Fortinet 5.0 Patch 6

Fortinet 296 FortiWeb 5.0 Patch 6 Administration Guide

generated from it is also guaranteed to come only from that client. The client will sign a

certificate with its matching public key.

Because certificate authorities (CA) sign applicants’ certificates, third parties who have that

CA’s certificate can also confirm that that CA certified the applicant’s identity, and the

certificate was not forged.

•Chain of trust — What if a device does not know the CA that signed the connecting party’s

certificate? Since there are many CAs, this is a common scenario.

The solution is to have a root CA in common between the two connecting parties, a “friend

of a friend.”

If a root CA is trusted to be genuine and to sign only certificates where it has verified the

applicant’s identity, then by induction, all sub-CA’s certificates that the root CA has verifiably

signed will also be trusted as genuine. Hence, if a client or server’s certificate can prove that

it is either indirectly (through an intermediary CA signed by the root CA) or directly signed by

the trusted root CA, that client/server’s certificate will be trusted as genuine.

To configure client PKI authentication

1. Obtain a personal certificate for the client, and its private key, from a CA.

Steps vary by the CA. Personal certificates can be purchased or downloaded from either

commercial CAs such as VeriSign, Thawte, or Comodo, or your organization’s own private

CA, such as a Linux server where you use OpenSSL or a Mac OS X server where you have

set up a CA in Keychain Access. For information on certificate requirements such as

extended attributes, see “Configuring FortiWeb to validate client certificates” on page 316.

For a private CA example, see “Example: Generating & downloading a personal certificate

from Microsoft Windows 2003 Server” on page 297.

2. Download the CA’s certificate, which contains its public key and therefore can verify any

personal certificate that the CA has signed.

Steps vary by the CA.

For a private CA example, see “Example: Downloading the CA’s certificate from

Microsoft Windows 2003 Server” on page 306.

If you purchased personal certificates from CAs such as VeriSign, Thawte, or Comodo, you

should not need to download the certificate: simply export those CAs’ certificates from your

browser’s own trust store, similar to “To export and transmit a personal certificate from the

trust store on Microsoft Windows 7” on page 299, then upload them to the FortiWeb (see

“Uploading trusted CAs’ certificates” on page 280).

3. Install the personal certificate with its private key on the client.

Steps vary by the client’s operating system and web browser. If the client uses Microsoft

Windows 7, see “Example: Importing the personal certificate & private key to a client’s

trust store on Microsoft Windows 7” on page 307.

4. Upload the CA’s certificate to the FortiWeb’s trust store (see “Uploading the CA’s certificate

to FortiWeb’s trusted CA store” on page 315).

5. If you have a certificate revocation list or OCSP server, configure FortiWeb with it (see

“Revoking certificates” on page 318).

6. Depending on the FortiWeb’s current operation mode, configure either a server policy or

server farm to consider CA certificates and CRLs when verifying client certificates (see

“Configuring FortiWeb to validate client certificates” on page 316).

7. Configure the server policy to accept HTTPS (see HTTPS Service).