FortiWeb
Khidzir_MN
Staff
Article Id 378914
Description

This article describes how to enable and require client certificates for specific URLs only.

Scope

FortiWeb and FortiWeb-VM.
Solution

Prerequisite:

Enable Client Certificate Verification in the FortiWeb Server Policy by following the guide linked at the end of this article.

The requirement is to request a client certificate only when a client accesses specific URLs, rather than for every URL on the website.

 

For example: 

 

FortiWeb provides the option to achieve this requirement using the URL Certificate feature. The feature supports multiple URLs.

 

Step 1: Create a new URL Certificate rule and specify the respective URLs:

 

[Screenshot: url_cert.png]

 

Step 2: Select the URL Certificate rule created in Step 1 and apply it to the respective Server Policy:

[Screenshot: apply_server_policy.png]

 

Note:

  1. The URL-based Certificate feature does not support HTTP/2. HTTP/2 must be disabled in the Server Policy.

     [Screenshot: httpdisabled.png]

  2. FortiWeb also does not support URL-based Certificate Authentication with TLS 1.3, even with post-handshake authentication (PHA) enabled on the client side. TLS 1.3 must be disabled in the SSL Connection Settings.

     [Screenshot: tlsdisable.png]
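
One way to confirm the result from a client once the rule is applied, as an added example that is not Fortinet code: the script checks that an unlisted URL loads without a certificate, that a listed URL is refused without one and served with one, and that TLS 1.3 and HTTP/2 are no longer negotiated. The base URL, paths, certificate and key are caller-supplied placeholders, and the script assumes a request denied for lack of a certificate appears as a failed connection or a status outside 2xx/3xx.

```sh
#!/bin/sh
# Added example: client-side check of a URL Certificate rule (not Fortinet code).
# Base URL, paths, certificate and key are placeholders supplied by the caller.

# req URL [CERT KEY]: HTTP status over TLS 1.2 + HTTP/1.1 ("000" = no HTTP response).
req() {
  r_url=$1; r_cert=${2:-}; r_key=${3:-}
  set -- --silent --output /dev/null --max-time 10 --http1.1 --tls-max 1.2 \
         --write-out '%{http_code}'
  if [ -n "$r_cert" ]; then set -- "$@" --cert "$r_cert" --key "$r_key"; fi
  curl "$@" "$r_url" || true
}

# ok STATUS: true for 2xx/3xx (assumption: anything else means the request was denied).
ok() { case $1 in 2??|3??) return 0 ;; *) return 1 ;; esac; }

# verify BASE PROTECTED_PATH OPEN_PATH CERT KEY
# Prints one line per failed check; the exit status is the number of failures.
verify() {
  v_base=$1; v_prot=$2; v_open=$3; v_cert=$4; v_key=$5; v_fail=0
  s=$(req "$v_base$v_open")
  if ! ok "$s"; then echo "FAIL: open URL not reachable without certificate ($s)"; v_fail=$((v_fail+1)); fi
  s=$(req "$v_base$v_prot")
  if ok "$s"; then echo "FAIL: protected URL served without certificate ($s)"; v_fail=$((v_fail+1)); fi
  s=$(req "$v_base$v_prot" "$v_cert" "$v_key")
  if ! ok "$s"; then echo "FAIL: protected URL rejected the certificate ($s)"; v_fail=$((v_fail+1)); fi
  # A TLS 1.3-only handshake must fail once TLS 1.3 is disabled (an unreachable host
  # also yields 000, but the first check catches that case).
  s=$(curl --silent --output /dev/null --max-time 10 --tlsv1.3 \
           --write-out '%{http_code}' "$v_base$v_open" || true)
  if [ "$s" != "000" ]; then echo "FAIL: TLS 1.3 still negotiated ($s)"; v_fail=$((v_fail+1)); fi
  # With HTTP/2 disabled, an h2-capable client must fall back to HTTP/1.1.
  s=$(curl --silent --output /dev/null --max-time 10 --http2 --tls-max 1.2 \
           --write-out '%{http_version}' "$v_base$v_open" || true)
  if [ "$s" = "2" ]; then echo "FAIL: HTTP/2 still negotiated"; v_fail=$((v_fail+1)); fi
  return "$v_fail"
}

# Runs only when five arguments are given, for example:
#   sh check_urlcert.sh https://www.example.com /admin / client.pem client.key
if [ "$#" -eq 5 ]; then verify "$@"; fi
```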

 

Related documents:
Technical Tip: How to enable Client Certificate Verification in FortiWeb Server Policy

How to apply PKI client authentication (personal certificates)