Technical Tip: How to regenerate the Fortinet_CA_SSLProxy CA certificate used for SSL inspection
Description
Solution
As of FortiCache v3.0.4, a new CLI command to regenerate the default SSL inspection CA certificate has been introduced. The following command must be executed to guarantee the uniqueness of the Fortinet_CA_SSLProxy CA certificate:
FortiCache # exec vpn certificate local generate default-ssl-ca
Once the command completes, the regenerated default CA certificate can be inspected with the following commands (compare the fingerprint and serial number with the values recorded before regeneration to confirm that the certificate has actually changed):
FortiCache # config vpn certificate local
FortiCache (local) # edit Fortinet_CA_SSLProxy
FortiCache (Fortinet_CA_SSLProxy) # get
name : Fortinet_CA_SSLProxy
password : *
private-key : *
certificate :
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
Valid from: 2015-06-16 12:26:20 GMT
Valid to: 2025-06-16 12:26:20 GMT
Fingerprint: 32:AC:D7:E2:9E:66:A4:A6:BE:85:0C:20:D0:A9:1E:EB
Root CA: Yes
Version: 3
Serial Num:
3c:53:66:6f:87:4e:8f:76
Extensions:
Name: X509v3 Basic Constraints
Critical: no
Content:
CA:TRUE
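The point of regenerating the default CA is that every unit ends up with a CA certificate (and private key) of its own. As an added example, not Fortinet code, the following Python script parses the `get` output shown above as collected from several FortiCache units and flags any two units that still present the same CA fingerprint, as well as certificates that are not root CAs or are outside their validity period. The device names and the outputs of `forticache-b` and `forticache-c` are constructed for the demonstration; `forticache-a` reuses the values printed on this page.

```python
import re
from datetime import datetime

# Constructed sample data (not captured from a real fleet): the 'get' output
# of the Fortinet_CA_SSLProxy certificate as printed by several FortiCache
# units. Device "forticache-a" reproduces the values shown on this page;
# the other two are made up for the demonstration.
TEMPLATE = """\
name : Fortinet_CA_SSLProxy
password : *
private-key : *
certificate :
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
Valid from: 2015-06-16 12:26:20 GMT
Valid to: 2025-06-16 12:26:20 GMT
Fingerprint: {fp}
Root CA: Yes
Version: 3
Serial Num:
{serial}
Extensions:
Name: X509v3 Basic Constraints
Critical: no
Content:
CA:TRUE
"""

PAGE_FP = "32:AC:D7:E2:9E:66:A4:A6:BE:85:0C:20:D0:A9:1E:EB"
PAGE_SERIAL = "3c:53:66:6f:87:4e:8f:76"

SAMPLE_OUTPUTS = {
    "forticache-a": TEMPLATE.format(fp=PAGE_FP, serial=PAGE_SERIAL),
    # constructed: a unit whose CA was regenerated, so it has its own fingerprint
    "forticache-b": TEMPLATE.format(fp="7D:11:6C:2A:F0:9B:3E:55:A1:08:C4:DE:67:92:1B:F3",
                                    serial="5a:0e:91:c3:7f:2b:44:d8"),
    # constructed: a unit still carrying the same CA as forticache-a
    "forticache-c": TEMPLATE.format(fp=PAGE_FP, serial=PAGE_SERIAL),
}

FIELD_RE = re.compile(r"^(Subject|Issuer|Valid from|Valid to|Fingerprint|Root CA|Version):\s*(.*)$")
DATE_FMT = "%Y-%m-%d %H:%M:%S GMT"


def parse_cert_get(output):
    """Turn the CLI 'get' output of one local certificate into a dict.

    Single-line fields are matched by FIELD_RE; 'Serial Num:' is special
    because its value is printed on the following line.
    """
    info = {}
    lines = [line.strip() for line in output.splitlines()]
    for i, line in enumerate(lines):
        match = FIELD_RE.match(line)
        if match:
            info[match.group(1)] = match.group(2).strip()
        elif line.startswith("name :"):
            info["name"] = line.split(":", 1)[1].strip()
        elif line == "Serial Num:" and i + 1 < len(lines):
            info["Serial Num"] = lines[i + 1]
    return info


def check_fleet(outputs, now):
    """Return {device: [findings]} for a fleet; an empty list means the unit is fine.

    outputs: {device name: 'get' output text}
    now:     'YYYY-MM-DD' date to test the validity period against (the
             dates in the output are GMT, so the comparison is done in UTC).
    """
    now_dt = datetime.strptime(now, "%Y-%m-%d")
    parsed = {dev: parse_cert_get(text) for dev, text in outputs.items()}

    # Group units by fingerprint. Two units presenting the same certificate
    # necessarily hold the same CA private key, which is exactly what
    # regenerating the default CA is meant to avoid.
    by_fingerprint = {}
    for dev, info in parsed.items():
        by_fingerprint.setdefault(info.get("Fingerprint"), []).append(dev)

    findings = {}
    for dev, info in parsed.items():
        problems = []
        peers = sorted(d for d in by_fingerprint[info.get("Fingerprint")] if d != dev)
        if peers:
            problems.append("fingerprint shared with " + ", ".join(peers))
        if info.get("Root CA") != "Yes":
            problems.append("not a root CA")
        valid_from = datetime.strptime(info["Valid from"], DATE_FMT)
        valid_to = datetime.strptime(info["Valid to"], DATE_FMT)
        if not valid_from <= now_dt <= valid_to:
            problems.append("outside validity period")
        findings[dev] = problems
    return findings


if __name__ == "__main__":
    for device, problems in check_fleet(SAMPLE_OUTPUTS, "2020-01-01").items():
        print(device, "OK" if not problems else "; ".join(problems))
```

Run against the constructed sample, `forticache-b` comes back clean while `forticache-a` and `forticache-c` are reported as sharing a fingerprint; in practice the inputs would be the `get` outputs collected from each unit after the regeneration command has been run.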
Another solution is to configure FortiCache to import and use the customer's own CA certificate for SSL inspection. The configuration steps to import a CA certificate are available in the FortiCache administration guide in the Fortinet Document Library.
The selection of the appropriate CA certificate can be performed via GUI or using the following CLI commands:
Note: multiple CA certificates can be configured, one per deep inspection profile. Replace the placeholder below with the name of the imported CA certificate:
config firewall deep-inspection-options
    edit "web"
        set caname <ca-certificate-name>
    next
end
For browsers to accept the certificates that FortiCache issues during SSL inspection without warnings, the Fortinet_CA_SSLProxy certificate must be installed in them as a trusted certificate authority. It can be exported to a remote TFTP server using the following CLI command:
exec vpn certificate local export tftp Fortinet_CA_SSLProxy Fortinet_CA_SSLProxy.cer 192.168.1.1
It can also be exported from the local certificates GUI menu.
The FortiCache CA certificate used for SSL inspection can then be imported into any browser from the exported Fortinet_CA_SSLProxy.cer file; refer to the browser's help documentation for the import procedure.
Starting from FortiOS 5.4, the certificate 'Fortinet_CA_SSLProxy' was replaced with 'Fortinet_CA_SSL'.