Fortinet 493 FortiWeb 5.0 Patch 6 Administration Guide
Certificate Verification
Select the name of a certificate verifier, if any, to use when an HTTP
client presents its personal certificate. (If you do not select one, the
client is not required to present a personal certificate. See also “How
to apply PKI client authentication (personal certificates)” on
page 293.)
Personal certificates, sometimes also called user certificates,
establish the identity of the person connecting to the web site (PKI
authentication).
You can require that clients present a certificate instead of, or in
addition to, HTTP authentication (see “Offloading HTTP authentication
& authorization” on page 225).
This option appears only if an HTTPS Service is selected, and only
applies if the FortiWeb appliance is operating in reverse proxy mode.
(For transparent proxy mode, configure this setting in the server farm
instead. See Certificate Verification in “Grouping your web servers
into server farms” on page 256.)
Note: The client must support SSL 3.0 or TLS 1.0.
Client Certificate Forwarding
Enable to include the X.509 personal certificate presented by the
client during the SSL/TLS handshake, if any, in an X-Client-Cert:
HTTP header when forwarding the traffic to the protected web server.
FortiWeb will still validate the client certificate itself, but this can be
useful if the web server requires the client certificate for the purpose
of server-side identity-based functionality.
This option appears only if a Certificate Verification rule is selected.
Certificate Intermediate Group
Select the name of a group of intermediate certificate authority (CA)
certificates, if any, that will be presented to clients in order to
complete the signing chain for them to validate the server certificate’s
CA signature.
If clients receive certificate warnings that the server certificate
configured in Certificate has been signed by an intermediary CA,
rather than directly by a root CA or other CA currently trusted by the
client, configure this option.
Alternatively, include the entire signing chain in the server certificate
itself before uploading it to the FortiWeb appliance, thereby
completing the chain of trust with a CA already known to the client.
See “Uploading a server certificate” on page 289 and
“Supplementing a server certificate with its signing chain” on
page 291.
This option appears only if HTTPS Service is enabled and the
FortiWeb appliance is operating in reverse proxy mode.
Persistence Timeout
Type the timeout for inactive TCP connections.
This option appears only if Deployment Mode is Server Balance or
Transparent Servers.
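Added example, not from the Fortinet guide: one way a protected web server could consume the X-Client-Cert: header described under Client Certificate Forwarding, treating it as an identity claim only when the request arrives from the appliance. The appliance address, the header encoding (base64 of the DER certificate, PEM armor tolerated), the fingerprint table and all function names are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import ipaddress
import re

# Assumptions (not from the guide): the appliance's back-end address, the
# header encoding, and the fingerprint-to-user table. SAMPLE_DER is a
# constructed stand-in (a DER SEQUENCE header plus filler), not a real cert.
TRUSTED_PROXY = ipaddress.ip_address("192.0.2.10")
SAMPLE_DER = b"\x30\x0b" + b"constructed"
USERS_BY_FINGERPRINT = {hashlib.sha256(SAMPLE_DER).hexdigest(): "alice"}


def decode_forwarded_cert(value):
    """Return DER bytes from the header value, or None if it is malformed."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", value)
    body = "".join(body.split())          # drop line breaks and spaces
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Every X.509 certificate is a DER SEQUENCE, so it starts with 0x30.
    return der if der[:1] == b"\x30" else None


def identity_from_request(peer_ip, headers):
    """Map a forwarded certificate to a user, or return None.

    headers is a list of (name, value) pairs as the web server received them.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if peer != TRUSTED_PROXY:
        return None   # only the appliance performed the TLS handshake
    values = [v for k, v in headers if k.lower() == "x-client-cert"]
    if len(values) != 1:
        return None   # absent, or duplicated: do not guess which one to use
    der = decode_forwarded_cert(values[0])
    if der is None:
        return None
    return USERS_BY_FINGERPRINT.get(hashlib.sha256(der).hexdigest())
```

The source-address check matters because the header is ordinary request data: a server that is reachable without passing through the appliance would otherwise accept whatever certificate a caller pastes into it.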