Johan_de_Koning
New Member
May 2, 2017
Question

Fortigate 600D generates SSL warnings on Warning pages.

  • May 2, 2017
  • 2 replies
  • 8812 views

Hiya,

Reproducible setup:

- SSL inspection on.
- Proxy mode on.
- Warning page set on the Cloud category.
- Browser: Chrome 56.

When using the Warning functionality for a category, I get a warning when pressing Proceed to visit the web page.

On IE11 it works fine, but in Google Chrome I get a warning. The certificate it uses is "Fortinet_CA_SSLProxy (CA)"; that one is SHA1 and could be the problem.

However, when signing a new trusted CA certificate with SHA2 and changing it in config user setting to the new SHA2 CA certificate, I still get a warning AND the warning page doesn't even work anymore in IE11.


Certificate error with chain on the standard Fortinet_CA_SSLProxy certificate, which is SHA1:

[Picture]

Certificate error with chain on the new SHA2 certificate:

[Picture]

I would appreciate it if someone could elaborate on this.


------------------------
Config I changed to use the new certificate
-------------------------

config user setting
    set auth-type http https ftp telnet
    set auth-cert ''
    set auth-ca-cert "Fortinet_CA_SSLProxy"   -> changed to the new SHA2 CA certificate
end

---------


    2 replies

    Eric_Xavier1
    New Member
    May 4, 2017
    Hello,

    See if this link can help you: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37095

    Regards,
    Eric Xavier
    Analyst, Telecom and Networking
    eric.xavier@nct.com.br
    hmtay_FTNT
    Staff
    May 4, 2017

    Hello Johan,


    In your first case, you have the chain correct: FortiGate CA -> 162.125.65.1.

    In your second case, the error shows that it is not able to form the chain. Did you import the new trusted CA certificate into the system?

    >> ------------------------
    >> Config I changed to use the new certificate
    >> -------------------------
    >> config user setting
    >>     set auth-type http https ftp telnet
    >>     set auth-cert ''
    >>     set auth-ca-cert "Fortinet_CA_SSLProxy"   -> changed to the new SHA2 CA certificate
    >> ---------

    If you are trying to use the new certificate to do a man-in-the-middle, the configuration to modify is at "config firewall ssl-ssh-profile", "edit deep-inspection". That is where the certificate used to intercept the SSL sessions is set.


    I hope I understood your problem correctly!

    HoMing

    Johan_de_Koning
    New Member
    May 8, 2017

    Thanks, and I think both of you are wrong.

    This is not the Deep Inspection certificate we are talking about; it's the user authentication certificate used by the captive portal to show a warning page.

    I consulted my technical consultant and we tried several configurations, but all keep pointing to the built-in FortiGate CA when it generates the blob page after clicking Proceed, even after following this KB to the letter: http://kb.fortinet.com/kb....do?externalID=FD37342

    Seems like a bug; he is checking whether we can open a case with Fortinet or if we need to upgrade to 5.4, since the built-in certificate is renewed with a SHA2 one and the problem should be resolved.
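Two things raised in this thread can be checked offline with nothing but the openssl command line: which digest a certificate was signed with (the poster's point that Fortinet_CA_SSLProxy is SHA1) and whether a given CA file actually completes the chain for a leaf (hmtay_FTNT's "not able to form the chain"). The script below is an added example for this page, not code from the thread or from Fortinet. It builds its own throwaway SHA-1-signed and SHA-256-signed CAs in a temp directory, issues a leaf from the SHA-256 one, and then runs both checks; the CA names and the 162.125.65.1 leaf name are constructed stand-ins for the certificates discussed above.

```shell
#!/bin/sh
# Added example (not from the thread): generate a SHA-1-signed and a SHA-256-signed
# CA plus a leaf, then show (a) how to read the signature digest of a certificate
# and (b) how to test whether a leaf chains to a given CA file.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

SUBJ_CA1="/CN=Example SHA1 SSLProxy CA"   # constructed name, stand-in for the stock CA
SUBJ_CA2="/CN=Example SHA2 SSLProxy CA"   # constructed name, stand-in for the new CA

# Self-signed CA with a SHA-1 signature. Some hardened OpenSSL builds refuse to
# sign with SHA-1 at all; the caller tolerates that so the rest still runs.
make_sha1_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 30 \
        -subj "$SUBJ_CA1" -keyout "$WORK/ca1.key" -out "$WORK/ca1.pem" 2>/dev/null
}

# Self-signed CA with a SHA-256 signature (the replacement the poster tried).
make_sha2_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "$SUBJ_CA2" -keyout "$WORK/ca2.key" -out "$WORK/ca2.pem" 2>/dev/null
}

# Leaf signed by the SHA-256 CA, standing in for the certificate an intercepting
# proxy mints for a site (the thread's example host is 162.125.65.1).
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=162.125.65.1" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca2.pem" -CAkey "$WORK/ca2.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Print the signature algorithm of a PEM certificate, e.g. "sha1WithRSAEncryption"
# or "sha256WithRSAEncryption" (first match; -text prints it twice).
sig_alg() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Exit 0 when the leaf ($2) chains to the CA file ($1), non-zero otherwise.
# This is the offline equivalent of the browser's "cannot form a chain" error.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_sha2_ca
make_leaf
if make_sha1_ca; then
    echo "ca1.pem signed with:  $(sig_alg "$WORK/ca1.pem")"
else
    echo "this OpenSSL build refused to create a SHA-1 signature"
fi
echo "ca2.pem signed with:  $(sig_alg "$WORK/ca2.pem")"
echo "leaf.pem signed with: $(sig_alg "$WORK/leaf.pem")"

if chain_ok "$WORK/ca2.pem" "$WORK/leaf.pem"; then
    echo "leaf -> ca2: chain OK"
fi
if ! chain_ok "$WORK/ca1.pem" "$WORK/leaf.pem"; then
    echo "leaf -> ca1: chain FAILS (issuer not in the trusted CA file)"
fi
```

Against a real FortiGate the same two functions apply to the chain the box actually presents: capture it from the warning page with `openssl s_client -connect <host>:443 -showcerts`, save the leaf and any intermediate to PEM files, and run `sig_alg` on each and `chain_ok` with the CA you believe is configured. If `chain_ok` fails against the new SHA2 CA but succeeds against the exported Fortinet_CA_SSLProxy, the unit is still signing with the built-in CA, which is what the final post above reports.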