Fortinet 289 FortiWeb 5.0 Patch 6 Administration Guide
Uploading a server certificate
You can import (upload) either:
• Base64-encoded
• PKCS #12 RSA-encrypted
X.509 server certificates and private keys to the FortiWeb appliance.
If a server certificate is signed by an intermediate certificate authority (CA) rather than a root CA,
before clients will trust the server certificate, you must demonstrate a link with root CAs that the
clients trust, thereby proving that the server certificate is genuine. You can demonstrate this
chain of trust either by:
• Appending a signing chain in the server certificate.
• Uploading and configuring a signing chain separately (see “Supplementing a server
certificate with its signing chain” on page 291).
• Installing each intermediary CA’s certificate in clients’ trust store (list of trusted CAs).
Which method is best for you often depends on whether you have a convenient method for
deploying CA certificates to clients, as you may for clients in an internal
Microsoft Active Directory domain, and on whether you often refresh the server certificate.
To append a signing chain in the certificate itself, before uploading the server certificate
to the FortiWeb appliance
1. Open the certificate file in a plain text editor.
2. Append the certificate of each intermediary CA in order from the intermediary CA who
signed the local certificate to the intermediary CA whose certificate was signed directly by a
trusted root CA.
For example, a server’s certificate that includes a signing chain might use the following
structure:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of
intermediate CA 1 and whose certificate was signed by a trusted root
CA>
-----END CERTIFICATE-----
3. Save the certificate.
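Before uploading, the order of the appended chain can be checked offline. The following is an added example, not part of the FortiWeb documentation or software: it reads each certificate's issuer and subject from the PEM file and confirms that every certificate is followed by the certificate of the CA that issued it. The function names and the sample certificates (constructed, unsigned DER skeletons) are assumptions made for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, start, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, pos, end = read_tlv(der, start)    # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(der, pos)
        if tag != 0xA0:                   # skip the optional [0] version field
            fields.append(der[pos:nxt])
        pos = nxt
    return fields[2], fields[4]           # serial, sigAlg, issuer, validity, subject

def check_chain_order(bundle):
    """List ordering problems; compares encoded names only, not signatures."""
    names = [issuer_and_subject(base64.b64decode(b)) for b in PEM_RE.findall(bundle)]
    problems = [] if len(names) > 1 else ["only one certificate: no signing chain appended"]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:  # issuer of i must be subject of i + 1
            problems.append(f"certificate {i + 1} was not issued by certificate {i + 2}")
    return problems

# Constructed sample input: unsigned DER skeletons, not real certificates.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length, bodies < 128 bytes

def sample_cert(subject, issuer):
    name = lambda cn: tlv(0x30, tlv(0x0C, cn.encode()))  # simplified Name
    empty = tlv(0x30, b"")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty
              + name(issuer) + empty + name(subject) + empty)
    b64 = base64.b64encode(tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SERVER = sample_cert("www.example.com", "intermediate CA 1")
CA1 = sample_cert("intermediate CA 1", "intermediate CA 2")
CA2 = sample_cert("intermediate CA 2", "root CA")
```

Calling `check_chain_order` on the text of a saved certificate file returns an empty list when the order matches the structure shown above; with the two intermediate certificates swapped it reports both broken links.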
DSA-encrypted certificates are not supported if the FortiWeb appliance is operating in a mode
other than reverse proxy. See “Supported features in each operation mode” on page 62.