This article describes how to configure the Client Certificate Proxy for the FortiWeb real server pool.
Scope
FortiWeb.
Solution
Prerequisites:
- FortiWeb Server Policy enabled HTTPS Protocol Service.
- The CA certificate and the passphrase-encrypted CA private key obtained from the back-end real server.
- FortiWeb Server Policy enabled Client Certificate Verification, as referred to in Technical Tip: How to enable Client Certificate Verification in FortiWeb Server Policy.
When back-end real servers authenticate users by each user's client certificate, FortiWeb can be configured to re-sign a new certificate based on the client certificate received on the Virtual Server (client to FortiWeb) and present that re-signed certificate to the back-end real server when forwarding the client's requests.
After configuring the Client Certificate Verification in FortiWeb Server Policy, continue with the configuration steps below.
Step 1: Log into the FortiWeb GUI and navigate to Server Objects > Certificates > Sign CA.
Step 2: Import the CA root certificate and the CA root private key generated on the local server that is used to sign the users' certificates. Importing may fail with an Internal Server Error if the private key is not passphrase encrypted.
Step 3: Make sure the CA root private key is passphrase encrypted, then import the CA root cert and CA root private key.
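As an added pre-import check (not part of the original article or of the FortiWeb product), the following Go program inspects a PEM private key and reports whether it is passphrase-encrypted, which is the condition steps 2 and 3 require before the import will succeed. It recognises PKCS#8 "ENCRYPTED PRIVATE KEY" blocks and the legacy OpenSSL "Proc-Type: 4,ENCRYPTED" header. The sample key pair it builds is constructed test data, and the legacy PEM encryption used for the encrypted sample is an assumption chosen because the Go standard library provides it; the article does not say which encryption format FortiWeb accepts, so run the check on the key you intend to import rather than re-encrypting it this way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// KeyIsPassphraseEncrypted reports whether the first PEM block in pemBytes is a
// passphrase-protected private key. Two encodings are recognised: a PKCS#8
// "ENCRYPTED PRIVATE KEY" block, and a plain key block type carrying the legacy
// OpenSSL "Proc-Type: 4,ENCRYPTED" header.
func KeyIsPassphraseEncrypted(pemBytes []byte) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return false, errors.New("no PEM block found in input")
	}
	switch block.Type {
	case "ENCRYPTED PRIVATE KEY":
		return true, nil
	case "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY":
		// Legacy header check only; no decryption is attempted.
		return x509.IsEncryptedPEMBlock(block), nil //nolint:staticcheck
	default:
		return false, fmt.Errorf("PEM block type %q is not a private key", block.Type)
	}
}

// SampleKeys builds constructed test data: one EC private key, returned once as
// plain PEM and once passphrase-encrypted with legacy PEM encryption (an
// assumption made only because it is available in the standard library).
func SampleKeys(passphrase string) (plainPEM, encryptedPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	plainPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
	encBlock, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", der, //nolint:staticcheck
		[]byte(passphrase), x509.PEMCipherAES256)
	if err != nil {
		return nil, nil, err
	}
	encryptedPEM = pem.EncodeToMemory(encBlock)
	return plainPEM, encryptedPEM, nil
}

func main() {
	plain, enc, err := SampleKeys("example-passphrase") // constructed sample keys
	if err != nil {
		panic(err)
	}
	for name, k := range map[string][]byte{"plain": plain, "encrypted": enc} {
		ok, err := KeyIsPassphraseEncrypted(k)
		if err != nil {
			panic(err)
		}
		if ok {
			fmt.Printf("%s key: passphrase-encrypted, ready for Sign CA import\n", name)
		} else {
			fmt.Printf("%s key: NOT encrypted, encrypt it before importing\n", name)
		}
	}
}
```

To check a real key file, read it with os.ReadFile and pass the bytes to KeyIsPassphraseEncrypted; a false result is the condition that produces the Internal Server Error described in step 2.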
Step 4: After importing the Sign CA root certificate and private key, it will show in the Sign CA page with the certificate subject information.
Step 5: Now go to the Server Pool page and edit the real server pool that requires the client certificate verification.
Step 6: Edit the real server settings and go to Advanced SSL settings. Enable the Client Certificate Proxy option, then select the Sign CA imported in step 4. Ensure that SNI Forwarding is enabled on the same settings page.
Step 7: Test by browsing to the web page that requires Client Certificate Verification and, when prompted, select the corresponding client SSL certificate for the page.
Step 8: A correct Client SSL Certificate will allow webpage browsing to work as intended.
Step 9: To further verify that the Client Certificate Proxy is working, create a packet capture in FortiWeb and filter on the back-end real server IP. In the SSL handshake of the captured example, FortiWeb sends the re-signed client certificate to the back-end real server.
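To make the re-signing behaviour concrete, here is an added Go model (not FortiWeb's code and not part of the article) of what the Client Certificate Proxy does and of the check behind step 9: the certificate seen on the wire toward the back-end must chain to the imported Sign CA, keep the user's identity, and be bound to the proxy's own key pair rather than the user's, since FortiWeb terminates the client TLS session and never holds the user's private key. All CAs, certificates and keys are constructed inside the program. Which identity fields FortiWeb copies from the received certificate is not stated in the article, so the field list in ResignClientCert is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA makes a self-signed CA (constructed test data standing in for the
// back-end server's CA that is imported under Sign CA).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert issues the user's own client-auth certificate; this is what
// the browser presents to the FortiWeb virtual server (constructed test data).
func issueClientCert(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Users"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &userKey.PublicKey, caKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// ResignClientCert models the Client Certificate Proxy step: identity fields of
// the received certificate are copied into a new certificate that carries the
// proxy's public key and is signed by the Sign CA. The copied field list is an
// assumption; the article does not document which fields FortiWeb preserves.
func ResignClientCert(received, signCA *x509.Certificate, signKey, proxyKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: received.Subject,
		DNSNames: received.DNSNames, EmailAddresses: received.EmailAddresses,
		NotBefore: received.NotBefore, NotAfter: received.NotAfter,
		KeyUsage: received.KeyUsage, ExtKeyUsage: received.ExtKeyUsage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signCA, &proxyKey.PublicKey, signKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// BackendAccepts is the check the back-end server (or an analyst looking at the
// certificate captured in step 9) performs: the presented certificate must chain
// to the Sign CA and be valid for TLS client authentication.
func BackendAccepts(presented, signCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(signCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// DemoResult summarises what the proxy produced.
type DemoResult struct {
	ResignedTrusted bool   // re-signed certificate chains to the Sign CA
	KeyRebound      bool   // re-signed certificate carries the proxy key, not the user's
	CommonName      string // subject CN preserved from the received certificate
}

// Demo runs the whole flow: user cert received, re-signed, checked as the back-end would.
func Demo() (DemoResult, error) {
	signCA, signKey, err := newCA("Back-end Sign CA")
	if err != nil { return DemoResult{}, err }
	received, err := issueClientCert("alice", signCA, signKey)
	if err != nil { return DemoResult{}, err }
	proxyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // FortiWeb's own key pair
	if err != nil { return DemoResult{}, err }
	resigned, err := ResignClientCert(received, signCA, signKey, proxyKey)
	if err != nil { return DemoResult{}, err }
	return DemoResult{
		ResignedTrusted: BackendAccepts(resigned, signCA) == nil,
		KeyRebound:      proxyKey.PublicKey.Equal(resigned.PublicKey) && !proxyKey.PublicKey.Equal(received.PublicKey),
		CommonName:      resigned.Subject.CommonName,
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil { panic(err) }
	fmt.Printf("re-signed cert for CN=%s trusted by back-end: %v, bound to proxy key: %v\n",
		r.CommonName, r.ResignedTrusted, r.KeyRebound)
}
```

When reviewing the capture from step 9, the same two questions apply to the certificate in the server-side handshake: does its issuer match the Sign CA imported in step 2, and does its subject match the user who authenticated on the virtual server. A certificate that chains to some other CA, or that is the user's original certificate, indicates that the Client Certificate Proxy is not active on that real server.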