Updating SSL Certificate in FortiWeb Server Policy

Preface

An SSL/TLS certificate is an essential part of a web application. Without a valid one, your website is probably either:

  1. Using plain HTTP, so anyone on the network path can read the traffic to your website; or
  2. Using an invalid or untrusted certificate over HTTPS, which still encrypts the traffic but throws a browser warning at your users.

If you are using FortiWeb and want to offload/terminate SSL on it, you need to add the certificate your websites use to the FortiWeb Server Policy, and update it before the old certificate expires.

Prerequisite

Things to make sure:

  1. You have administrative access to the FortiWeb;
  2. You already have the SSL certificate at hand. If you do not have one yet, you need to generate a CSR and submit it to a Certificate Authority. To generate a CSR, you can read the post here.

Most of the time, for the FortiWeb, you just need the following two:

  • The SSL certificate itself (.crt or .cer);
  • The intermediate certificate (also .crt or .cer).

This holds when the CSR was generated on the FortiWeb itself, because the matching private key is already stored there. If the CSR was generated elsewhere (for example with OpenSSL on a workstation), you also need the private key file, and the import type in the procedure below differs: besides Local Certificate, the Import dialog offers a Certificate type (certificate plus key file) and a PKCS12 Certificate type (a .p12/.pfx bundle). Keep that private key off shared drives and e-mail; it is the one piece an attacker could use to impersonate the site.

Assumption

In this post, we assume that all other configuration the policy needs (Virtual Server, Server Policy, server pool, etc.) is already in place; only the certificate-related settings are covered.

Procedure

  1. Log in to the FortiWeb web UI;
  2. Upload the certificate file:
    1. Open the Server Objects > Certificates > Local menu;
    2. Select the Import button;
    3. In the newly opened window, for Type select Local Certificate, and in Certificate file upload the SSL .crt file of the web application you want to update;
    4. Select OK.
  3. Upload the intermediate certificate file:
    1. Open the Server Objects > Certificates > Intermediate CA menu;
    2. In the Intermediate CA tab, select the Import button;
    3. In the newly opened window, enable the Local PC option, select Upload, and then upload the intermediate .crt file;
    4. Select OK;
    5. The file is saved as a new numbered entry, usually Inter_Cert_x. Note the name/number of the entry;
    6. Open the Intermediate CA Group tab, and then select Create New;
    7. In the newly opened window, for the Name, you can simply reuse the file name of the intermediate certificate;
    8. Select OK;
    9. Inside the new group, select Create New to add a member;
    10. In the newly opened window, choose the intermediate CA entry (Inter_Cert_x) you noted earlier;
    11. Select OK again.
  4. Add/update the certificate in the Server Policy:
    1. Open the Policy > Server Policy menu;
    2. Select the name of the policy whose SSL certificate you want to add/update;
    3. In the newly opened Edit Policy window, configure the following:
      1. For Certificate Type, select Local;
      2. For Certificate, choose the certificate you uploaded in step 2 for this policy's domain;
      3. For Certificate Intermediate Group, choose the intermediate CA group you created in step 3;
      4. Select OK.

When renewing, import the new certificate under a new name rather than overwriting the old entry, so you can switch the policy back if the new one turns out to be wrong. Also check whether the CA issued the renewed certificate from a different intermediate than last time; if so, step 3 has to be repeated for the new intermediate, otherwise the policy will serve a leaf that browsers cannot chain to a trusted root.

Conclusion

At this point, FortiWeb should present the new certificate for the virtual server that the policy serves (the certificate is terminated on FortiWeb; nothing changes on the backend servers themselves). Verify it from outside: open the site in a browser, check the validity period and expiry date of the certificate, and confirm that the chain shown includes the intermediate, since a missing or mismatched Certificate Intermediate Group is the usual reason a freshly renewed certificate still shows as untrusted.
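As an added example (not part of the original post, and not FortiWeb's or Fortinet's own tooling), the following POSIX shell script does that verification with the OpenSSL CLI instead of a browser. It also includes a pre-upload check, precheck, which confirms that the intermediate file you are about to import actually issued the leaf certificate and that the private key (if you have one) matches, so a mismatch is caught before it reaches the policy. It assumes openssl is in PATH, that the machine running it has the CA root in its system trust store, and GNU date for the day arithmetic; the host, port and file names are placeholders, and the two s_client transcripts inside it are constructed, not captured from a device.

```shell
#!/bin/sh
# check_fortiweb_tls.sh -- added example, not from the original post or from Fortinet.
# Offline pre-check of the files you are about to import, and an external check of
# what FortiWeb actually serves after the Server Policy update.
# Assumptions: openssl CLI in PATH, system trust store holds the CA root,
# GNU date (-d) for the day arithmetic. Host/file names are placeholders.

# --- pre-upload: do the files fit together? ---------------------------------
# precheck site.crt intermediate.crt [site.key]
# Confirms that the intermediate issued the leaf, and that the key matches the
# leaf's public key. A mismatched intermediate is the usual cause of an
# "untrusted" warning after a renewal, so run this before importing anything.
precheck() {
    leaf="$1"; inter="$2"; key="$3"
    openssl verify -untrusted "$inter" "$leaf" || return 1
    [ -z "$key" ] && return 0
    # compare SubjectPublicKeyInfo rather than RSA moduli so EC keys work too
    [ "$(openssl x509 -noout -pubkey -in "$leaf")" = "$(openssl pkey -pubout -in "$key")" ]
}

# --- post-update: what does FortiWeb present? --------------------------------
# Fetch the chain for a given SNI name. -servername matters: the policy may
# select the certificate by hostname, and the default certificate may differ.
fetch_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# True only when OpenSSL could build a trusted chain from what the server sent.
# Code 21 ("unable to verify the first certificate") means the leaf arrived
# without its intermediate, i.e. the Certificate Intermediate Group is missing.
chain_ok() { grep -q 'Verify return code: 0 (ok)'; }

# Number of certificates the server sent; 1 means leaf only, no intermediate.
chain_depth() { grep -c 'BEGIN CERTIFICATE' || true; }

# Whole days between two dates in the format openssl prints ("Jan  1 00:00:00 2024 GMT").
days_between() {
    from=$(date -u -d "$1" +%s); to=$(date -u -d "$2" +%s)
    echo $(( (to - from) / 86400 ))
}

# Exit 0 if the leaf certificate on stdin is still valid after N days.
valid_for_days() { openssl x509 -noout -checkend $(( $1 * 86400 )); }

# Constructed s_client transcripts (not captured from a real device) so the
# parsers can be exercised without network access; certificate bodies are fake.
SAMPLE_OK='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIB-constructed-leaf
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB-constructed-intermediate
-----END CERTIFICATE-----
Verify return code: 0 (ok)'

SAMPLE_LEAF_ONLY='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIB-constructed-leaf
-----END CERTIFICATE-----
Verify return code: 21 (unable to verify the first certificate)'

# usage: ./check_fortiweb_tls.sh <host> [port] [warn-days]
main() {
    host="$1"; port="${2:-443}"; warn="${3:-30}"
    out=$(fetch_chain "$host" "$port") || { echo "no TLS handshake with $host:$port"; return 1; }
    echo "certificates sent: $(printf '%s\n' "$out" | chain_depth)"
    if printf '%s\n' "$out" | chain_ok; then
        echo "chain: trusted"
    else
        echo "chain: NOT trusted; check the Certificate Intermediate Group on the policy"
        printf '%s\n' "$out" | grep 'Verify return code'
    fi
    # subject, issuer and expiry of the leaf (openssl x509 reads the first PEM block)
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate
    if printf '%s\n' "$out" | valid_for_days "$warn"; then
        echo "expiry: more than $warn days left"
    else
        echo "expiry: WARNING, leaf expires within $warn days (or is already expired)"
    fi
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run precheck on the files before step 2 of the procedure, then run the script against the virtual server's hostname after step 4. A result of "certificates sent: 1" together with verify code 21 is the signature of a policy whose Certificate Intermediate Group was left empty or points at the wrong entry; some browsers hide this by fetching the intermediate themselves, which is why the openssl view is the more honest one.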
