Fortinet 318 FortiWeb 5.0 Patch 6 Administration Guide
When a PKI authentication attempt fails, if you have enabled logging, attack log messages
will be recorded. Messages vary by the cause of the error. Common messages are:
• X509 Error 20 - Issuer certificate could not be found (FortiWeb does not have the certificate of the CA that signed the personal certificate, and therefore cannot verify the personal certificate; see “Uploading trusted CAs’ certificates” on page 280)
• X509 Error 52 - Get client certificate failed (the client did not present its personal certificate to FortiWeb, which could be caused by the client not having its personal certificate properly installed; see “How to apply PKI client authentication (personal certificates)” on page 293)
• X509 Error 53 - Protocol error (various causes, but could be due to the client and FortiWeb having no mutually understood cipher suite or protocol version during the SSL/TLS handshake)
For more logs, see the FortiWeb Log Reference.
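As an added example (not from the FortiWeb guide), the following Python triage reads attack log lines carrying the three X509 messages above, maps each error number to the cause the guide gives, and separates the FortiWeb-side fix (error 20, a missing CA certificate) from clients that repeatedly present no certificate (error 52). The key=value line layout and field names are constructed assumptions; the real format is in the FortiWeb Log Reference.

```python
import re
from collections import Counter, defaultdict

# The three X509 error numbers the guide lists, with the cause it gives and the usual fix.
X509_CAUSES = {
    20: ("issuer CA certificate not on FortiWeb", "upload the signing CA's certificate"),
    52: ("client presented no personal certificate", "fix the client's certificate install"),
    53: ("SSL/TLS protocol error", "align cipher suites / protocol versions on both sides"),
}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
ERR_RE = re.compile(r"X509 Error (\d+)")

def parse_line(line):
    """Split one key=value log line into a dict and pull out the X509 error number."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = ERR_RE.search(rec.get("msg", ""))
    rec["x509_error"] = int(m.group(1)) if m else None
    return rec

def triage(lines, repeat_threshold=3):
    """Count PKI failures per error code; flag admin-side problems and noisy clients."""
    by_error, by_client = Counter(), defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        code = rec["x509_error"]
        if code is None:
            continue  # not a PKI authentication failure
        by_error[code] += 1
        by_client[rec.get("src", "unknown")][code] += 1
    summary = {}
    for code, n in by_error.items():
        cause, action = X509_CAUSES.get(code, ("unknown", "see the FortiWeb Log Reference"))
        summary[code] = {"count": n, "cause": cause, "action": action}
    return {"by_error": summary,
            # Error 20 is FortiWeb's own missing CA: one upload clears it for every client.
            "ca_missing": 20 in by_error,
            # Clients that repeatedly hit error 52 never present a certificate at all.
            "repeat_no_cert_clients": sorted(src for src, c in by_client.items()
                                             if c[52] >= repeat_threshold)}

# CONSTRUCTED sample lines (an assumed layout, not the real FortiWeb log format).
SAMPLE_LOG = """\
date=2014-03-05 time=10:01:02 type=attack src=10.0.0.5 msg="X509 Error 20 - Issuer certificate could not be found"
date=2014-03-05 time=10:01:09 type=attack src=10.0.0.7 msg="X509 Error 52 - Get client certificate failed"
date=2014-03-05 time=10:01:15 type=attack src=10.0.0.7 msg="X509 Error 52 - Get client certificate failed"
date=2014-03-05 time=10:01:21 type=attack src=10.0.0.7 msg="X509 Error 52 - Get client certificate failed"
date=2014-03-05 time=10:02:00 type=attack src=10.0.0.9 msg="X509 Error 53 - Protocol error"
date=2014-03-05 time=10:03:00 type=traffic src=10.0.0.11 msg="Client certificate accepted"
""".splitlines()
```

Running `triage(SAMPLE_LOG)` reports one error-20 hit (so the CA upload is the first thing to fix), three error-52 hits all from 10.0.0.7, and one protocol error.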
See also
• How to apply PKI client authentication (personal certificates)
• Configuring a server policy
• How to offload or inspect HTTPS
• Uploading trusted CAs’ certificates
• Revoking certificates by OCSP query
• Revoking certificates
Revoking certificates
To ensure that your FortiWeb appliance validates only certificates that have not been revoked,
you should periodically upload a current certificate revocation list (CRL), which may be provided
by certificate authorities (CA).
To view or upload a CRL file
1. Go to System > Certificates > CRL.
To access this part of the web UI, your administrator's account access profile must have
Read and Write permission to items in the Admin Users category. For details, see
“Permissions” on page 47.
2. To upload a CRL file, click Import.
A dialog appears.
Alternatively, you can use HTTP or online certificate status protocol (OCSP) to query for
certificate status. For more information, see “Revoking certificates by OCSP query” on
page 319.