FortiWeb
Ahmed_Galal
Staff
Article Id 367165
Description This article describes how to troubleshoot OCSP Stapling in FortiWeb.
Scope FortiWeb.
Solution
  1. Make sure the correct local certificate and the CA certificate of the OCSP server/responder are selected at Server Objects -> Certificates -> OCSP Stapling.
  2. The OCSP URL configured at Server Objects -> Certificates -> OCSP Stapling must contain the scheme, either http:// or https://.

  3. Use the openssl command to verify that the OCSP server is working properly:

openssl ocsp -noverify -no_nonce -issuer cacert.pem -cert client03.pem -text -url http://127.0.0.1:8080/opt/tanlca

Note 1: cacert.pem is the OCSP CA certificate.
Note 2: client03.pem is the test certificate to check for revocation.

Note 3: The above sample uses 3 parameters that match the FortiWeb configuration. FortiWeb actually uses this command on the backend to call openssl to verify/test OCSP stapling, then returns the result to the frontend.
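
An added example (not part of the original article and not FortiWeb's own code) that scripts steps 2 and 3: it rejects a responder URL without an http:// or https:// scheme, runs the article's openssl query, and reduces the output to good, revoked, unknown or no-response. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Fortinet code): pre-check the responder URL from step 2,
# run the article's openssl query from step 3, and classify the answer.

# Step 2: the URL must carry an explicit http:// or https:// scheme.
check_ocsp_url() {
    case "$1" in
        http://?*|https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `openssl ocsp` output on stdin and print the status of certificate
# file $1. openssl reports "<file>: good|revoked|unknown" per certificate;
# if that line is absent, the responder gave no usable answer.
ocsp_status() {
    awk -v c="$1" '
        index($0, c ": ") == 1 {
            s = substr($0, length(c) + 3)
            sub(/[ \t\r]+$/, "", s)
            print s; found = 1; exit
        }
        END { if (!found) print "no-response" }'
}

# Hypothetical wrapper: $1 = issuer CA file, $2 = certificate file, $3 = URL.
# -noverify skips signature validation of the response, as in the article.
run_ocsp_check() {
    check_ocsp_url "$3" || { echo "bad-url"; return 2; }
    openssl ocsp -noverify -no_nonce -issuer "$1" -cert "$2" -text -url "$3" 2>&1 |
        ocsp_status "$2"
}

# Constructed sample outputs (not captured from a real responder).
SAMPLE_GOOD='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
client03.pem: good
    This Update: Dec 31 09:00:00 2024 GMT'
SAMPLE_REVOKED='client03.pem: revoked
    This Update: Dec 31 09:00:00 2024 GMT
    Revocation Time: Dec 30 12:00:00 2024 GMT'
SAMPLE_ERROR='Error querying OCSP responder'
```

Because the query uses -noverify, a good result shows that the responder answers for the certificate, but the signature on the response is not validated.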

 

Related articles:

https://help.fortinet.com/fweb/590/Content/FortiWeb/fortiweb-admin/ocsp_stapling.htm
OCSP-Based certificate revocation check