Fortinet 317 FortiWeb 5.0 Patch 6 Administration Guide
5. Click OK.
6. To apply a certificate verification rule, select it in Certificate Verification in a server policy or server farm that includes HTTPS service. For details, see “Configuring a server policy” on page 483 or “Grouping your web servers into server farms” on page 256.
When a client connects to the web site, after FortiWeb presents its own server certificate, it will request one from the client. The web browser should display a prompt, allowing the person to indicate which personal certificate he or she wants to present.
Figure 42: A personal certificate prompt in Microsoft Internet Explorer 9
Setting name   Description
OCSP           Select the name of an existing online certificate status protocol (OCSP) certificate, if any, that you want to use to verify the revocation status of client certificates. See “Revoking certificates by OCSP query” on page 319.
CRL            Select the name of an existing certificate revocation list, if any, to use to verify the revocation status of client certificates. See “Revoking certificates” on page 318.
If the connection fails when you have selected a certificate verifier, verify that the certificate meets the web browser’s requirements. Web browsers may have their own certificate validation requirements in addition to FortiWeb's requirements. For example, personal certificates for client authentication may be required to either:
• not be restricted in usage/purpose by the CA, or
• contain a Key Usage field that contains Digital Signature, or have an ExtendedKeyUsage or EnhancedKeyUsage field whose value contains Client Authentication
If the certificate does not satisfy browser requirements, although it may be installed in the client’s store, when the FortiWeb appliance requests the client’s certificate, the browser may not present a certificate selection dialog to the user, or the dialog may not contain that certificate. In that case, verification will fail.
For browser requirements, see your web browser’s documentation.
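The usage rule above can be checked before a certificate is rolled out to users, so that a failed client-certificate prompt is not mistaken for a FortiWeb verifier problem. The following is an added example, not FortiWeb code or anything from the guide: it decodes the DER values of the two relevant X.509 extensions (KeyUsage, a BIT STRING, and ExtendedKeyUsage, a SEQUENCE OF OID) and applies the guide's "either" rule literally: the certificate is usable if the CA left usage unrestricted (neither extension present), if KeyUsage includes digitalSignature, or if ExtendedKeyUsage includes id-kp-clientAuth. The extension byte strings are constructed for this example; locating the extensions inside a full certificate is left to your X.509 library.

```python
"""Check whether a personal certificate's usage extensions allow it to be
offered for TLS client authentication (added example, not FortiWeb code).

Only the DER *values* of the KeyUsage and ExtendedKeyUsage extensions are
decoded; the sample bytes below are constructed for this example."""

OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth (RFC 5280)
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth (RFC 5280)

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]


def _read_tlv(buf, pos=0):
    """Decode one DER tag-length-value (short or long-form length).
    Returns (tag, value_bytes, position_after_value)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_key_usage(der):
    """Return the set of KeyUsage names whose bits are set in a DER BIT STRING."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = value[0], value[1:]      # first content byte = count of unused trailing bits
    valid_bits = len(bits) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if i < valid_bits and bits[byte] & (0x80 >> bit):   # bit 0 is the MSB of byte 0
            usages.add(name)
    return usages


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:                    # base-128, high bit set on all but the last byte
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def decode_ext_key_usage(der):
    """Return the list of dotted OIDs in a DER ExtKeyUsageSyntax (SEQUENCE OF OID)."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(value):
        t, v, pos = _read_tlv(value, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside ExtendedKeyUsage")
        oids.append(_decode_oid(v))
    return oids


def usable_for_client_auth(key_usage_der=None, ext_key_usage_der=None):
    """The guide's rule: unrestricted by the CA, or KeyUsage has digitalSignature,
    or ExtendedKeyUsage has id-kp-clientAuth."""
    if key_usage_der is None and ext_key_usage_der is None:
        return True
    if key_usage_der is not None and "digitalSignature" in decode_key_usage(key_usage_der):
        return True
    if ext_key_usage_der is not None and OID_CLIENT_AUTH in decode_ext_key_usage(ext_key_usage_der):
        return True
    return False


# Constructed sample extension values, as they would appear inside a certificate.
KU_DIGSIG_KEYENC = bytes.fromhex("030205a0")                  # digitalSignature + keyEncipherment
KU_KEYENC_ONLY = bytes.fromhex("03020520")                    # keyEncipherment only
EKU_CLIENT_AUTH = bytes.fromhex("300a06082b06010505070302")   # id-kp-clientAuth
EKU_SERVER_AUTH = bytes.fromhex("300a06082b06010505070301")   # id-kp-serverAuth only

if __name__ == "__main__":
    print("KeyUsage:", sorted(decode_key_usage(KU_DIGSIG_KEYENC)))
    print("EKU:", decode_ext_key_usage(EKU_CLIENT_AUTH))
    print("encipher-only cert usable:", usable_for_client_auth(KU_KEYENC_ONLY, EKU_SERVER_AUTH))
    print("clientAuth cert usable:", usable_for_client_auth(None, EKU_CLIENT_AUTH))
```

A certificate that fails this check is exactly the case the guide describes: the browser may omit it from the selection dialog or show no dialog at all, and FortiWeb's verification then fails without the appliance itself being misconfigured.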