Description
This article describes how FortiGate products support SSL inspection and why the CA certificate used for SSL inspection should be unique to each FortiGate deployment. Because the factory default CA certificate and its private key are the same on every device, a CA shared across installations lets an attacker holding that key mount man-in-the-middle attacks against clients that trust it; the Mitre Corporation recorded this as CVE-2012-4948.
Scope
FortiGate.
Solution
To regenerate the default SSL inspection CA certificate, execute the following command. It generates a new key pair and self-signed CA certificate on the device itself, which guarantees that the Fortinet_CA_SSL (Fortinet_CA_SSLProxy on older releases) CA certificate is unique to this FortiGate. Note that clients which already trust the previous CA will receive certificate warnings on inspected sessions until the regenerated CA is distributed to them.
FortiGate # exec vpn certificate local generate default-ssl-ca
Once completed, the certificate details can be displayed with 'get'. The regenerated certificate is stored as a local certificate (config vpn certificate local, entry Fortinet_CA_SSL); its 'Valid from' date and 'Fingerprint' will differ from the values recorded before regeneration, which is the check that the CA is now device-specific. The 'get' output has the same layout for entries in the CA store, as shown here for Fortinet_CA:
FortiGate # config vpn certificate ca
FortiGate (ca) # edit Fortinet_CA
FortiGate (Fortinet_CA) # get
name : Fortinet_CA
ca :
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-ca2, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-ca2, emailAddress = support@fortinet.com
Valid from: 2016-06-06 20:27:39 GMT
Valid to: 2056-05-27 20:27:39 GMT
Fingerprint: 40:AF:CC:2D:08:D5:E7:51:57:FE:E3:EB:EF:73:E0:A9:0E:04:00:56:3D:6F:94:0C:5E:BE:E8:0D:D4:FF:54:05
Root CA: Yes
Version: 3
Serial Num:
00
Extensions:
Name: X509v3 Subject Key Identifier
Critical: no
Content:
A3:31:AF:A3:48:EE:A1:E2:5F:B1:F2:FD:D6:FB:41:48:50:1B:3A:75
Name: X509v3 Authority Key Identifier
Critical: no
Content:
A3:31:AF:A3:48:EE:A1:E2:5F:B1:F2:FD:D6:FB:41:48:50:1B:3A:75
Name: X509v3 Basic Constraints
Critical: yes
Content:
CA:TRUE
Name: X509v3 Key Usage
Critical: yes
Content:
Digital Signature, Certificate Sign, CRL Sign
range : global
source : factory
ssl-inspection-trusted: enable
scep-url :
est-url :
source-ip : 0.0.0.0
ca-identifier :
Another solution is to import the organization's own CA certificate into FortiOS and use it for SSL inspection. The steps to create and import a CA certificate for deep packet inspection from a Microsoft CA are described in the article "Microsoft CA deep packet inspection". In current FortiOS releases, the CA certificate is selected per SSL/SSH inspection profile:
config firewall ssl-ssh-profile
edit "web"
set caname <CA-certificate-name>
next
end
In older FortiOS releases, multiple CA certificates could be configured, one per proxy options profile:
config firewall deep-inspection-options
edit "web"
set caname <CA-certificate-name>
next
end
In the oldest releases, one CA certificate is used for all inspected traffic:
config firewall ssl setting
set caname <CA-certificate-name>
end
The Fortinet_CA_SSL certificate must be deployed to client browsers (or the operating system trust store) as a trusted certificate authority; otherwise every inspected HTTPS session triggers a certificate warning. Only the certificate is exported, not the private key. It can be exported to a remote TFTP server with the following CLI command:
exec vpn certificate local export tftp Fortinet_CA_SSL Fortinet_CA_SSL.cer 192.168.1.1
It is also exportable from the local certificates GUI menu. If 'Certificates' is not shown in the GUI, enable it under System -> Feature Visibility -> Certificates.
The FortiGate CA certificate used for SSL inspection can then be imported into any browser from the Fortinet_CA_SSL.cer file; the import procedure is described in the browser's own help documentation.
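A fleet check for the uniqueness requirement, as an added example that uses openssl and is not part of the Fortinet article: given a directory containing the CA certificate exported from each FortiGate (the Fortinet_CA_SSL.cer file produced by the export command above, one per device), it confirms each file is a CA certificate and reports any fingerprint shared by more than one device, which is exactly the condition behind CVE-2012-4948. The helper make_test_ca builds throw-away self-signed CAs as constructed stand-ins for the exported files; the directory layout, file names and certificate subject are assumptions.

```shell
#!/bin/sh
# Added example, not Fortinet code. Requires openssl. Verifies that a set of
# SSL inspection CA certificates exported from several FortiGates are all
# distinct (no two devices share the same CA / private key).
set -eu

# Print the SHA-256 fingerprint (hex with colons) of a certificate file.
fingerprint_of() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeed only if the certificate carries Basic Constraints CA:TRUE,
# i.e. it is a CA and can actually sign the forged server certificates
# the FortiGate presents to clients.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Print every fingerprint that appears on more than one *.cer file in
# directory $1. Empty output means every device has its own CA.
duplicate_fingerprints() {
    for f in "$1"/*.cer; do
        fingerprint_of "$f"
    done | sort | uniq -d
}

# Constructed test data: a self-signed CA standing in for an exported
# Fortinet_CA_SSL.cer. Each call generates a fresh key, so two calls give
# two different CAs, just as regeneration does on two devices.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj '/C=US/O=Example Corp/OU=SSL Inspection/CN=FGT-example-SSL-CA' \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demonstration: device B was cloned from device A's configuration before
# regeneration, so the two share a CA; device C regenerated its CA.
main() {
    dir=$(mktemp -d)
    make_test_ca "$dir/fgt-a.cer"
    cp "$dir/fgt-a.cer" "$dir/fgt-b.cer"
    make_test_ca "$dir/fgt-c.cer"
    for f in "$dir"/*.cer; do
        is_ca_cert "$f" || { echo "not a CA certificate: $f"; exit 1; }
    done
    dups=$(duplicate_fingerprints "$dir")
    if [ -n "$dups" ]; then
        echo "shared SSL inspection CA detected (regenerate on each device):"
        echo "$dups"
    else
        echo "all exported CAs are unique"
    fi
    rm -rf "$dir"
}

main "$@"
```

Run it once before and once after regenerating the CA on each device; a non-empty duplicate list means at least two FortiGates still share the factory default key.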
Note: Since FortiOS 5.4, 'Fortinet_CA_SSLProxy' has been replaced by 'Fortinet_CA_SSL'. Where a configuration has been carried forward from an earlier FortiOS version, the certificate named 'Fortinet_CA_SSLProxy' will eventually expire, as it was issued with 10 years of validity. On newer versions the regenerate command creates the certificate under the name 'Fortinet_CA_SSL', and the old certificate remains listed in expired status. Delete the expired certificate and continue with the new one, remembering to redistribute the new CA to clients.