Technical Tip: How to import CA certificates into IOS mobile devices
Description
This article describes the issue of iPhone and iPad devices accessing a website that is being protected by FortiGate web filter with SSL Full Inspection.
iPhone and iPad users will get an error prompt of 'Untrusted security certificate'.
This is a known behavior with FortiGate CA certificates on IOS devices, where it is not able to locate the intermediate CA and will show an error message.
This is a known behavior with FortiGate CA certificates on IOS devices, where it is not able to locate the intermediate CA and will show an error message.
Scope
FortiGate, BYOD ('Bring Your Own Device') clients, IOS Mobile Devices.
Solution
There are 2 options to install the CA certificate on IOS/BYOD clients. Either install the CAs to BYOD clients manually or use some sort of MDM (Mobile Device Management) and NAC (Network Access Control) to install the certificates to the BYOD machines, or have a redirection page/captive portal to download the certificate.
If MDM and NAC are not available, the only solution is to download and install the certificate to the IOS/BYOD clients.
To manually download and install the CA certificate from the FortiGate to the clients:
Download the FortiGate CA from the Web-Based Manager (GUI).
- Go to System -> Certificates -> Local Certificates.
- Select Fortinet_CA_SSLProxy (this applies to another certificate that needs to be used for SSL inspection).
- Select Download.
- Save the file Fortinet_CA_SSLProxy.cer (or any other related CA file if another certificate needs to be used).
Follow the steps below to import FortiGate’s CA certificate into an IOS device:
- Download the iPhone configuration utility.
- Make sure the certificate is installed on the machine.
- Launch the tool.
- Select the configuration profiles workspace area.
- Select the new button.
- Under 'General', select a name such as 'Root Certificate Trust', and all other mandatory fields.
- Select the credentials area, and select the configure button.
- Select the certificate to trust, then select OK.
- Connect the iOS device.
- The device will show under Devices. Select it.
- Select the Devices Configuration Profiles tab.
- The new profile will be displayed. Select Install.
- A message will be displayed on the iOS device prompting the user to select Install. Select Install on the device.
- Select 'Install now' to the confirmation.
- A passcode will be requested, then the screen will change to the profile installed. Select the Done button.
Note: In certain iOS versions, the Certificate warning can persist even though the Certificate is installed using an MDM profile under Settings -> General -> About -> Certificate Trust Settings:
In such a scenario, the certificate must also be enabled under the 'Enable full trust for root certificates' sub-section of the Certificate Trust Settings in the MDM profile. This setting must be active for the FortiGate CA certificate in this case:
The new Certificate will be visible under:
Settings > General > VPN & Device Management
Tap the profile.
Verification Steps on iOS.
- Verify that the certificate was installed: Settings -> General -> About -> Certificate Trust Settings -> Enable full trust toggle.
- Verify the certificate chain: Safari -> Go to an HTTPS site using the FortiGate certificate -> Tap lock -> View certificate details.
Related articles:
Technical Tip: How to enable deep inspection and import a certificate in the browser
Technical Tip: How to import FortiGate CA certificates into Android devices