Fortinet 296 FortiWeb 5.0 Patch 6 Administration Guide
generated from it is also guaranteed to come only from that client. The client will sign a
certificate with its matching public key.
Because certificate authorities (CA) sign applicants’ certificates, third parties who have that
CA’s certificate can also confirm that that CA certified the applicant’s identity, and the
certificate was not forged.
Chain of trust — What if a device does not know the CA that signed the connecting party’s
certificate? Since there are many CAs, this is a common scenario.
The solution is to have a root CA in common between the two connecting parties, a “friend
of a friend.”
If a root CA is trusted to be genuine and to sign only certificates where it has verified the
applicant’s identity, then by induction, all sub-CAs’ certificates that the root CA has verifiably
signed will also be trusted as genuine. Hence, if a client or server’s certificate can prove that
it is either indirectly (through an intermediary CA signed by the root CA) or directly signed by
the trusted root CA, that client/server’s certificate will be trusted as genuine.
To configure client PKI authentication
1. Obtain a personal certificate for the client, and its private key, from a CA.
Steps vary by the CA. Personal certificates can be purchased or downloaded from either
commercial CAs such as VeriSign, Thawte, or Comodo, or your organization’s own private
CA, such as a Linux server where you use OpenSSL or a Mac OS X server where you have
set up a CA in Keychain Access. For information on certificate requirements such as
extended attributes, see “Configuring FortiWeb to validate client certificates” on page 316.
For a private CA example, see “Example: Generating & downloading a personal certificate
from Microsoft Windows 2003 Server” on page 297.
2. Download the CA’s certificate, which contains its public key and therefore can verify any
personal certificate that the CA has signed.
Steps vary by the CA.
For a private CA example, see “Example: Downloading the CA’s certificate from
Microsoft Windows 2003 Server” on page 306.
If you purchased personal certificates from CAs such as VeriSign, Thawte, or Comodo, you
should not need to download the certificate: simply export those CAs’ certificates from your
browser’s own trust store, similar to “To export and transmit a personal certificate from the
trust store on Microsoft Windows 7” on page 299, then upload them to the FortiWeb (see
“Uploading trusted CAs’ certificates” on page 280).
3. Install the personal certificate with its private key on the client.
Steps vary by the client’s operating system and web browser. If the client uses Microsoft
Windows 7, see “Example: Importing the personal certificate & private key to a client’s
trust store on Microsoft Windows 7” on page 307.
4. Upload the CA’s certificate to the FortiWeb’s trust store (see “Uploading the CA’s certificate
to FortiWeb’s trusted CA store” on page 315).
5. If you have a certificate revocation list or OCSP server, configure FortiWeb with it (see
“Revoking certificates” on page 318).
6. Depending on the FortiWeb’s current operation mode, configure either a server policy or
server farm to consider CA certificates and CRLs when verifying client certificates (see
“Configuring FortiWeb to validate client certificates” on page 316).
7. Configure the server policy to accept HTTPS (see HTTPS Service).