Updating SSL Certificate in FortiWeb Server Policy
Preface
An SSL certificate is an important part of a web application. Without a valid one, your website is probably either:
- Using plain HTTP, so traffic to your website can easily be read by anyone;
- Using an invalid or untrusted certificate over HTTPS, which still encrypts the traffic but throws a browser error at your users.
If you are using FortiWeb and want to offload/terminate SSL on it, you need to add the certificate that your websites use to the FortiWeb Server Policy, and update it when the old certificate expires.
Prerequisite
Things to make sure:
- You have access to the FortiWeb;
- You already have the SSL certificate at hand. If you don't have one yet, you probably need to generate a CSR and request the certificate from your Certificate Authority. To generate a CSR, you can read the post here.
Most of the time, for the FortiWeb, you just need the following two:
- The SSL certificate itself (.crt or .cer);
- The intermediate certificate (also .crt or .cer).
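Before importing, it helps to confirm that the intermediate file really is the issuer of the site certificate and that the site certificate is not about to expire. The script below is an added example, not part of the original post: it assumes the openssl CLI on your workstation and PEM-encoded files, and the file names and the sample-*.example.test names are constructed for illustration.

```shell
#!/bin/sh
# check_pair LEAF INTERMEDIATE [MIN_DAYS]
#   0 = the intermediate issued the leaf and the leaf is valid for MIN_DAYS more
#   1 = the leaf does not verify against this file (wrong issuer or not valid now)
#   2 = the leaf expires within MIN_DAYS days (default 30)
check_pair() {
  cp_leaf=$1; cp_inter=$2; cp_days=${3:-30}
  # -partial_chain accepts the intermediate as trust anchor, so no root file is
  # needed; the signature is checked, not just the issuer name.
  if ! openssl verify -partial_chain -CAfile "$cp_inter" "$cp_leaf" >/dev/null 2>&1; then
    echo "FAIL: $cp_leaf does not verify against $cp_inter"; return 1
  fi
  # -checkend N exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$cp_leaf" -noout -checkend $((cp_days * 86400)) >/dev/null; then
    echo "FAIL: $cp_leaf expires within $cp_days days"; return 2
  fi
  echo "OK: $(openssl x509 -in "$cp_leaf" -noout -subject -enddate | tr '\n' ' ')"
}

# Constructed sample PKI (throwaway keys, hypothetical names) written to
# directory $1: root.crt -> inter.crt -> site.crt; the leaf is valid for $2
# days (default 365).
make_sample_pki() {
  (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root inter site; do
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sample-$n.example.test" \
        -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 365 -out root.crt 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -set_serial 2 \
      -extfile ca.ext -days 365 -out inter.crt 2>/dev/null &&
    openssl x509 -req -in site.csr -CA inter.crt -CAkey inter.key -set_serial 3 \
      -days "${2:-365}" -out site.crt 2>/dev/null
  )
}

# Usage on real files: sh check_pair.sh site.crt intermediate.crt
if [ "$#" -ge 2 ]; then check_pair "$@"; fi
```

A result of 1 is what you get when the root CA file is picked by mistake instead of the intermediate, which is worth catching before the file lands in an Intermediate CA Group.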
Assumption
In this post, we assume that all other required configuration (such as the Virtual Server, Server Policy, etc.), apart from what is needed for certificates, is already in place.
Procedure
- Access the FortiWeb web UI;
- Upload the certificate file:
  - Open the Server Objects → Certificates → Local menu;
  - Select the Import button;
  - In the newly opened window, for the Type, select Local Certificate, and in Certificate file, upload the SSL .crt file of the web applications you want to update;
  - Select OK.
- Upload the intermediate certificate file:
  - Open the Server Objects → Certificates → Intermediate CA menu;
  - In the Intermediate CA tab, select the Import button;
  - In the newly opened window, enable the Local PC button, select Upload, and then upload the .crt intermediate certificate file;
  - Select OK;
  - The file will be saved into a new numbered entry, usually Inter_Cert_x. Note the name/number of the entry;
  - Open the Intermediate CA Group tab, and then select Create New;
  - In the newly opened window, for the Name, we can just use the same name as the intermediate certificate file;
  - Select OK;
  - Select Create New;
  - In the newly opened window, choose the previously created intermediate CA entry;
  - Select OK again.
- Add/update the certificate in the Server Policy:
  - Open the Policy → Server Policy menu;
  - Select the name of the policy whose SSL certificate you want to add/update;
  - In the newly opened Edit Policy window, configure the following:
    - In the Certificate Type option, select Local;
    - In the Certificate option, choose the certificate for the server policy domain you uploaded previously;
    - In the Certificate Intermediate Group option, choose the intermediate certificate you uploaded previously;
  - Select OK.
Conclusion
At this point, the SSL certificate should be added/renewed for your backend applications. You can verify this by visiting the applications themselves and checking the validity and expiry date of the website certificate.