Technical Tip: Encrypting replacement messages with a custom certificate
Description
This article describes how to configure the FortiGate to sign the 'Access Denied' replacement message with a custom CA certificate instead of the default 'Fortinet_CA_SSL' certificate.
Solution
In an Explicit Proxy environment, an end user who browses to a URL over HTTP, and whose access is denied by an Explicit Proxy firewall policy, is returned a denied message such as 'Access Denied: The page you requested has been blocked by a firewall policy restriction'.
If the same end user browses to the same URL over HTTPS, the same denied message is returned, but to serve that page the FortiGate has to terminate the TLS session itself: it presents a server certificate for the requested site that it issues on the fly. By default that certificate is signed by the built-in 'Fortinet_CA_SSL' CA, so unless the client trusts 'Fortinet_CA_SSL' the browser shows a certificate warning before the 'Access Denied' page is displayed. The commands below make the FortiGate sign with a custom CA instead. The custom CA certificate must be imported on the FortiGate together with its private key (see the first related link), and it must be trusted by the clients for the warning to disappear.
FortiOS v5.4 – 6.0:

# config user setting
    set auth-ca-cert "<custom_CA_certificate>"
end

FortiOS v6.2:

# config web-proxy global
    set ssl-ca-cert "<custom_CA_certificate>"
end

Here <custom_CA_certificate> is the name under which the CA certificate and its private key were imported on the FortiGate. Once the command is executed, the 'Access Denied: …' replacement message will be signed using the <custom_CA_certificate>.
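The following POSIX shell script is an added example and is not part of the Fortinet article. It uses OpenSSL to build the kind of CA key pair you would import as <custom_CA_certificate>, then reproduces offline what the FortiGate does for an HTTPS 'Access Denied' page: it issues a server certificate for the blocked host under that CA and checks which trust store accepts it. The names "Example Corp Proxy CA" and "blocked.example.com" are placeholders, and a second locally generated CA named "Fortinet_CA_SSL" stands in for the factory CA; the script assumes the openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): build a custom CA with OpenSSL,
# issue a proxy-style server certificate under it, and show that a client only
# accepts the certificate when the issuing CA is in its trust store.
# "Example Corp Proxy CA" and "blocked.example.com" are placeholder names.
set -eu

# gen_ca DIR CN: CA private key and self-signed CA certificate written to DIR.
# A minimal config file is used so the result does not depend on the system openssl.cnf.
gen_ca() {
  dir="$1"; cn="$2"
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $cn
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_leaf CADIR OUTDIR HOST: server certificate for HOST signed by the CA in CADIR.
# This is the certificate the proxy presents to the client in place of HOST's real one.
issue_leaf() {
  cadir="$1"; out="$2"; host="$3"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$host" > "$out/leaf.cnf"
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
    "$host" > "$out/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$out/leaf.cnf" \
    -keyout "$out/leaf.key" -out "$out/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$out/leaf.csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$out/leaf.ext" -out "$out/leaf.crt" 2>/dev/null
}

# chain_ok CA_FILE LEAF: succeeds only if LEAF chains to CA_FILE (what a client
# that trusts CA_FILE would decide).
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_cn CERT: CN of the certificate's issuer (works for old and new -issuer formats).
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# run_demo: one line summarising the issuer of the served certificate and whether a
# client trusting the custom CA, or only the default CA, accepts it.
run_demo() {
  work="$(mktemp -d)"
  mkdir "$work/custom" "$work/default" "$work/leaf"
  gen_ca "$work/custom" "Example Corp Proxy CA"   # the <custom_CA_certificate>
  gen_ca "$work/default" "Fortinet_CA_SSL"        # local stand-in for the factory CA
  issue_leaf "$work/custom" "$work/leaf" "blocked.example.com"

  custom=fail; default=fail
  chain_ok "$work/custom/ca.crt"  "$work/leaf/leaf.crt" && custom=ok
  chain_ok "$work/default/ca.crt" "$work/leaf/leaf.crt" && default=ok
  echo "issuer=$(issuer_cn "$work/leaf/leaf.crt") custom=$custom default=$default"
  rm -rf "$work"
}

run_demo
```

The custom CA's ca.crt and ca.key are what get imported on the FortiGate as <custom_CA_certificate>, and ca.crt alone is what gets distributed to the clients' trust stores. To check the change on a live unit, point `openssl s_client -proxy <fortigate-ip>:<proxy-port> -connect blocked.example.com:443 -showcerts` at the explicit proxy (addresses and port are assumptions here) and confirm that the issuer printed for the served certificate is the custom CA rather than Fortinet_CA_SSL.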
Related links:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Certificates.htm#Example_%E2%80%94_Generate_and_Import_CA_certificate_with_private_key_pair_on_OpenSSL
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/769966/web-proxy-global-settings
https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/316620/web-proxy-global