Administration Guide

CA certificates

In order for FortiWeb to authenticate client certificates, you must upload trusted CA certificates to FortiWeb.

Importing CA certificate files locally

Certificate authorities (CAs) validate and sign others’ certificates. When FortiWeb needs to know whether a client or device’s certificate is genuine, it examines the CA’s signature on that certificate, checking it against the public key in the copy of the CA’s certificate that you uploaded to determine whether the signature was made with that CA’s private key. If it was, the CA’s signature is genuine, and therefore the client or device’s certificate is legitimate.

If the signing CA is not known, that CA’s own certificate must likewise be signed by one or more other intermediary CAs, until both the FortiWeb appliance and the client or device can demonstrate a signing chain that ultimately leads to a mutually trusted (shared “root”) CA that they have in common. Like a direct signature by a known CA, this proves that the certificate can be trusted. For information on how to include a signing chain, see Uploading a server certificate.

To use CA certificates in a certificate verification rule for PKI authentication or a Server Name Indication (SNI) configuration, you'll need to create a CA group for the CA certificate(s) that you want to include.

In addition to uploading CA certificates to include in a CA group, you can also upload European Union (EU) Trust Service Lists (TSL) (HTTPs://ec.europa.eu/digital-single-market/en/eu-trusted-lists-trust-service-providers). A TSL is a list of qualified trust service providers and services. Member states of the EU are obligated to publish lists of qualified trust providers and services that include lists of certificates and CAs for each trusted provider and service. You can upload a TSL in two ways:

  • Upload an XML file of the TSL.
  • Enter the distribution URL of the TSL.

When you upload a TSL, FortiWeb verifies X.509 certificates that the qualified service providers use to verify trusted services. You'll also need to add each TSL into a CA group. For details, see To upload a European Union Trusted Service List.

Until you upload at least one CA certificate, FortiWeb can't validate any other client or device's certificate, and secure connection attempts will fail.

FortiWeb may require you to provide certificates and CRLs even if your websites’ clients do not use HTTPS to connect to the websites.

For example, when sending alert email via SMTP or querying an authentication server via LDAP, FortiWeb will validate the server’s certificate by comparing the server certificate’s CA signature with the certificates of CAs that are known and trusted by the FortiWeb appliance.

To upload a CA’s certificate
  1. Obtain a copy of your CA’s certificate file.
  2. If you are using a commercial CA, your web browser should already contain a copy in its CA trust store. Export a copy of the file to your desktop or other folder.

    If you are using your own private CA, download a copy from your CA’s server. For example, on Windows Server 2003, you would go to:

    HTTPs://<ca-server_ipv4>/certsrv/

    where <ca-server_ipv4> is the IP address of your CA server. Log in as Administrator. Other accounts may not have sufficient privileges. The Microsoft Certificate Services home page for your server’s CA should appear, and you can download a CA certificate, certificate chain, or CRL from there.

    Verify that your private CA’s certificate does not contain its private keys. Disclosure of private keys compromises the security of your network, and will require you to revoke and regenerate all certificates signed by that CA.
  3. Go to Server Objects > Certificates > CA and select the CA tab.
  4. You can click View Certificate Detail to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.

  5. To upload a certificate, click Import.
  6. To select a certificate, do one of the following:
    • Enable SCEP and in the field to the right of it, type the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediary network devices to obtain certificates.)

      To specify a particular CA, type its identifier in the field below the URL.

    • Enable Local PC and browse to find a certificate file.
  7. Click OK.
  8. To use the CA certificate when validating clients’ personal certificates, select it in a CA certificate group, which is then selected in a certificate verification rule. For details, see Grouping trusted CA certificates.
  9. To test your configuration, cause your appliance to initiate a secure connection to an LDAPS server. For details, see Grouping remote authentication queries and certificates for administrators.
  10. If the query fails, verify that your CA is the same one that signed the LDAP server’s certificate, and that its certificate’s extensions indicate that the certificate can be used to sign other certificates. Verify that both the appliance and LDAP server support the same cipher suites and SSL/TLS protocols. Also verify that your routers and firewalls are configured to allow the connection.
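The private-key check in step 2 and the troubleshooting checks at the end of the procedure, written out as a shell script an administrator can run on a workstation before importing a CA file. This is an added example, not Fortinet's code; it assumes the openssl CLI is installed and constructs its own throwaway private CA, an LDAP server certificate issued by it, a faulty export that bundles the private key, and an unrelated CA.

```shell
# Added example (not Fortinet's code): checks to run on a CA certificate file
# before uploading it to FortiWeb (no private key in the file; extensions allow
# signing certificates) and a local reproduction of the chain check FortiWeb
# performs against an LDAPS server certificate. All material is constructed.
set -e
WORK=$(mktemp -d)

# Returns 0 if the PEM file is readable and carries no private key block.
ca_has_no_private_key() {
  [ -r "$1" ] && ! grep -q 'PRIVATE KEY' "$1"
}

# Returns 0 if basicConstraints says CA:TRUE and keyUsage includes keyCertSign.
ca_can_sign_certs() {
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'CA:TRUE' && echo "$txt" | grep -q 'Certificate Sign'
}

# Returns 0 if the leaf certificate verifies against the given CA file.
leaf_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- constructed material (stands in for a private CA and its LDAP server) ---
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Private CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Root CA: the key stays in ca.key; only ca.pem would be uploaded to FortiWeb.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# LDAP server certificate issued by that CA (hypothetical host name).
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -subj '/CN=ldap.example.internal' -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/ldap.pem" 2>/dev/null
# Mistaken export that bundles the private key with the certificate.
cat "$WORK/ca.pem" "$WORK/ca.key" > "$WORK/ca-with-key.pem"
# Unrelated CA that did not issue the LDAP certificate.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
  -subj '/CN=Other CA' -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

ca_has_no_private_key "$WORK/ca-with-key.pem" || echo "ca-with-key.pem: contains a private key, do not upload"
ca_can_sign_certs "$WORK/ca.pem" && echo "ca.pem: CA:TRUE with keyCertSign"
leaf_chains_to_ca "$WORK/ca.pem" "$WORK/ldap.pem" && echo "ldap.pem chains to ca.pem"
```

If the LDAP server certificate does not verify against the uploaded CA file, the FortiWeb query fails for the same reason, so this is the first thing to reproduce when troubleshooting.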

To upload a European Union Trusted Service List
  1. Go to Server Objects > Certificates > CA.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.

  2. Select the TSL CA tab.
  3. Click Import.
  4. Configure these settings:

    Name
    Enter a name that can be referenced by other parts of the configuration. You'll use this name to select the TSL in a CA group. The maximum length is 63 characters.

    URL
    Enable to upload a TSL using its distribution URL. If enabled, enter the distribution URL for the TSL in the accompanying text box. The URL must begin with either HTTP:// or HTTPs:// and end with .xml.

    Local PC
    Enable to upload an XML file that contains the TSL. If enabled, click Choose File and select the relevant file on your computer. When you select a file to be uploaded, FortiWeb will check whether the file is valid before you can import the TSL.

  5. Click OK.

    If the upload is successful, FortiWeb will return the message CA Certificate successfully uploaded.

  6. Confirm that the TSL is available so that you can include it in a CA group.

    To do so, click Return to navigate back to the TSL CA tab. The Status column of the TSL will indicate whether you can use the TSL in a CA group:

    • Available: FortiWeb validated the TSL, and you can use it in a CA group.
    • Unavailable: FortiWeb failed to validate the TSL, and you can't select it in a CA group.

Grouping trusted CA certificates

CAs must belong to a group in order to be selected either in a certificate verification rule for PKI authentication or a Server Name Indication (SNI) configuration. For details, see Configuring FortiWeb to validate client certificates and Allowing FortiWeb to support multiple server certificates.

To configure a CA certificate group
  1. Before you can create a CA group, you must upload at least one of the certificate authority (CA) certificates that you want to add to the group. For details, see CA certificates.
  2. Go to Server Objects > Certificates > CA and select the CA Group tab.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.

  3. Click Create New.
  4. For Name, enter a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
  5. Click OK.
  6. Click Create New.
  7. For ID, FortiWeb automatically assigns the next available index number.
  8. For CA, select the name of a certificate authority’s certificate that you previously uploaded and want to add to the group.
  9. Enable Publish CA Distinguished Name to list only certificates related to the specified CA. This is beneficial when a client installs many certificates in its browser or when apps don't list client certificates. If you enable this option, also enable the option in a certificate validation rule. For details, see To configure a certificate validation rule.
  10. Click OK.
  11. Repeat the previous steps for each CA that you want to add to the group.
  12. To apply a CA group, select it in a certificate verification rule. For details, see Configuring FortiWeb to validate client certificates.
