FortiWeb
Ahmed_Galal
Staff
Article Id 428268
Description

This article describes how to configure mTLS (Mutual TLS) authentication on FortiWeb.

Scope

FortiWeb.

Solution

What mTLS authentication is:

 

mTLS (Mutual TLS) authentication authenticates both ends of a TLS connection, the client and the server (here the FortiWeb server policy that terminates TLS in front of the back-end servers), by having each side present a certificate that the other side validates during the TLS handshake.

 

The difference between TLS and mTLS:

 

Typical TLS (HTTPS): only FortiWeb presents a certificate. The client validates FortiWeb's server certificate chain, but FortiWeb learns nothing about the identity of the client.

mTLS: FortiWeb presents its server certificate chain to the client, and the client presents its client certificate to FortiWeb in the same handshake, so each side authenticates the other.

 

How to perform mTLS authentication:

  • Part 1: FortiWeb presents its server certificate chain to the client (server authentication).
  • Part 2: The client presents its client certificate, which FortiWeb validates against the CA that issued it (client authentication).

 

How to configure mTLS authentication on FortiWeb:

 

Part (1) Configure FortiWeb to present the server certificate chain:

  1. Import both the intermediate and the root certificates at Server Objects -> Certificate -> Intermediate CA.
    Note: Importing only the intermediate certificate is sometimes enough, because most clients already hold the root in their own trust store, but importing both the intermediate and the root certificates is recommended.
  2. Add the intermediate and the root certificates to an Intermediate CA group at Server Objects -> Certificate -> Intermediate CA Group.
  3. Import the server certificate together with its private key at Server Objects -> Certificate -> Local.
  4. Assign the complete certificate chain in the server policy: Policy -> Server Policy -> open the related policy -> set 'Certificate' to the imported server certificate and 'Intermediate CA group' to the group created in step 2.

 

Part (2) Configure FortiWeb to request the client certificate:

  1. Import the certificate of the CA that issued the client certificates (its root and, if one is used, the issuing intermediate CA) at Server Objects -> Certificates -> CA.
  2. Add the imported CA certificate(s) to a CA group at Server Objects -> Certificates -> CA -> CA Group.
  3. Reference the CA group from a Certificate Verify rule at Server Objects -> Certificates -> Certificate Verify.
  4. Apply the Certificate Verify rule in the server policy: Policy -> Server Policy -> open the related policy -> Advanced SSL Settings -> Certificate Verification for HTTPS.
    Note: The CA group must contain the CA that actually signed the client certificates (plus any intermediate between it and the root). A client certificate that does not chain to a CA in the group fails verification and the connection is refused.

 

Related documents:
How to apply PKI client authentication (personal certificates) 

How to enable Client Certificate Verification in FortiWeb Server Policy 
CA certificates

 

Related Fortinet Library video:
Validating Client Certificates with mTLS Support