Fortinet 285 FortiWeb 5.0 Patch 6 Administration Guide
Although they do not present a certificate during SSL/TLS inspection, FortiWeb still requires
server certificates in order to decrypt and scan HTTPS connections travelling through it (SSL
inspection) if operating in any mode except reverse proxy. Otherwise, FortiWeb will not be able
to scan the traffic, and will not be able to protect that web server.
If you want clients to be able to use HTTPS with your web site, but your web site does not
already have a server certificate to represent its authenticity, you must first generate a certificate
signing request (see “Generating a certificate signing request” on page 285). Otherwise, start
with “Uploading a server certificate” on page 289.
See also
• Global web UI & CLI settings
• How operation mode affects server policy behavior
• Grouping your web servers into server farms
• Generating a certificate signing request
• Uploading a server certificate
• Revoking certificates by OCSP query
• Offloading vs. inspection
• Supported cipher suites & protocol versions
• Uploading trusted CAs’ certificates
Generating a certificate signing request
Many commercial certificate authorities (CAs) will provide a web site where you can generate
your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA will
sign. When the CSR is generated, the associated private key that the appliance will use to sign
and/or encrypt connections with clients is also generated.
If your CA does not provide this, or if you have your own private CA such as a Linux server with
OpenSSL, you can use the appliance to generate a CSR and private key. This CSR can then be
submitted for verification and signing by the CA.
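On a private CA such as the Linux server with OpenSSL mentioned above, the submitted CSR can be checked before it is signed. The following is an added example, not taken from the Fortinet guide: the function names, file names, the host name www.example.com and the 2048-bit minimum are assumptions chosen for illustration.

```shell
#!/bin/sh
# CA-side checks on a CSR before it is signed (added example).

# make_demo_csr DIR CN BITS: constructed sample input. In a real deployment the
# CSR comes from the appliance and the private key never leaves it.
make_demo_csr() {
    openssl req -new -newkey "rsa:$3" -nodes -subj "/O=Example/CN=$2" \
        -keyout "$1/demo.key" -out "$1/demo.csr" >/dev/null 2>&1
}

# csr_check FILE EXPECTED_CN [MIN_BITS]: prints a one-word verdict and
# returns 0 only when the request is acceptable.
csr_check() {
    csr=$1; want_cn=$2; min_bits=${3:-2048}

    # 1. Proof of possession: the request is signed with the private key that
    #    matches the public key inside it. Match on the message, because some
    #    OpenSSL versions exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo bad-signature; return 1; }

    # 2. Key size, parsed from the text dump ("Public-Key: (2048 bit)").
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] || { echo weak-key; return 1; }

    # 3. The common name must be the host name the CA expects to certify.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] || { echo cn-mismatch; return 1; }

    echo ok
}

# Demo run on a constructed request for www.example.com.
tmp=$(mktemp -d)
make_demo_csr "$tmp" www.example.com 2048
csr_check "$tmp/demo.csr" www.example.com
rm -rf "$tmp"
```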
To generate a certificate request
1. Go to System > Certificates > Local.
To access this part of the web UI, your administrator's account access profile must have
Read and Write permission to items in the Admin Users category. For details, see
“Permissions” on page 47.
2. Click Generate.
A dialog appears.