Fortinet black logo

Administration Guide

Seamless PKI integration

Seamless PKI integration

Seamless PKI integration allows you to configure FortiWeb to verify client certificates and resign a new certificate that is sent to the server for client requests. You can configure a PKI environment in FortiWeb without changing the network or application.

This feature is used for servers that authenticate users' priorities according to each user's client certificate. When seamless PKI integration is configured, FortiWeb attempts to verify client certificates when users make requests. If FortiWeb successfully verifies the client certificate, it uses the client certificate's subject name and extensions to create a client certificate proxy and resign a new certificate that it then uses to connect to the server. If FortiWeb cannot successfully verify the client certificate, the connection will be closed and an attack log will be generated.

Seamless PKI integration is available when FortiWeb is in Reverse Proxy and True Transparent Proxy mode.

tooltip icon

For the client certificate proxy process to work, Certificate Verification or Enable Server name Indication (SNI) needs to be configured in a server policy. For details, see Configuring a server policy.

When Client Certificate Proxy is enabled in a server pool rule, if a Client Certificate has also been selected, the Client Certificate will not be used and the Client Certificate Proxy will take effect instead.

To configure seamless PKI integration in Reverse Proxy Mode
  1. Go to Server Objects > Certificates > Sign CA.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
  2. For Type, select one of the following:
  3. PKCS12 Certificate

    Upload a Certificate with key file and enter the Password

    Certificate

    Upload a Certificate File, Key File, and enter the Password.

  4. Click OK.
  5. Go to Server Objects > Server > Server Pool.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  6. Modify an existing server pool or create a new one.
    To modify an existing server pool, select it and click Edit.
    To create a new server pool, click Create New.
  7. Enter a Name for the server pool. You will use this name to select the pool in other parts of the configuration. The maximum length is 63 characters.
  8. Select Reverse Proxy for the Type.
  9. If you select Server Balance for Single Server/Server Balance, see Configure these settings: for configuration instructions.
  10. Click OK.
  11. Modify an existing server pool rule or create a one new.
    To modify an existing server pool rule, select it and click Edit.
    Note: You will have to enable SSL if it is not already configured.
    To create a new server pool rule, click Create New.
  12. Enable SSL.
  13. Enable Client Certificate Proxy.
  14. For Client Certificate Proxy Sign CA, select the Sign CA you uploaded in For Type, select one of the following:.
  15. When you are finished configuring the rule, click OK.
  16. Go to Policy > Server Policy.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  17. Modify an existing server policy or create a new one.
    To modify an existing server policy, select it and click Edit.
    Note: You will have to select a value for the HTTPS Service if it is not already configured.
    To create a new server policy, click Create New.
  18. Configure either:
  19. Certificate Verification

    Select the name of a certificate verifier that FortiWeb will use to validate an HTTP client’s personal certificate.

    Enable Server Name Indication (SNI)

    Enable this option and configure these settings:

    • Enable Strict SNI—Optionally, enable so that FortiWeb will ignore the Certificate when it determines which certificate to present on behalf of server pool members.
    • SNI Policy—Select the Server Name Indication (SNI) configuration that determines which certificate FortiWeb presents on behalf of the members of the server pool.

    Note: You cannot enable both Certificate Verification and Enable Server Name Indication (SNI).

  20. For Server Pool, select the server pool that you modified or created in Modify an existing server pool rule or create a one new.To modify an existing server pool rule, select it and click Edit.Note: You will have to enable SSL if it is not already configured.To create a new server pool rule, click Create New..
  21. Click OK.
To configure seamless PKI integration in True Transparent Proxy mode
  1. Go to Server Objects > Certificates > Sign CA.
  2. To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  3. For Type, select either:
  4. PKCS12 Certificate

    Upload a Certificate with key file and enter the Password

    Certificate

    Upload a Certificate File, Key File, and enter the Password.

  5. Click OK.
  6. Go to Server Objects > Server > Server Pool.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  7. Modify an existing server pool or create a new one.
    To modify an existing server pool, select it and click Edit.
    To create a new server pool, click Create New.
  8. Enter a Name for the server pool. You will use this name to select the pool in other parts of the configuration. The maximum length is 63 characters.
  9. Select True Transparent Proxy for the Type.
  10. Click OK.
  11. Modify an existing server pool rule or create a one new.
    To modify an existing server pool rule, select it and click Edit.
    Note: You will have to enable SSL if it is not already configured.
    To create a new server pool rule, click Create New.
  12. Enable SSL.
  13. Click Show advanced SSL settings.
  14. Enable Client Certificate Proxy.
  15. For Client Certificate Proxy Sign CA, select the Sign CA you uploaded in For Type, select either:.
  16. Configure either:
  17. Certificate Verification

    Select the name of a certificate verifier that FortiWeb will use to validate an HTTP client’s personal certificate.

    Enable Server Name Indication (SNI)

    Enable this option and configure these settings:

    • Enable Strict SNI—Optionally, enable so that FortiWeb will ignore the Certificate when it determines which certificate to present on behalf of server pool members.
    • SNI Policy—Select the Server Name Indication (SNI) configuration that determines which certificate FortiWeb presents on behalf of the members of the server pool.

    Note: You cannot enable both Certificate Verification and Enable Server Name Indication (SNI).

  18. Go to Policy > Server Policy.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  19. Modify an existing server policy or create a new one.
  20. For Server Pool, select the server pool that you modified or created in Modify an existing server pool rule or create a one new.To modify an existing server pool rule, select it and click Edit.Note: You will have to enable SSL if it is not already configured.To create a new server pool rule, click Create New..
    To modify an existing server policy, select it and click Edit.
    To create a new server policy, click Create New.
  21. Click OK.
See also

Seamless PKI integration

Seamless PKI integration allows you to configure FortiWeb to verify client certificates and resign a new certificate that is sent to the server for client requests. You can configure a PKI environment in FortiWeb without changing the network or application.

This feature is used for servers that authenticate users' priorities according to each user's client certificate. When seamless PKI integration is configured, FortiWeb attempts to verify client certificates when users make requests. If FortiWeb successfully verifies the client certificate, it uses the client certificate's subject name and extensions to create a client certificate proxy and resign a new certificate that it then uses to connect to the server. If FortiWeb cannot successfully verify the client certificate, the connection will be closed and an attack log will be generated.

Seamless PKI integration is available when FortiWeb is in Reverse Proxy and True Transparent Proxy mode.

tooltip icon

For the client certificate proxy process to work, Certificate Verification or Enable Server name Indication (SNI) needs to be configured in a server policy. For details, see Configuring a server policy.

When Client Certificate Proxy is enabled in a server pool rule, if a Client Certificate has also been selected, the Client Certificate will not be used and the Client Certificate Proxy will take effect instead.

To configure seamless PKI integration in Reverse Proxy Mode
  1. Go to Server Objects > Certificates > Sign CA.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
  2. For Type, select one of the following:
  3. PKCS12 Certificate

    Upload a Certificate with key file and enter the Password

    Certificate

    Upload a Certificate File, Key File, and enter the Password.

  4. Click OK.
  5. Go to Server Objects > Server > Server Pool.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  6. Modify an existing server pool or create a new one.
    To modify an existing server pool, select it and click Edit.
    To create a new server pool, click Create New.
  7. Enter a Name for the server pool. You will use this name to select the pool in other parts of the configuration. The maximum length is 63 characters.
  8. Select Reverse Proxy for the Type.
  9. If you select Server Balance for Single Server/Server Balance, see Configure these settings: for configuration instructions.
  10. Click OK.
  11. Modify an existing server pool rule or create a one new.
    To modify an existing server pool rule, select it and click Edit.
    Note: You will have to enable SSL if it is not already configured.
    To create a new server pool rule, click Create New.
  12. Enable SSL.
  13. Enable Client Certificate Proxy.
  14. For Client Certificate Proxy Sign CA, select the Sign CA you uploaded in For Type, select one of the following:.
  15. When you are finished configuring the rule, click OK.
  16. Go to Policy > Server Policy.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  17. Modify an existing server policy or create a new one.
    To modify an existing server policy, select it and click Edit.
    Note: You will have to select a value for the HTTPS Service if it is not already configured.
    To create a new server policy, click Create New.
  18. Configure either:
  19. Certificate Verification

    Select the name of a certificate verifier that FortiWeb will use to validate an HTTP client’s personal certificate.

    Enable Server Name Indication (SNI)

    Enable this option and configure these settings:

    • Enable Strict SNI—Optionally, enable so that FortiWeb will ignore the Certificate when it determines which certificate to present on behalf of server pool members.
    • SNI Policy—Select the Server Name Indication (SNI) configuration that determines which certificate FortiWeb presents on behalf of the members of the server pool.

    Note: You cannot enable both Certificate Verification and Enable Server Name Indication (SNI).

  20. For Server Pool, select the server pool that you modified or created in Modify an existing server pool rule or create a one new.To modify an existing server pool rule, select it and click Edit.Note: You will have to enable SSL if it is not already configured.To create a new server pool rule, click Create New..
  21. Click OK.
To configure seamless PKI integration in True Transparent Proxy mode
  1. Go to Server Objects > Certificates > Sign CA.
  2. To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  3. For Type, select either:
  4. PKCS12 Certificate

    Upload a Certificate with key file and enter the Password

    Certificate

    Upload a Certificate File, Key File, and enter the Password.

  5. Click OK.
  6. Go to Server Objects > Server > Server Pool.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  7. Modify an existing server pool or create a new one.
    To modify an existing server pool, select it and click Edit.
    To create a new server pool, click Create New.
  8. Enter a Name for the server pool. You will use this name to select the pool in other parts of the configuration. The maximum length is 63 characters.
  9. Select True Transparent Proxy for the Type.
  10. Click OK.
  11. Modify an existing server pool rule or create a one new.
    To modify an existing server pool rule, select it and click Edit.
    Note: You will have to enable SSL if it is not already configured.
    To create a new server pool rule, click Create New.
  12. Enable SSL.
  13. Click Show advanced SSL settings.
  14. Enable Client Certificate Proxy.
  15. For Client Certificate Proxy Sign CA, select the Sign CA you uploaded in For Type, select either:.
  16. Configure either:
  17. Certificate Verification

    Select the name of a certificate verifier that FortiWeb will use to validate an HTTP client’s personal certificate.

    Enable Server Name Indication (SNI)

    Enable this option and configure these settings:

    • Enable Strict SNI—Optionally, enable so that FortiWeb will ignore the Certificate when it determines which certificate to present on behalf of server pool members.
    • SNI Policy—Select the Server Name Indication (SNI) configuration that determines which certificate FortiWeb presents on behalf of the members of the server pool.

    Note: You cannot enable both Certificate Verification and Enable Server Name Indication (SNI).

  18. Go to Policy > Server Policy.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  19. Modify an existing server policy or create a new one.
  20. For Server Pool, select the server pool that you modified or created in Modify an existing server pool rule or create a one new.To modify an existing server pool rule, select it and click Edit.Note: You will have to enable SSL if it is not already configured.To create a new server pool rule, click Create New..
    To modify an existing server policy, select it and click Edit.
    To create a new server policy, click Create New.
  21. Click OK.
See also