Fortinet 5.0 Patch 6 Uploading trusted CAs certificates

Fortinet 280 FortiWeb 5.0 Patch 6 Administration Guide

Generally speaking, for security reasons, TLS 1.1, AES-256 or ECC, and SHA-1 are preferable.,

although you may not be able to use them for client compatibility reasons. Avoid using:

• SSL 2.0

• TLS 1.0

• Older hash algorithms, such as MD5. (On modern computers, these can be cracked quickly.)

• Ciphers with known vulnerabilities, such as some implementations of RC4, AES and DES

(e.g. To protect clients with incorrect CBC implementations for AES and DES, configure

Prioritize RC4 Cipher Suite.)

• Encryption bit strengths less than 128

• Older styles of renegotiation (These are vulnerable to man-in-the-middle (MITM) attacks.)

• Client-initiated renegotiation (Configure Disable Client-Initiated SSL Renegotiation.)

See also

•Offloading vs. inspection

•How to offload or inspect HTTPS

Uploading trusted CAs’ certificates

In order to authenticate other devices’ certificates, FortiWeb has a store of trusted CAs’

certificates. Until you upload at least one CA certificate, FortiWeb does not know and trust

any CAs, it cannot validate any other client or device’s certificate, and all of those secure

connections will fail.

Certificate authorities (CAs) validate and sign others’ certificates. When FortiWeb needs to know

whether a client or device’s certificate is genuine, it will examine the CA’s signature, comparing

it with the copy of the CA’s certificate that you have uploaded in order to determine if they were

both made using the same private key. If they were, the CA’s signature is genuine, and therefore

the client or device’s certificate is legitimate.

If the signing CA is not known, that CA’s own certificate must likewise be signed by one or more

other intermediary CAs, until both the FortiWeb appliance and the client or device can

demonstrate a signing chain that ultimately leads to a mutually trusted (shared “root”) CA that

they have in common. Like a direct signature by a known CA, this proves that the certificate can

be trusted. For information on how to include a signing chain, see “How to offload or inspect

HTTPS” on page 283“Uploading a server certificate” on page 289.

FortiWeb may require you to provide certificates and CRLs even if your web sites’ clients do not

use HTTPS to connect to the web sites.

For example, when sending alert email via SMTPS or querying an authentication server via

LDAPS, FortiWeb will validate the server’s certificate by comparing the server certificate’s CA

signature with the certificates of CAs that are known and trusted by the FortiWeb appliance.