Fortinet FortiWeb 5.0 Patch 6 Administration Guide, page 316
Configuring FortiWeb to validate client certificates
To be valid, a client certificate must:
• be neither expired nor not yet valid
• not be revoked by either a certificate revocation list (CRL) or, if enabled, the online certificate status protocol (OCSP)
• be signed by a certificate authority (CA) whose certificate you have imported into the FortiWeb appliance (see “Uploading trusted CAs’ certificates” on page 280)
• contain a CA field whose value matches a CA’s certificate
• contain an Issuer field whose value matches the Subject field in a CA’s certificate
If the client presents an invalid certificate during PKI authentication for HTTPS, the FortiWeb
appliance will not allow the connection.
Certificate validation rules (in the web UI, these are called certificate verification rules) tell
FortiWeb which set of CA certificates to use when validating personal certificates. They also
specify the CRL and/or OCSP server, if any, against which the client’s certificate is checked for
revocation.
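The checks listed above, reproduced as an added example (not Fortinet's code or FortiWeb's implementation) with the `cryptography` package, which is assumed to be installed: a throw-away CA, a client certificate and a CRL are constructed, and `validate_client_cert` applies the validity window, the Issuer/Subject match against the CA group, the CA signature and the CRL lookup. OCSP is left out because it needs a live responder.

```python
# Added example (not Fortinet's code): the checks a FortiWeb certificate verification
# rule applies, reproduced with the `cryptography` package (assumed installed).
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def issue(cn, key, days, issuer=None, issuer_key=None, ca=False):
    """Certificate for `key`; with no issuer it is self-signed (a CA certificate)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer.subject if issuer is not None else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=1))
            .not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(key if issuer_key is None else issuer_key, hashes.SHA256()))

def build_crl(ca_cert, ca_key, revoked_serials):
    """CA-signed CRL listing the given serial numbers (what the rule's CRL file holds)."""
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now).next_update(now + dt.timedelta(days=1)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())

def _utc(cert, attr):  # validity bound as tz-aware UTC across cryptography versions
    v = getattr(cert, attr + "_utc", None)
    return v if v is not None else getattr(cert, attr).replace(tzinfo=dt.timezone.utc)

def validate_client_cert(cert, ca_group, crl=None, now=None):
    """(ok, reason): validity window, Issuer == a CA's Subject, CA signature, CRL."""
    now = now or dt.datetime.now(dt.timezone.utc)
    if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
        return False, "expired or not yet valid"
    cas = [ca for ca in ca_group if ca.subject == cert.issuer]
    if not cas:
        return False, "Issuer does not match the Subject of any CA in the CA group"
    try:  # ECDSA only here; a general verifier would dispatch on the CA key type
        cas[0].public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return False, "not signed by the matching CA"
    if crl is not None and crl.get_revoked_certificate_by_serial_number(cert.serial_number):
        return False, "revoked by CRL"
    return True, "valid"
```

A production verifier would also check the CRL's own signature and freshness before trusting its contents; the CRL here is trusted as given.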
To configure a certificate validation rule
1. Before you can configure a certificate validation rule, you must first configure a CA group (see “Grouping trusted CAs’ certificates” on page 282). If you need to explicitly revoke some invalid or compromised certificates, you may also need to:
• configure OCSP (see “Revoking certificates by OCSP query” on page 319)
• upload a CRL file (see “Revoking certificates” on page 318)
2. Go to System > Certificates > Certificate Verify.
To access this part of the web UI, your administrator's account access profile must have
Read and Write permission to items in the Admin Users category. For details, see
“Permissions” on page 47.
3. Click Create New.
A dialog appears.
4. Configure these settings:
Setting name   Description
Name           Type a name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
CA Group       Select the name of an existing CA group that you want to use to authenticate client certificates. See “Grouping trusted CAs’ certificates” on page 282.