of your network, and will require you to revoke and regenerate all certificates signed by that CA.
  3. Go to Server Objects > Certificates > CA and select the CA tab.
  4. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see "Permissions" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

  5. Click Import to upload a certificate.
  6. Enable Local PC and browse to find a certificate file.
  7. Click OK.
  8. To use the CA certificate when validating clients’ personal certificates, select it in a CA certificate group, which is then selected in a certificate verification rule. For details, see To configure a CA certificate group.
To configure a CA certificate group
  1. Go to Server Objects > Certificates > CA and select the CA Group tab.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category.

  3. Click Create New.
  4. For Name, enter a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
  5. Click OK.
  6. Click Create New.
  7. For ID, FortiWeb automatically assigns the next available index number.
  8. For CA, select the name of a certificate authority’s certificate that you previously uploaded and want to add to the group.
  9. Enable Publish CA Distinguished Name to list only certificates related to the specified CA. This is beneficial when a client installs many certificates in its browser or when apps don't list client certificates. If you enable this option, also enable the option in a certificate validation rule. For details, see To configure a certificate validation rule.
  10. Click OK.
  11. To apply a CA group, select it in a certificate verification rule. For details, see To configure a certificate validation rule.

To configure a certificate validation rule
  1. Go to Server Objects > Certificates > Certificate Verify.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category.

  3. Click Create New.
  4. Configure these settings:
  5. Name Type a name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    CA Group Select the name of the CA Group you have created in the previous steps.
    CRL Group Select the name of an existing CRL Group, if any, to use to verify the revocation status of client certificates. For details, see "Revoking certificates" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).
    Publish CA Distinguished Name Enable to list only certificates related to the specified CA group. This is beneficial when a client installs many certificates in its browser or when apps don't list client certificates. If you enable this option, also enable the option in a CA group. For details, see "Grouping trusted CA certificates" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    Strictly Require Client Certificate

    Enable it so that FortiWeb requires a client to provide a client certificate during the SSL handshake. When enabled, if a client doesn't provide a client certificate during the SSL handshake, FortiWeb won't accept the request.

  6. Click OK.

Uploading trusted CA certificates

In order for FortiWeb to authenticate client certificates, you must upload trusted CA certificates to FortiWeb.

To be valid, a client certificate must:

  • Not be expired.
  • Not be revoked by a certificate revocation list (CRL).
  • Be signed by a certificate authority (CA) whose certificate you have imported into the FortiWeb appliance. For details, see "Uploading trusted CA certificates" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).
  • Contain a CA field whose value matches a CA’s certificate.
  • Contain an Issuer field whose value matches the Subject field in a CA’s certificate.

Certificate validation rules tell FortiWeb which set of CA certificates to use when it validates personal certificates. They also specify a CRL, if any, if the client’s certificate must be checked for revocation.

To use CA certificates in a certificate verification rule for PKI authentication, you'll need to create a CA group for the CA certificate(s) that you want to include.

To upload a CA’s certificate
  1. Obtain a copy of your CA’s certificate file.
  2. If you are using a commercial CA, your web browser should already contain a copy in its CA trust store. Export a copy of the file to your desktop or other folder.

    If you are using your own private CA, download a copy from your CA’s server. For example, on Windows Server 2003, you would go to:

    https://<ca-server_ipv4>/certsrv/

    where <ca-server_ipv4> is the IP address of your CA server. Log in as Administrator. Other accounts may not have sufficient privileges. The Microsoft Certificate Services home page for your server’s CA should appear, and you can download a CA certificate, certificate chain, or CRL from there.

    Verify that your private CA’s certificate does not contain its private keys. Disclosure of private keys compromises the security of your network, and will require you to revoke and regenerate all certificates signed by that CA.
  3. Go to Server Objects > Certificates > CA and select the CA tab.
  4. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see "Permissions" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

  5. Click Import to upload a certificate.
  6. Enable Local PC and browse to find a certificate file.
  7. Click OK.
  8. To use the CA certificate when validating clients’ personal certificates, select it in a CA certificate group, which is then selected in a certificate verification rule. For details, see To configure a CA certificate group.
To configure a CA certificate group
  1. Go to Server Objects > Certificates > CA and select the CA Group tab.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category.

  3. Click Create New.
  4. For Name, enter a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
  5. Click OK.
  6. Click Create New.
  7. For ID, FortiWeb automatically assigns the next available index number.
  8. For CA, select the name of a certificate authority’s certificate that you previously uploaded and want to add to the group.
  9. Enable Publish CA Distinguished Name to list only certificates related to the specified CA. This is beneficial when a client installs many certificates in its browser or when apps don't list client certificates. If you enable this option, also enable the option in a certificate validation rule. For details, see To configure a certificate validation rule.
  10. Click OK.
  11. To apply a CA group, select it in a certificate verification rule. For details, see To configure a certificate validation rule.

To configure a certificate validation rule
  1. Go to Server Objects > Certificates > Certificate Verify.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category.

  3. Click Create New.
  4. Configure these settings:
  5. Name Type a name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    CA Group Select the name of the CA Group you have created in the previous steps.
    CRL Group Select the name of an existing CRL Group, if any, to use to verify the revocation status of client certificates. For details, see "Revoking certificates" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).
    Publish CA Distinguished Name Enable to list only certificates related to the specified CA group. This is beneficial when a client installs many certificates in its browser or when apps don't list client certificates. If you enable this option, also enable the option in a CA group. For details, see "Grouping trusted CA certificates" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    Strictly Require Client Certificate

    Enable it so that FortiWeb requires a client to provide a client certificate during the SSL handshake. When enabled, if a client doesn't provide a client certificate during the SSL handshake, FortiWeb won't accept the request.

  6. Click OK.