Faulty_Male
New Member
August 14, 2013
Question

Certificate Problems with SSL/SSH Inspection

We are currently running a pair of FG100c's in AA HA mode with multiple VDOMs. We are currently running v5.4. We are having problems with HTTPS traffic: when we enable SSH/SSL inspection, all https sites come up with a certificate error. It has been mentioned on the forums that the way around this is to install the Fortinet cert on every machine; however, this is not possible with our setup. When we were on v4.x we installed our own public cert and used this without problem; however, under SSL/SSH inspection there is only the option to select the inbuilt Fortigate certificate. Has anyone else had this issue and is there any fix? Any help would be great.


    vanc
    New Member
    August 14, 2013
    If you enable deep inspection, you have to face the certificate issue. The only way FGT can inspect SSL/SSH sessions is to replace the server certificates with its own, so that it can intercept the key exchange process. You can buy properly signed certificates from well established CAs, such as VeriSign, or you can create self signed certificates. Either way, you have to install the new certificates on your PCs. If you cannot do that, you have to either let users face certificate errors, or disable the deep inspection altogether.
    Faulty_Male
    New Member
    August 15, 2013
    We already have a certificate which has been installed and works correctly for the administration login (to stop the certificate error). However, we do not get the option to select this certificate under the SSL/SSH Inspection section. If we could select our own certificate, I suspect this would solve the issue. On v4.x we enabled our certificate globally via the CLI; however, there does not seem to be this option in 5.4.
    Faulty_Male
    New Member
    August 16, 2013
    Is there any way to do https web filtering without SSL/SSH inspection like we could on v4.x?
    Dipen
    New Member
    August 29, 2013
    Hi, doesn't work for me even on Ver 4.3.x. How were you working with HTTPS filtering on 4.3.x? Please guide.
    Faulty_Male
    New Member
    August 29, 2013
    Just tick the HTTPS scanning option under the web filter profile.
    Faulty_Male
    New Member
    August 29, 2013
    I can get this working using the Fortinet certificate, but when I import our own certificate there is only the Fortinet certificate in the drop-down box, so I cannot select our own one. I have logged a ticket with support and asked for this to be raised as a bug.
    Maik
    New Member
    August 29, 2013
    There are different certificates for different purposes / roles. What a certificate's purpose is, is defined as "key usage". For SSL inspection, the Fortigate generates on the fly a new certificate for the website. Generating new certificates is the role of a CA. To replace the Fortigate default certificate you need to import a CA type certificate. Making the address bar "green" when you visit your Fortigate admin GUI is a different key usage (Server Authentication). This certificate has been issued by a CA.
    Bromont_FTNT
    Staff
    August 29, 2013
    I would be very surprised if a CA issued anyone a key signing certificate, and if they did I would think the major browsers would revoke that CA from the browser store. The best option for PCs in a domain environment is to issue a key signing certificate from your domain controller and use that on the Fortigate for SSL deep inspection. Domain member PCs will trust this certificate; IE and Chrome would not give warnings, but Firefox still will.
    Bromont_FTNT
    Staff
    September 11, 2013
    Yes, the certificate should show up under local certificates... and if it's a key signing cert then you should be able to choose it as the CA certificate under the SSL inspection options.
    theXfactor82
    New Member
    September 11, 2013
    Has Fortinet gotten back to you on the issue with not being able to select it within the SSL inspection options?
    Bromont_FTNT
    Staff
    September 11, 2013
    If the certificate you import is a server certificate then it won't show up in the SSL inspection options... You must use a key signing certificate; look at the extensions and see if CA:TRUE or cert signing is present.
    pchechani_FTNT
    Staff
    September 11, 2013
    Until your certificate has the extensions like below, it will not show up in the SSL/SSH list:
        Extension Name: X509v3 Basic Constraints
        Critical: no
        Content: CA:TRUE ==> this is required when you order or create your own certificate.
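    A way to run that extension check on a certificate before uploading it, as an added example that is not code from this thread or from Fortinet: a small stdlib-only DER walker that reports whether a cert carries Basic Constraints CA:TRUE and, if a Key Usage extension is present, the keyCertSign bit. The two sample inputs are constructed extension blocks, not real certificates; a real PEM file can be fed in as `is_inspection_ca(ssl.PEM_cert_to_DER_cert(pem_text))`.

```python
# Added example: does an X.509 cert carry the CA extensions that SSL/SSH deep inspection needs?
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # id-ce 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")           # id-ce 2.5.29.15
KEY_CERT_SIGN_BIT = 5                             # RFC 5280 KeyUsage bit index
def der_tlv(buf, pos=0):                          # decode one DER tag-length-value at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def find_extensions(der):                         # recursive walk: {oid: extnValue} for id-ce extensions
    found, pos = {}, 0
    while pos < len(der):
        tag, value, pos = der_tlv(der, pos)
        if not (tag & 0x20) or not value:         # primitive or empty node: nothing inside
            continue
        t, oid, nxt = der_tlv(value)              # Extension ::= SEQUENCE { OID, critical?, OCTET STRING }
        if t == 0x06 and oid.startswith(b"\x55\x1d"):
            t, v, nxt = der_tlv(value, nxt)
            if t == 0x01:                         # skip the optional BOOLEAN critical
                t, v, nxt = der_tlv(value, nxt)
            found[oid] = v                        # the OCTET STRING contents (inner DER)
        else:
            found.update(find_extensions(value))
    return found
def basic_constraints_ca(ext_value):              # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
    _, seq, _ = der_tlv(ext_value)
    return bool(seq) and der_tlv(seq)[:2] == (0x01, b"\xff")   # DER omits a FALSE default
def key_usage_has(ext_value, bit):                # BIT STRING: byte 0 = unused-bit count, bit 0 = MSB
    _, bits, _ = der_tlv(ext_value)
    byte, off = divmod(bit, 8)
    return byte + 1 < len(bits) and bool(bits[byte + 1] & (0x80 >> off))
def is_inspection_ca(der_cert):                   # may this cert sign the per-site certs the FortiGate mints?
    exts = find_extensions(der_cert)
    bc, ku = exts.get(OID_BASIC_CONSTRAINTS), exts.get(OID_KEY_USAGE)
    may_sign = ku is None or key_usage_has(ku, KEY_CERT_SIGN_BIT)   # absent KU = unrestricted
    return bc is not None and basic_constraints_ca(bc) and may_sign

# Constructed samples (not real certificates): just the [3] extensions block of a TBSCertificate.
def der(tag, payload):                            # tiny encoder, short-form lengths only
    return bytes([tag, len(payload)]) + payload
def extension(oid, value, critical):
    return der(0x30, der(0x06, oid) + (der(0x01, b"\xff") if critical else b"") + der(0x04, value))
SIGNING_CA_EXTS = der(0xA3, der(0x30,             # CA:TRUE + keyCertSign, cRLSign
    extension(OID_BASIC_CONSTRAINTS, der(0x30, der(0x01, b"\xff")), True)
    + extension(OID_KEY_USAGE, der(0x03, b"\x01\x06"), True)))
SERVER_CERT_EXTS = der(0xA3, der(0x30,            # CA:FALSE + digitalSignature, keyEncipherment
    extension(OID_BASIC_CONSTRAINTS, der(0x30, b""), False)
    + extension(OID_KEY_USAGE, der(0x03, b"\x05\xa0"), True)))
```

    The server-authentication cert from the admin GUI comes back False because its Basic Constraints is the empty SEQUENCE (CA:FALSE) and its Key Usage lacks keyCertSign, which is exactly why it never appears in the SSL/SSH inspection list.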
    theXfactor82
    New Member
    September 12, 2013
    CA:TRUE on my cert. It's working on our Production 1240B running 4.3.12, but I'm trying to put it on a Dev Lab 100D running 5.0.4 and it won't show up.
    Bromont_FTNT
    Staff
    September 12, 2013
    Xfactor... when you upload it, it says it uploaded successfully, but then do you see it in the local certificates? System ----> Certificates ----> Local Certificates
    theXfactor82
    New Member
    September 12, 2013
    Bromont... correct. It says it uploaded successfully but is nowhere to be found. I copied the cert off my domain controller in .p12 format. After using OpenSSL I have two files: one is a .crt, the other a .key.
    theXfactor82
    New Member
    September 12, 2013
    Also wanted to point out that these two files uploaded successfully to our Prod 3240C running 4.3.12 but not to the Dev 100D running 5.0.4. I'm thinking it's something to do with the new firmware.