Using Certificates in HTTPS Clusters
The HTTPS protocol supports encrypted, secure communication between clients and servers. It
requires that a Secure Sockets Layer (SSL) authentication handshake occur between a client and a
server in order for a connection request to succeed.
When a client requests an HTTPS connection to a web server, the server (which has already been
set up to support SSL connections) sends a server certificate to the client for verification. The
client checks the content of the certificate against a local database of Certificate Authorities, and
if it finds a match the connection is made. If no match is found (as is often the case with
self-signed certificates), the browser will display a warning and ask if you want to continue
with the connection.
A further level of trust can be enabled by setting the server up to request a client certificate in
addition to the server certificate. Copies of the client certificate are pre-installed on both client
and server. When the server sends the server certificate to the client, it also sends a request for a
certificate from the client. Once the client accepts the server certificate as described above, it
sends the client certificate to the server for verification. The server compares the client certificate
it receives with its local copy of the client certificate, and if they match the connection is made.
Each Layer 7 HTTPS cluster requires a server certificate; client certificates are optional.
Web servers (such as Apache) and browsers (such as Internet Explorer and Firefox) are delivered
with pre-installed Trusted Root Certificates. Trusted Root Certificates are used to validate the
server and client certificates that are exchanged when an HTTPS connection is established.
Equalizer supports self-signed certificates, as well as signed certificates from Trusted Root
Certificate Authorities and from Certificate Authorities (CAs) without their own Trusted Root CA
certificates. If a CA without its own Trusted Root CA certificate issues your certificate, you will
need to install at least two certificates: a server certificate and a chained root (or intermediate)
certificate for the CA. The intermediate certificate associates the server certificate with a Trusted
Root certificate.
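
The chain relationship described above can be checked with the openssl command line before certificates are installed. The script below is an added example, not part of the Equalizer documentation: it builds a constructed root CA, intermediate CA and server certificate, then shows that a client trusting only the root rejects the server certificate until the intermediate is supplied. All subject names and file names are made up for the demonstration.

```shell
#!/bin/sh
# Constructed demo chain: root CA -> intermediate CA -> server certificate.
# Subjects, file names and the 30-day lifetime are illustrative assumptions.

issue() {  # $1=dir $2=issuer $3=subject file name $4=extension section $5=subject DN
  openssl req -new -config "$1/ext.cnf" -newkey rsa:2048 -nodes -subj "$5" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -extfile "$1/ext.cnf" -extensions "$4" -days 30 \
    -out "$1/$3.pem" 2>/dev/null
}

make_chain() {  # $1 = working directory
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = placeholder' \
    '[ca]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
    '[leaf]' 'basicConstraints = CA:FALSE' > "$d/ext.cnf"
  # Self-signed root: stands in for a Trusted Root the client already holds.
  openssl req -x509 -config "$d/ext.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -subj '/CN=Constructed Root CA' -days 30 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  # Intermediate CA, signed by the root.
  issue "$d" root int ca '/CN=Constructed Intermediate CA' &&
  # Server certificate, signed by the intermediate rather than by the root.
  issue "$d" int srv leaf '/CN=cluster.example.test'
}

# A client that trusts only the root, and receives only the server certificate.
verify_root_only() {
  openssl verify -CAfile "$1/root.pem" "$1/srv.pem" >/dev/null 2>&1
}

# The same client when the intermediate is supplied alongside the server certificate.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/srv.pem" \
    >/dev/null 2>&1
}

work=$(mktemp -d)
if make_chain "$work"; then
  if verify_root_only "$work"; then echo "root only: verified"
  else echo "root only: rejected (issuer of server certificate not found)"; fi
  if verify_with_intermediate "$work"; then echo "with intermediate: verified"
  else echo "with intermediate: rejected"; fi
fi
rm -rf "$work"
```

With real files, the same two `openssl verify` calls show whether the intermediate certificate from the CA actually links the server certificate to a root the clients trust.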
Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc.