Fortinet 293 FortiWeb 5.0 Patch 6 Administration Guide
See also
•Supplementing a server certificate with its signing chain
•How operation mode affects server policy behavior
How to apply PKI client authentication (personal certificates)If your clients will connect to your web sites using HTTPS, you can configure FortiWeb to
require clients to present a personal certificate during the handshake in order to confirm their
identities. This is sometimes called public key infrastructure (PKI) authentication (RFC 5280).
Because FortiWeb presents its own server certificate to the client before requesting one from
the client, all PKI authentication with FortiWeb is actually mutual (2-way) authentication.
PKI authentication is an alternative to traditional password-based authentication. The traditional
method is based on “what you know” — a password used for authentication. PKI authentication
is based on “what you have” — a private key related to the certificate bound to only one person.
PKI authentication may be preferable for devices where it is onerous for the person to type a
password, such as an Android or iPhone smart phone.
A known weakness of traditional password based authentication is the vulnerability to
password guessing or brute force attack. Despite your admonitions, many users will still choose
weak passwords either because they do not understand what makes a password “strong,”
because they do not understand the risks that it poses to the organization, or because they
cannot remember a randomized password.
PKI authentication is far more resilient to brute force attacks, and does not require end-users to
remember anything, so it is stronger than a password.
In addition to FortiWeb verifying client certificates, you can configure FortiWeb to forward client
certificates to the back-end server, whether for additional verification or identity-based
functionality. SeeClient Certificate Forwarding in “Configuring a server policy” on page 483.
For even stronger authentication, you can combine PKI authentication with HTTP or
form-based authentication. For more information, see “Authentication styles” on page 221.