FortiWeb
Deepak_Girimaji_FTNT
Article Id 214062
Description

 

This article describes how to configure FortiWeb to present multiple server certificates from a single server policy, using Server Name Indication (SNI).

 

Scope

 

FortiWeb v7.0.X and later.

 

Solution

 

To allow FortiWeb to present more than one certificate on the same virtual server, a Server Name Indication (SNI) configuration is required: the client names the host it wants in the TLS ClientHello, and FortiWeb uses that name to select the certificate it presents.


Step 1: SNI policy configuration.

  1. Go to Server Objects -> Certificates -> Local.
  2. Import all the server certificates.
  3. Go to Server Objects -> Certificates -> Inline SNI.
  4. Create a new SNI policy, and within it select 'Create New' to add an entry.
  5. Specify the domain, then select the matching local certificate and its Intermediate CA group, if any.

 

Repeat steps 4 and 5 until every server certificate hosted behind this virtual server has an entry in the SNI policy.

Reference: section 'To create an inline Server Name Indication (SNI) configuration' in the FortiWeb documentation.

Step 2: Server policy configuration.

  1. Go to Policy -> Server Policy and edit the policy that serves these sites. Once an HTTPS service is selected in the server policy, 'Advanced SSL Settings' becomes visible.
  2. Select 'Advanced SSL Settings'.
  3. Enable 'Server Name Indication (SNI)'.
  4. Under 'SNI Policy', select the SNI policy created in Step 1, which holds all the server certificates.
  5. Select OK.


Step 3: Server-side SNI forwarding (required if the real server accepts only HTTPS, so that FortiWeb's own connection to it is also over TLS).

  1. Go to Server Objects -> Server Pool.
  2. Edit the appropriate server pool entry.
  3. Double-click the pool member to edit it.
  4. Under 'Advanced SSL Settings', enable 'Server Name Indication (SNI) Forwarding'.


CLI syntax:

config server-policy server-pool
    edit "<server-pool_name>"
        config pserver-list
            edit <entry_index>
                set server-side-sni enable
            next
        end
    next
end

 

Note:

Server-side SNI is needed when the back-end connection is over HTTPS. Because the real server hosts multiple certificates, it must be told which host is being requested in order to present the matching certificate during the TLS handshake.

With the above configuration, FortiWeb copies the host name from the client's SNI extension into the SNI extension of its own TLS handshake with the real server, which uses it to select the appropriate certificate.

To verify the configuration, connect to the virtual server with 'openssl s_client -connect <virtual-server-IP>:443 -servername <FQDN>' for each FQDN in the SNI policy and confirm that the subject of the returned certificate changes with the name; a connection that omits -servername matches no SNI entry and receives whichever certificate the server policy presents by default.
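As an added, self-contained illustration of the two handshakes described in this note (it is not FortiWeb code and is not part of the original article), the Go program below builds a small TLS server that selects its certificate from the ClientHello's SNI the way an inline SNI policy does, falling back to a default certificate when no SNI or an unknown name arrives, and then models FortiWeb's own connection to an HTTPS pool member with server-side SNI enabled and disabled. The domains a.example.com, b.example.com and default.example.com and the function names are hypothetical, and the certificates are generated in memory as test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for cn: constructed test
// material, standing in for certificates imported under Server Objects -> Certificates -> Local.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// newSNIServer models an inline SNI policy: one certificate per domain in names, plus
// a default (CN defaultCN) presented when the ClientHello has no SNI or an unknown name.
func newSNIServer(names []string, defaultCN string) *tls.Config {
	certs := map[string]tls.Certificate{}
	for _, n := range names {
		certs[n] = selfSigned(n)
	}
	def := selfSigned(defaultCN)
	return &tls.Config{
		// Disabled only so the synchronous net.Pipe in handshakeCN never blocks on a
		// post-handshake ticket write that the client has not read.
		SessionTicketsDisabled: true,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := certs[h.ServerName]; ok { // ServerName is "" when no SNI was sent
				return &c, nil
			}
			return &def, nil
		},
	}
}

// handshakeCN runs one TLS handshake against srv over an in-memory pipe, sending
// serverName as SNI (no SNI extension when empty), and returns the CN of the certificate
// the server chose. Verification is skipped only because the certificates are self-signed.
func handshakeCN(srv *tls.Config, serverName string) (string, error) {
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	errc := make(chan error, 1)
	go func() {
		defer sConn.Close()
		errc <- tls.Server(sConn, srv).Handshake()
	}()
	c := tls.Client(cConn, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err := c.Handshake(); err != nil {
		return "", err
	}
	if err := <-errc; err != nil {
		return "", err
	}
	return c.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// forwardToPool models FortiWeb's own handshake with an HTTPS pool member: with
// server-side-sni enabled the client's SNI is reused, otherwise no SNI is sent and the
// pool member falls back to its default certificate.
func forwardToPool(pool *tls.Config, clientSNI string, serverSideSNI bool) (string, error) {
	if !serverSideSNI {
		clientSNI = ""
	}
	return handshakeCN(pool, clientSNI)
}

func main() {
	// Hypothetical names; substitute the FQDNs in your own SNI policy.
	srv := newSNIServer([]string{"a.example.com", "b.example.com"}, "default.example.com")
	for _, sni := range []string{"a.example.com", "b.example.com", "c.example.com", ""} {
		cn, err := handshakeCN(srv, sni)
		fmt.Printf("client SNI %q -> certificate CN %q (err=%v)\n", sni, cn, err)
	}
	cn, _ := forwardToPool(srv, "b.example.com", false)
	fmt.Printf("pool member with server-side-sni disabled presented %q\n", cn)
}
```

Run it with go run: the loop shows each known name receiving its own certificate and an unknown or absent name receiving the default, and the last line shows why Step 3 matters, since without server-side SNI the pool member answers with its default certificate rather than the one for the host the client asked for.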

Related document:

Defining your web servers