Fortinet 261 FortiWeb 5.0 Patch 6 Administration Guide
Certificate Verification
Select the name of a certificate verifier, if any, to use when an HTTP
client presents their personal certificate. (If you do not select one, the
client is not required to present a personal certificate. See also “How
to apply PKI client authentication (personal certificates)” on
page 293.)
Personal certificates, sometimes also called user certificates,
establish the identity of the person connecting to the web site.
You can require that clients present a certificate alternatively or in
addition to HTTP authentication (see “Offloading HTTP authentication
& authorization” on page 225).
This option is available only if SSL is enabled, and only applies if the
FortiWeb appliance is operating in transparent proxy mode. (For
reverse proxy mode, configure this setting in the server policy
instead. See Certificate Verification in “Configuring a server policy” on
page 483.)
Note: The client must support SSL 3.0 or TLS 1.0.
Client Certificate Forwarding
Enable to include the X.509 personal certificate presented by the
client during the SSL/TLS handshake, if any, in an X-Client-Cert:
HTTP header when forwarding the traffic to the protected web server.
FortiWeb will still validate the client certificate itself, but this can be
useful if the web server requires the client certificate for the purpose
of server-side identity-based functionality.
This option is available only if SSL is enabled, and only applies if the
FortiWeb appliance is operating in transparent proxy mode. (For
reverse proxy mode, configure this setting in the server policy
instead. See Client Certificate Forwarding in “Configuring a server
policy” on page 483.)
Certificate Intermediate Group
Select the name of a group of intermediate certificate authority (CA)
certificates, if any, that will be presented to clients in order to
complete the signing chain for them to validate the server certificate’s
CA signature.
If clients receive certificate warnings that the server certificate
configured in Certificate File has been signed by an intermediary CA,
rather than directly by a root CA or other CA currently trusted by the
client, configure this option.
Alternatively, include the entire signing chain in the server certificate
itself before uploading it to the FortiWeb appliance, thereby
completing the chain of trust with a CA already known to the client.
See “Uploading a server certificate” on page 289 and
“Supplementing a server certificate with its signing chain” on
page 291.
This option is available only if SSL is enabled, and only applies if the
FortiWeb appliance is operating in transparent proxy mode. (For
reverse proxy mode, configure this setting in the server policy
instead. See Certificate Intermediate Group in “Configuring a server
policy” on page 483.)
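The effect of a missing intermediate CA certificate can be reproduced offline with the openssl command line. The following is an added example, not part of the Fortinet guide: it builds a constructed root CA, intermediate CA and server certificate, then validates the server certificate as a client that trusts only the root. All subjects, file names and function names are made up for the demonstration, and a standard OpenSSL installation is assumed.

```sh
#!/bin/sh
# Added example. Every name, subject and file here is constructed for the demo;
# nothing is taken from a FortiWeb appliance.

# Build root CA -> intermediate CA -> server certificate in directory $1.
build_demo_pki() {
    d=$1
    # Extensions that mark a certificate as a CA (used for root and intermediate).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    for n in root int srv; do
        case $n in
            root) cn="Demo Root CA" ;;
            int)  cn="Demo Intermediate CA" ;;
            srv)  cn="www.example.com" ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Root signs itself; root signs the intermediate; intermediate signs the server.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null
}

# Client trusts only the root. $2 = "yes" if the server also presents the intermediate.
client_validates() {
    if [ "$2" = yes ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/srv.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root.pem" "$1/srv.pem" >/dev/null 2>&1
    fi
}

# Prints one result line per case: "<intermediate presented>:<ok|fail>".
chain_report() {
    tmp=$(mktemp -d) || return 1
    build_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    for sent in no yes; do
        if client_validates "$tmp" "$sent"; then echo "$sent:ok"; else echo "$sent:fail"; fi
    done
    rm -rf "$tmp"
}

chain_report
```

The `no` case is the situation that produces the client certificate warning described above; the `yes` case corresponds to presenting the intermediate CA certificates alongside the server certificate.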
Setting name Description