FortiWeb
Khidzir_MN
Staff
Article Id 378659
Description
This article describes how to fix the issue where the web application is inaccessible after the Windows Server IIS Centralized Certificate Store (CCS) is enabled for the Real Server.
Scope
FortiWeb and FortiWeb-VM.
Solution

Windows Server IIS 8.0 and later provides an option to use a Centralized Certificate Store (CCS).
This feature stores and manages SSL certificates centrally instead of installing each server certificate on every web server that needs it.
To select the certificate for a connection, the feature matches the Server Name Indication (SNI) value sent by the client against the certificates in the store.

By default, FortiWeb does not forward the SNI information from the client to the respective Server Pool member.
This breaks the communication, because the Real Server (IIS) does not receive the SNI information and is therefore unable to match the correct certificate.


Enable the 'Enable Server Name Indication (SNI) Forwarding' option in the respective Server Pool member so that FortiWeb forwards the client's SNI information to the Real Server. This option needs to be enabled for every Server Pool member:

[Screenshot: enable_sni_forwarding.png]


Related documents:
Central Certificate Store (CCS) with IIS

Defining your web servers
