system certificate ocsp-responder

Use this command to configure the OCSP Responder.

In SSL/TLS connections between clients (such as browsers or apps) and FortiWeb, clients by default check the server certificate presented by FortiWeb, verifying it against a trusted CA store and ensuring that it is neither revoked nor expired.

For high-security scenarios it is essential to validate the identity of the clients as well. A common use case for client certificates is in online banking systems, where a bank may issue customers a hardware device, such as a smart card or USB token, that stores a digital certificate. To access the banking system, the customer connects the device to their computer and configures their browser to use the stored certificate for identity verification.

To maintain security, FortiWeb must verify the client certificate's status (valid, revoked, or expired) so that it can block access attempts made with an invalid client certificate. FortiWeb supports the following two methods of client certificate revocation checking:

  • CRL file-based verification: A Certificate Revocation List (CRL) that is stored locally on FortiWeb. It is a file containing a list of revoked certificates.

  • OCSP checks: Real-time checks with the OCSP (Online Certificate Status Protocol) Responder, which provides the current revocation status of client certificates. Configuration details for this method are introduced in the following section.

The OCSP Responder configuration in FortiWeb involves two steps:

  • Import an OCSP signing certificate.
  • Configure OCSP Responder information for FortiWeb to request client certificate status from the specified OCSP URL.

Syntax

    config system certificate ocsp-responder
        edit <name>
            set ocsp-url <string>
            set ocsp-signing-certs-grp <datasource>
            set timeout <integer>
            set caching {enable | disable}
            set caching-ttl <integer>
            set comment <string>
        next
    end

Variables

<name>
    Enter a name for the OCSP Responder. The maximum length is 63 characters.
    Default: No default

ocsp-url <string>
    Enter the URL of the OCSP Responder.
    Default: No default

ocsp-signing-certs-grp <datasource>
    Select the OCSP signing certificate group you have created.
    Default: No default

timeout <integer>
    Specify the timeout of the OCSP query. The valid range is 1 to 30 seconds.
    Default: 2

caching {enable | disable}
    Enable to cache the OCSP responses for a defined period (set by the Caching TTL). FortiWeb can quickly retrieve the validation status from the cache rather than querying the OCSP responder every time.
    Default: disable

caching-ttl <integer>
    Caching TTL (Time to Live) is the duration for which the "This Update" timestamp in the OCSP response is considered valid.

    It is important to note that the "This Update" timestamp does not indicate the exact time when FortiWeb first requests the OCSP responder to validate a specific client certificate. Instead, it reflects the time of the OCSP responder's last periodic check of the certificate's status. For example, if the OCSP responder last checked the client certificate status at 13:30, the "This Update" timestamp will show 13:30, even if FortiWeb requests validation of the client certificate for the first time at 14:00.

    This design allows FortiWeb to use the OCSP responder's most recent validation result, improving efficiency by avoiding unnecessary revalidation while ensuring timely, accurate certificate status checks.

    The valid range is 1800 to 604800 seconds.

    This option is available only when Caching is enabled.
    Default: 3600

comment <string>
    Optionally, enter a description of the OCSP Responder. The maximum length is 199 characters.
    Default: No default
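The caching-ttl description above is easy to misread: the TTL runs from the responder's "This Update" timestamp, not from the moment FortiWeb first asks about a certificate. The following Python is an added illustration of that arithmetic, not FortiWeb's own code or any documented internal data structure. It models a cache entry, applies the documented ranges for timeout and caching-ttl, and walks through the 13:30 / 14:00 example with the default TTL of 3600 seconds. The `OcspStatus` record, the helper names, the certificate serial and the dates are all constructed for the example; treating a response as stale once its nextUpdate has passed is RFC 6960 guidance added here, not behaviour this page documents for FortiWeb.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

# Ranges and defaults as documented for `config system certificate ocsp-responder`.
TIMEOUT_RANGE = (1, 30)             # seconds, default 2
CACHING_TTL_RANGE = (1800, 604800)  # seconds, default 3600
DEFAULT_TIMEOUT = 2
DEFAULT_CACHING_TTL = 3600

UTC = timezone.utc


@dataclass(frozen=True)
class OcspStatus:
    """Constructed model of one cached OCSP result (an assumption for this
    example; FortiWeb's internal cache record is not documented here)."""
    cert_serial: str
    status: str                              # "good", "revoked" or "unknown"
    this_update: datetime                    # responder's thisUpdate, UTC
    next_update: Optional[datetime] = None   # responder's nextUpdate, if present


def validate_responder_settings(timeout: int = DEFAULT_TIMEOUT,
                                caching: bool = False,
                                caching_ttl: int = DEFAULT_CACHING_TTL) -> None:
    """Reject values outside the documented ranges. caching-ttl is only
    available when caching is enabled, so it is only checked in that case."""
    lo, hi = TIMEOUT_RANGE
    if not lo <= timeout <= hi:
        raise ValueError(f"timeout {timeout}s outside {lo}-{hi}")
    if caching:
        lo, hi = CACHING_TTL_RANGE
        if not lo <= caching_ttl <= hi:
            raise ValueError(f"caching-ttl {caching_ttl}s outside {lo}-{hi}")


def settings_are_valid(timeout: int = DEFAULT_TIMEOUT, caching: bool = False,
                       caching_ttl: int = DEFAULT_CACHING_TTL) -> bool:
    """Boolean wrapper around validate_responder_settings()."""
    try:
        validate_responder_settings(timeout, caching, caching_ttl)
    except ValueError:
        return False
    return True


def cache_entry_is_fresh(entry: OcspStatus, caching_ttl: int, now: datetime) -> bool:
    """A cached response is usable while thisUpdate + caching-ttl lies in the
    future. The TTL is counted from the responder's thisUpdate, not from when
    FortiWeb first asked. Expiring at nextUpdate is RFC 6960 guidance added
    here, not documented FortiWeb behaviour."""
    if entry.next_update is not None and now >= entry.next_update:
        return False
    return now < entry.this_update + timedelta(seconds=caching_ttl)


def resolve_status(entry: Optional[OcspStatus], caching: bool, caching_ttl: int,
                   now: datetime,
                   query_responder: Callable[[], OcspStatus]) -> Tuple[str, str, OcspStatus]:
    """Return (status, source, entry_used). source is "cache" when a fresh
    cached entry answered the question and "responder" when a live OCSP
    query was needed; the returned entry is what the cache should hold next."""
    if caching and entry is not None and cache_entry_is_fresh(entry, caching_ttl, now):
        return entry.status, "cache", entry
    fresh = query_responder()
    return fresh.status, "responder", fresh


def at(hour: int, minute: int) -> datetime:
    """Constructed timestamp on a fixed day, UTC."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=UTC)


# Constructed data for the reference's example: responder last checked the
# certificate at 13:30; FortiWeb first asks at 14:00 with the default TTL.
THIS_UPDATE = at(13, 30)
ENTRY = OcspStatus("0A1B2C", "good", THIS_UPDATE)


def walkthrough() -> list:
    """Sources used for requests at 14:00, 14:20, 14:35 and 15:00."""
    entry: Optional[OcspStatus] = ENTRY
    sources = []

    def live_query() -> OcspStatus:
        # Constructed: the responder re-checked the certificate at 14:30.
        return OcspStatus("0A1B2C", "good", at(14, 30))

    for hour, minute in ((14, 0), (14, 20), (14, 35), (15, 0)):
        _status, source, entry = resolve_status(entry, True, DEFAULT_CACHING_TTL,
                                                at(hour, minute), live_query)
        sources.append(source)
    return sources


if __name__ == "__main__":
    validate_responder_settings(timeout=2, caching=True, caching_ttl=3600)
    print(walkthrough())
```

With the default TTL the 13:30 response serves requests until 14:30, so the 14:00 and 14:20 requests are cache hits, the 14:35 request goes to the responder, and the refreshed entry (thisUpdate 14:30) then covers the 15:00 request. Sizing caching-ttl is a trade-off: a longer TTL reduces responder traffic but also lengthens the window in which a certificate revoked after thisUpdate is still accepted.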