Technical Tip: SSL inspection on multiple FortiGates using the same certificate (OpenSSL method)
Description
It is common to want multiple FortiGates to use the same certificate in their SSL Inspection profiles, so that network administrators only have to manage and import one certificate into their users' web browsers.
This article explains an efficient way to do this using OpenSSL.
Scope
Solution
To have a private CA issue the FortiGates an intermediate CA certificate:
1. Download and install OpenSSL for the operating system.
2. Generate an RSA private key using OpenSSL:
openssl.exe genrsa -out private.key 2048
Note: the private key file generated above must be kept secure. Anyone who obtains this private key can impersonate the FortiGate.
3. Generate a certificate signing request (CSR) using this private key.
4. Submit this CSR to be signed by the private certificate authority (CA) of choice.
When the private CA signs this CSR, it must issue the new certificate as an intermediate CA of the private CA, not as an end-entity certificate.
If this has been done correctly, viewing the certificate details (for example with openssl x509 -in <certificate> -noout -text) will show X509v3 Key Usage: Certificate Sign and X509v3 Basic Constraints: CA:TRUE.
Commonly, network administrators use FortiAuthenticator or Active Directory Certificate Services on the Windows Domain Controller to sign this CSR.
A public CA (GoDaddy, VeriSign, etc.) will never issue an intermediate CA certificate that can be used for SSL inspection; they are contractually prohibited from doing so.
5. Import both the certificate from Step 4 and the private key from Step 2 into all desired FortiGates by navigating to the Certificates section in the web GUI and selecting Import -> Local Certificate -> Type: Certificate.
6. In the SSL Inspection profile(s), select the newly imported certificate as the CA certificate for the profile.
Alternatively, the certificate shared by the FortiGates can itself be a self-signed root CA instead of an intermediate CA:
1. Download and install OpenSSL for the operating system.
2. Generate an RSA private key using OpenSSL:
openssl.exe genrsa -out private.key 2048
Note: the private key file generated above must be kept secure. Anyone who obtains this private key can impersonate the FortiGate.
3. Generate a self-signed root CA certificate using this private key.
4. Import both the certificate from Step 3 and the private key from Step 2 into all desired FortiGates by navigating to the Certificates section in the web GUI and selecting Import -> Local Certificate -> Type: Certificate.
5. In the SSL Inspection profile(s), select the newly imported certificate as the CA certificate for the profile.
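The script below is an added example, not part of the Fortinet article: it builds both variants described above (the CSR to hand to a private CA, and the self-signed root CA) from one RSA key and checks the two extensions the article says the certificate must show before it is imported. The scratch directory, file names and certificate subject are assumptions.

```shell
#!/bin/sh
# Added example, not from the Fortinet article. Builds both variants described above
# (a CSR for the private CA, or a self-signed root CA) and checks the extensions the
# article says the signed certificate must show. Paths and the subject are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"                            # scratch directory (assumption)
SUBJ="/C=US/O=Example Corp/CN=Example SSL Inspection CA" # constructed subject

# Step 2 of both procedures: the RSA private key (the article's command, minus .exe).
gen_key() {
  openssl genrsa -out "$WORK/private.key" 2048 2>/dev/null
  chmod 600 "$WORK/private.key"   # whoever reads this file can impersonate the FortiGate
}

# First procedure, step 3: the CSR handed to the private CA for signing as an intermediate CA.
gen_csr() {
  openssl req -new -key "$WORK/private.key" -subj "$SUBJ" -out "$WORK/inspection.csr"
}

# Second procedure, step 3: a self-signed root CA, with the CA extensions set explicitly
# so the result does not depend on the OpenSSL version's defaults.
gen_root_ca() {
  openssl req -x509 -new -key "$WORK/private.key" -subj "$SUBJ" -days 3650 \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -out "$WORK/root-ca.crt"
}

# The check from the article: certificate details must show CA:TRUE and Certificate Sign.
# Returns 0 when both are present, 1 otherwise (e.g. the CA issued a plain server cert).
check_ca_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q "CA:TRUE" || return 1
  echo "$text" | grep -q "Certificate Sign" || return 1
}

# Negative case: an end-entity certificate, which the FortiGate could not use for inspection.
gen_leaf_cert() {
  openssl req -x509 -new -key "$WORK/private.key" -subj "$SUBJ" -days 365 \
    -addext "basicConstraints=critical,CA:FALSE" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -out "$WORK/leaf.crt"
}

gen_key; gen_csr; gen_root_ca; gen_leaf_cert
check_ca_cert "$WORK/root-ca.crt" && echo "root-ca.crt: usable as SSL inspection CA"
check_ca_cert "$WORK/leaf.crt" || echo "leaf.crt: not a CA certificate, reject it"
```

Run the same check_ca_cert function against the certificate returned by the private CA before importing it; a certificate that fails it was signed as a server certificate rather than an intermediate CA.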
Note that OpenSSL is a third-party tool and, while helpful, it is not supported by Fortinet.
Related articles:
- Technical Tip: Extract a Private Key and Public Certificate from a FortiGate/FortiWiFi configuration
- Technical Tip: Moving or copying a Certificate and its Private Key to another FortiGate or FortiWiFi
- Technical Tip: How to avoid certificate error message by chaining Root CA and Intermediate CA certificates on FortiGate
