Technical Tip: How to enable deep inspection and import a certificate in the browser
Description
This article describes how to enable a deep inspection profile in the Firewall Policy and import the certificate in the browser to avoid certificate warnings.
Scope
FortiGate.
Solution
When multiple security profiles are added to a policy and a full SSL inspection ('deep-inspection') profile is selected, the policy page shows a message that endpoint users may experience a certificate warning. To remove the warning, the certificate used by the SSL & SSH inspection profile must be installed in the trusted root certificate store of the endpoint.
Full SSL inspection normally relies on a certificate issued by a private CA, so the browser does not trust the certificate used for inspection. The fix is to add that CA certificate to the trusted root store on the workstation.
The following is an example of the browser error that appears when the certificate used for full SSL inspection is not trusted:
- On the FortiGate, go to Security Profiles -> SSL/SSH Inspection and select 'deep-inspection'.
- The default CA Certificate is Fortinet_CA_SSL.
- Select 'Download'.
- On the user's computer, select the downloaded certificate file and select 'Open'.
- Select 'Install Certificate' to launch the certificate import wizard and use the wizard to install the certificate into the trusted root certificate authorities store.
If a security warning appears, select 'Yes' to install the certificate. Verify that the certificate was successfully added to the Trusted Root Certification Authorities store:

Note:
Only install the certificate of a trusted root certificate authority into that store.
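The same import and verification can be done from an elevated PowerShell prompt, which is also how the step is typically scripted for many workstations. The following is an added example and not code from the Fortinet article; the file path is an assumption, and the script refuses to import anything that is not a self-signed CA certificate, so a server (leaf) certificate cannot accidentally be placed in the root store.

```powershell
# Added example (not from the Fortinet article): import the downloaded
# Fortinet_CA_SSL.cer into the Local Machine Trusted Root store and verify it.
# Run from an elevated PowerShell prompt. The path below is an assumption.
$CertPath = 'C:\Temp\Fortinet_CA_SSL.cer'

# Load the certificate and confirm it really is a CA certificate before
# trusting it as a root: basicConstraints must say CA:TRUE and the
# certificate must be self-signed (subject equals issuer). Refuse anything else.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$basic = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $basic -or -not $basic.CertificateAuthority) {
    throw "Refusing to install '$CertPath' as a root: it is not a CA certificate."
}
if ($cert.Subject -ne $cert.Issuer) {
    throw "Refusing to install '$CertPath' as a root: it is not self-signed."
}

# Import into Trusted Root Certification Authorities (machine-wide, all users).
# Import-Certificate is part of the built-in PKI module (Windows 8 / Server 2012 and later).
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Verify by thumbprint that the certificate landed in the right store.
$installed = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed) {
    "Installed in LocalMachine\Root: $($installed.Subject) (expires $($installed.NotAfter))"
} else {
    throw "Certificate was not found in LocalMachine\Root after import."
}
```

On systems without the PKI module, `certutil -addstore -f Root C:\Temp\Fortinet_CA_SSL.cer` performs the same import. The thumbprint comparison at the end is the check to run on any client after a GPO or MDM rollout: if the FortiGate CA thumbprint is absent from `Cert:\LocalMachine\Root`, that client will still see the browser warning.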
- On the FortiGate, go to Policy & Objects -> IPv4 Policy and edit the policy. Starting from FortiOS 6.4.0, it is under Policy & Objects -> Firewall Policy.
- Under the section 'SSL Inspection', select 'deep-inspection'.
- Select OK to save the changes.
Refer to this document for more information: Obtain, setup, and download an SSL certificate package from a certificate authority
To import the certificate on the FortiGate (continuing from the 'Importing Certificate' section of that document):
- Upload the local certificate file, then select OK.
- The status of the certificate will change from PENDING to OK.
- Select Import -> CA Certificate.
- Set the Type to File, upload the CA certificate file, and then select OK.
The CA certificate will be listed in the CA Certificates section of the certificates list.
Important Note:
Deep inspection only works if there is at least one Security Profile enabled. Without a Security Profile enabled, deep inspection is not triggered.
Note:
If the certificate needs to be imported on macOS, use the Keychain Access application. In Keychain Access, select File -> Import Items, select the certificate file, choose the System keychain, and select Open.
Once the certificate is imported, double-click it, expand the Trust section, and set 'When using this certificate' to 'Always Trust'.
Certificate deployment requirement:
When enabling Deep Inspection, the FortiGate CA certificate must be trusted by client devices. If the certificate is not installed on endpoints, users may receive browser warnings such as 'Your connection is not private' or 'Certificate not trusted'.
In managed environments, it is recommended to distribute the FortiGate CA certificate using centralized tools such as Active Directory Group Policy (GPO) or endpoint management platforms like Intune, SCCM, or other MDM solutions to ensure clients trust the inspection certificate.