FortiWeb
kmak
Staff
Article Id 319618
Description This article describes how to configure the Client Certificate Proxy for the FortiWeb real server pool.
Scope FortiWeb.
Solution

Prerequisites:

Some back-end real servers authenticate users by their client certificates. FortiWeb terminates the client's TLS session on the virtual server (client to FortiWeb), so it cannot simply forward the original client certificate to the back end: it does not hold the client's private key and could not complete the certificate-verify step of the TLS handshake. Instead, FortiWeb can be configured to re-sign a new client certificate, based on the client certificate received on the virtual server, with a CA key imported for this purpose (the Sign CA), and to present that certificate to the back-end real server when it forwards the client's requests. The back-end server therefore has to trust the Sign CA; importing the same CA that already issues the users' certificates, as described below, ensures this.

To configure Client Certificate Verification in the FortiWeb Server Policy, refer to Technical Tip: How to enable Client Certificate Verification in FortiWeb Server Policy.

After configuring Client Certificate Verification in the FortiWeb Server Policy, continue with the configuration steps below.

 

  1. Log into the FortiWeb GUI and navigate to Server Objects -> Certificates -> Sign CA.

  2. Import the CA root certificate and the CA root private key generated on the local server that is used to sign the users' certificates. Note that the import fails with an Internal Server Error if the private key is not passphrase-encrypted.

  3. Make sure the CA root private key is passphrase-encrypted, then import the CA root certificate and the CA root private key.

  4. After the Sign CA root certificate and private key are imported, the entry appears on the Sign CA page with the certificate's subject information.

  5. Go to the Server Pool page and edit the real server pool that requires client certificate verification.

  6. Edit the real server settings and open the Advanced SSL settings. Enable the Client Certificate Proxy option and select the Sign CA imported in steps 3 and 4. Ensure that SNI Forwarding is enabled on the same settings page.

  7. Browse to the web page that requires client certificate verification. When the browser prompts, select the client SSL certificate for that page.

  8. With a correct client SSL certificate, the web page loads as intended.

  9. To further verify that the Client Certificate Proxy is working, take a packet capture on FortiWeb filtered on the back-end real server's IP address. In the TLS handshake of the example capture, FortiWeb sends the re-signed client certificate to the back-end real server.
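Two of the conditions the procedure above depends on can be checked before touching the GUI: that the CA private key is passphrase-encrypted (the condition whose absence makes the import in step 2 fail with an Internal Server Error) and that the CA being imported as the Sign CA is the one that issued the client certificates, so the back end will trust the re-signed certificate it sees in step 9. The script below is an added example, not part of this article and not FortiWeb code. It assumes the openssl CLI is installed; the file names, the "Demo Sign CA" and "alice" subjects and the passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): pre-import checks for the
# Sign CA material used by FortiWeb Client Certificate Proxy.
# Requires the openssl CLI. Subjects, file names and passphrase are constructed.

# Return 0 if the PEM private key in $1 is passphrase-encrypted, 1 otherwise.
# Matches PKCS#8 "ENCRYPTED PRIVATE KEY" files and legacy "BEGIN RSA PRIVATE
# KEY" files that carry a "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Re-wrap the key in $1 as an AES-256 encrypted PKCS#8 PEM in $2 with
# passphrase $3. Do this before importing a key that key_is_encrypted rejects.
encrypt_key() {
    openssl pkey -in "$1" -aes256 -passout "pass:$3" -out "$2"
}

# Return 0 if the encrypted key in $1 opens with passphrase $2, 1 otherwise.
key_opens_with() {
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Return 0 if certificate $2 chains to CA certificate $1. The CA imported as
# the Sign CA must be the one that issued the users' client certificates,
# otherwise the back end will not trust the re-signed certificate.
cert_issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway CA and client certificate, then run the checks end to end.
demo() {
    d=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -subj "/CN=Demo Sign CA" \
        -days 1 -out "$d/ca.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/alice.key" 2>/dev/null
    openssl req -new -key "$d/alice.key" -subj "/CN=alice" \
        -out "$d/alice.csr" 2>/dev/null
    openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 -out "$d/alice.crt" 2>/dev/null

    # Produce the file that is safe to import: encrypt only when needed.
    if key_is_encrypted "$d/ca.key"; then
        echo "ca.key is already passphrase-encrypted"
        cp "$d/ca.key" "$d/ca-import.key"
    else
        echo "ca.key is NOT encrypted; the FortiWeb import would fail. Encrypting."
        encrypt_key "$d/ca.key" "$d/ca-import.key" 'Demo-passphrase-1' || return 1
    fi
    key_is_encrypted "$d/ca-import.key" && echo "ca-import.key is encrypted: import this file"
    key_opens_with "$d/ca-import.key" 'Demo-passphrase-1' && echo "ca-import.key opens with the passphrase"
    cert_issued_by "$d/ca.crt" "$d/alice.crt" && echo "alice.crt was issued by Demo Sign CA"
    rm -rf "$d"
}

demo
```

Run the checks against the real CA files instead of the demo material: `key_is_encrypted ca.key || encrypt_key ca.key ca-import.key "$PASS"`, then `cert_issued_by ca.crt user.crt` with one of the client certificates that the back-end server already accepts. If the second check fails, the CA being imported is not the users' issuing CA and the proxied certificate will be rejected by the back end even though the FortiWeb side of the handshake succeeds.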

 

Related document:

Seamless PKI integration - FortiWeb administration guide.
