Created on 06-08-2022 12:10 AM
Edited on 02-14-2025 05:46 AM
By Anthony_E
This article describes how to allow FortiWeb to support multiple server certificates.
Applies to FortiWeb v7.0.X and later.
To support multiple certificates, FortiWeb needs a Server Name Indication (SNI) configuration.
Step 1: SNI policy configuration.
Repeat Steps 4 and 5 to add all the server certificates (which are hosted on a single server) to the SNI group.
Reference: Section 'To create an inline Server Name Indication (SNI) configuration' from the following links:
How to offload or inspect HTTPS v7.0.10
How to offload or inspect HTTPS v7.2.10
How to offload or inspect HTTPS v7.4.6
Step 2: Server policy configuration for SNI.
Step 3: Enable server-side SNI. (This is necessary if the real server allows only HTTPS service.)
CLI syntax:
config server-policy server-pool
    edit "<server-pool_name>"
        config pserver-list
            edit <entry_index>
                set server-side-sni enable
            next
        end
    next
end
Note:
Server-side SNI is necessary when the backend connection is over HTTPS. Because the server has multiple certificates, it needs to know which certificate to present during the SSL handshake.
With the above configuration, FortiWeb forwards the client's request to the server with the SNI extension, which the server verifies in order to present the appropriate certificate.