Technical Tip: Limitations of Let's Encrypt Certificates for SSL/TLS Inspection on FortiGate
| Description | This article describes the limitations of using Let's Encrypt certificates for SSL/TLS inspection on FortiGates. |
| Scope | FortiGate. |
| Solution | FortiGate is capable of generating Let's Encrypt certificates for securing web applications. However, these certificates are not suitable for certificate inspection, deep packet inspection, or SSL/TLS decryption.<br><br>This is because Let's Encrypt certificates are server (end-entity) certificates, not CA certificates, so they cannot sign the certificates the FortiGate must issue on the fly when it decrypts and re-encrypts traffic for SSL/TLS inspection. A CA certificate, with the CA flag in its Basic Constraints extension set to TRUE, is required for this function; in practice this is a self-signed CA certificate generated with tools such as Windows AD CS, XCA, or OpenSSL.<br><br>Public CAs such as GoDaddy, DigiCert, GeoTrust, GlobalSign, etc. do not issue such certificates, as they would pose a security risk. |
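As an added example (not from the Fortinet article), the following OpenSSL script builds a self-signed CA with Basic Constraints CA:TRUE of the kind the article says SSL inspection requires, builds a plain server certificate as a stand-in for a Let's Encrypt leaf, and checks which role each certificate can play. File names, subjects and the temporary directory are assumed values.

```shell
#!/bin/sh
# Added example, not the article's own procedure. Demonstrates the difference
# between a CA certificate (usable for SSL inspection) and a server
# certificate (what Let's Encrypt issues) using only the openssl CLI.

# Write a minimal OpenSSL config: $1 = path, $2 = CN, $3 = "CA:TRUE"/"CA:FALSE"
write_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
basicConstraints = critical,$3
subjectKeyIdentifier = hash
EOF
  # A CA must be allowed to sign certificates and CRLs; a leaf must not.
  [ "$3" = "CA:TRUE" ] && echo "keyUsage = critical,keyCertSign,cRLSign" >> "$1"
  return 0
}

# Self-signed certificate; $1 = work dir, $2 = basename, $3 = CN, $4 = CA flag
make_cert() {
  write_cnf "$1/$2.cnf" "$3" "$4"
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# CA that a FortiGate could import to re-sign server certificates on the fly
make_inspection_ca() { make_cert "$1" inspect-ca "Example SSL Inspection CA" CA:TRUE; }

# Server (leaf) certificate, the kind Let's Encrypt issues: cannot sign others
make_server_cert() { make_cert "$1" server "www.example.com" CA:FALSE; }

# Print "CA" when Basic Constraints allow certificate signing, else "server"
cert_role() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo CA
  else
    echo server
  fi
}

# Stand-alone usage: generate both certificates into a temp dir and classify them
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  make_inspection_ca "$d"; make_server_cert "$d"
  echo "inspect-ca.crt: $(cert_role "$d/inspect-ca.crt")"   # CA
  echo "server.crt: $(cert_role "$d/server.crt")"           # server
fi
```

The same `cert_role` check, pointed at a downloaded Let's Encrypt certificate, shows why the FortiGate rejects it for inspection: it reports `server`.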

