Bojojo
New Member
October 30, 2025
Question

Fortigate SSL deep inspection

  • October 30, 2025
  • 2 replies
  • 576 views

Hi, if I use a Microsoft Enterprise CA in my domain to issue a SUB CA for Fortigate to do deep inspection, do I need to deploy the SUB CA on the client systems, especially Linux, or do I just need my ROOT CA certificate?

2 replies

AEK
SuperUser
October 30, 2025

Hi Bojojo

If I'm not wrong, for domain joined clients, the sub CA cert should be automatically pushed by AD. This should be the same for Linux if it is domain joined.

Now regarding your question, I may not have the full answer, but I think that if the server (accessed by the client) provides the certificate chain, it "should" be trusted even if the client doesn't have the sub CA cert.


AEK
Bojojo (Author)
New Member
October 30, 2025

Hi AEK,


Thank you for your fast reply!

For Windows it is not a problem, we can do it with GPO at last...

But for Linux it is not so easy, because Ansible is not 100% successful. If you say that every domain-joined computer also gets the subordinate certs, always, that is great, but I read that is not always the case.

But what if I also have non-domain-joined Linux hosts?

The question was: if I have only the ROOT CA on such hosts, is that enough for the chain of trust?
I read that Fortigate can also send the SUB cert to the client, so you don't need the SUB on the clients...

Cajuntank
Contributor III
October 31, 2025

It kind of depends. I know you have only defined the operating system, but in the end, I am assuming the primary application need for this is the browser app of choice. In the past, I have had issues with Safari, for example, by not having the complete trusted chain (so both root and sub CA certificates). Browsers have gotten better at downloading missing intermediates to build a complete chain; however, that is for public CAs. Not sure how that would work with private CAs... but for compatibility, performance, and avoiding errors, I think deploying the full chain would be the best bet.
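
The root-only question raised in AEK's reply and here can be checked on a throwaway chain. The script below is an added example written for this thread (not from any poster, Microsoft or Fortinet): it builds a constructed root -> sub CA -> leaf chain with the openssl CLI, then asks whether a client that trusts only the root can validate the leaf, first with nothing else available and then with the sub CA offered the way a server offers it in the TLS handshake. It assumes the `openssl` command is installed; all names are made up.

```shell
#!/bin/sh
# Added demo, not from the thread: constructed root -> sub CA -> leaf chain that
# mirrors the deployment asked about (enterprise root, sub CA on the FortiGate,
# re-signed leaf for each inspected site). Assumes the openssl CLI is installed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: the only certificate assumed to be in the Linux trust store.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile root.ext -out root.pem >/dev/null 2>&1

# Sub CA issued by the root: what the enterprise CA would hand to the FortiGate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
  -keyout sub.key -out sub.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile sub.ext -out sub.pem >/dev/null 2>&1

# Leaf signed by the sub CA: the re-signed site certificate the client receives.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# verify_leaf TRUSTED [SENT]: exit 0 if leaf.pem chains to a CA in TRUSTED.
# SENT stands in for the intermediate the firewall includes in the handshake:
# passed as -untrusted, it may be used to build the path but is not itself
# trusted, which is exactly the position a server-sent sub CA cert is in.
verify_leaf() {
  if [ "$#" -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
  fi
}

verify_leaf root.pem && echo "root only, nothing sent: trusted" \
  || echo "root only, nothing sent: NOT trusted (issuer of leaf unknown)"
verify_leaf root.pem sub.pem && echo "root only, sub CA sent in handshake: trusted" \
  || echo "root only, sub CA sent in handshake: NOT trusted"
```

The first check fails and the second passes, which is the path-building behaviour a TLS client gets when the firewall sends the sub CA; whether a given client actually uses a server-sent intermediate is up to that client's TLS stack, which is why the full-chain advice above is the safer default.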

Bojojo (Author)
New Member
October 31, 2025

Thank you. We will try to implement SSL inspection only with the Root CA installed on the Linux host and force Forti to send the Sub + leaf. You can expect a response on whether we succeeded or not.