zwilson50
New Member
November 18, 2016
Question

Certificate Help - FortiGate 600D

We need to purchase a public certificate for our FG 600D for IPS. We normally purchase our certs from GoDaddy and I am wondering if the standard one website license is appropriate or if the UCC certificate is appropriate to support other services of our FortiGate device?

Thanks for the help,

Zach

    1 reply

    kallbrandt
    New Member
    November 20, 2016

    Hello,

    Are you talking about a certificate for MITM SSL-termination between clients <--> server in order to be able to do IPS/AV scanning on encrypted traffic? In that case, that will not work. You can't buy the issuer/sub-CA cert needed by the FortiGate in order to be able to create new certificates. You'll need your own PKI structure, with a CA-cert that is trusted by all clients. The FortiGate needs to be a sub-CA since it will terminate the session and pose as the client, then bake a new certificate based on its own issuer-certificate and the answer from the webserver, then present the new certificate to the client, which won't notice anything at all IF it trusts the root CA.

    Or do you need the certificate for the reverse proxy function to an internal webserver? That will work (if you run 5.2.8 and up). Buy a wildcard if doing it for a lot of web servers in the same domain.
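
Added example, not part of the original thread: the reply's first point, reproduced with the OpenSSL CLI. A constructed lab root stands in for the CA that clients trust; the script issues a sub-CA certificate (CA:TRUE) and an ordinary server certificate (CA:FALSE, the kind a public CA sells), re-signs a site certificate with each, and validates the result as a client that trusts only the root. All certificate names, host names and file names are made up for the example.

```shell
#!/usr/bin/env bash
# Constructed lab PKI; every name below is made up for the example.
set -eu
LAB=$(mktemp -d)
cd "$LAB"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = req
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# issue NAME CN EXTSECTION ISSUER: new key + CSR for NAME, signed by ISSUER with EXTSECTION
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
    -extfile pki.cnf -extensions "$3" -days 30 -out "$1.crt" 2>/dev/null
}

# Root CA that every client trusts (stands in for your own root and for a public CA).
openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions ca \
  -keyout root.key -out root.crt -subj "/CN=Lab Root CA" -days 30 2>/dev/null

issue subca  "Lab Inspection Sub-CA" ca   root   # what the firewall needs for inspection
issue bought "vpn.example.test"      leaf root   # what a purchased server cert looks like

# client_accepts ISSUER: re-sign a certificate for a visited site with ISSUER,
# then validate it the way a client that trusts only root.crt would.
client_accepts() {
  issue "site-$1" "www.example.test" leaf "$1" || return 1
  openssl verify -CAfile root.crt -untrusted "$1.crt" "site-$1.crt" 2>&1 | grep -q ': OK$'
}

for issuer in subca bought; do
  if client_accepts "$issuer"; then echo "$issuer: re-signed cert accepted"
  else echo "$issuer: re-signed cert rejected"; fi
done
```

Only the sub-CA case validates: path validation rejects anything issued under the purchased-style certificate because its basicConstraints and keyUsage say it is not a CA.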