Skip to main content
AtiT
AtiT
New Member
August 23, 2013
Question

How to enable 3rd party SSL certificate and CA certificate?

  • August 23, 2013
  • 3 replies
  • 10264 views
Hi, I have a little problem and I don' t know what I' m doing wrong. I have a user(local) certificate and CA certificate from customer. I uploaded them to the FTG. What I need to enable them. The customer has a web server behind the FTG with HTTPS access. I need to allow the CA certificate. When a client open the HTTPS site it gives him the FTG built in certificate. The second is that I also need to change the default Fortinet_CA_SSLProxy certificate for the customer' s one. Here is the problem: the certificates: THP_LAB # get vpn certificate ca == [ Fortinet_CA ] name: Fortinet_CA == [ Fortinet_CA2 ] name: Fortinet_CA2 == [ PositiveSSL_CA ] name: PositiveSSL_CA == [ CA_Cert_2 ] name: CA_Cert_2 THP_LAB # get vpn certificate local == [ Fortinet_Factory ] name: Fortinet_Factory == [ Fortinet_Factory2 ] name: Fortinet_Factory2 == [ Fortinet_Firmware ] name: Fortinet_Firmware == [ Fortinet_CA_SSLProxy ] name: Fortinet_CA_SSLProxy == [ Fortinet_Wifi ] name: Fortinet_Wifi == [ cert ] name: cert THP_LAB # get firewall ssl setting caname : Fortinet_CA_SSLProxy cert-cache-capacity : 100 cert-cache-timeout : 10 no-matching-cipher-action: bypass proxy-connect-timeout: 30 session-cache-capacity: 500 session-cache-timeout: 20 ssl-dh-bits : 1024 ssl-max-version : tls-1.0 ssl-min-version : ssl-3.0 ssl-send-empty-frags: enable THP_LAB (setting) # set caname Available Certificates: Fortinet_CA_SSLProxy Fortinet_CA_SSLProxy THP_LAB (setting) # -------- where is the imported certificate? I cannot choose it. Where is the certificate for the server? Where I can enable it? The system global settings enables me to set something but it not helped: THP_LAB # get sys glob admin-server-cert : cert auth-cert : cert user-server-cert : cert wifi-ca-certificate : PositiveSSL_CA wifi-certificate : Fortinet_Wifi THP_LAB # Only when I am loging into the FTG i can see the assigned certificate - " admin-server-cer" works but nothing else, everywhere I can see the FTG default certificate. v4.3.12 Any ideas?

    3 replies

    Faulty_Male
    Faulty_Male
    New Member
    August 29, 2013
    I have the same issue on 5.0.4 we can see the cert is uploaded but then we try to use it under SSL/SSH inspection it is not there. I have raised a ticket with Fortinet TAC for v5.0.4
    Bromont_FTNT
    Staff
    Bromont_FTNT
    Staff
    August 29, 2013
    For access to the server behind the Fortigate you should be using the Fortigate load balance feature (you can use this even if you only have 1 real server) you' ll then set up SSL offloading where you can choose the server certificate. For the SSL proxy certificate for Deep Inspection you' ll need a key signing certificate which you will need to generate yourself (no CA will issue one of those), in a domain environment your best bet is to issue the certificate from your domain controller, domain member PCs will trust this cert.
    AtiT
    AtiTAuthor
    New Member
    September 3, 2013
    Hi, Faulty_Male - The customer has older version of OS but I tested it in the LAB and it is the same for me, the version 5.0.4 probably has a bug. Bromont - maybe it works I didn' t try it. However the docuenatiton doesn' t say anything about to use load ballancing when I want to enable certificates. I have all the certificates installed but cannot enable them. But probably the customer sent " wrong" certificates because another customer just sent me certificate for SSL inspection (local certificate) and I could enable it and it' s working. I don' t know where is the problem.
    Bromont_FTNT
    Staff
    Bromont_FTNT
    Staff
    September 3, 2013
    For SSL inspection you need a key signing certificate, this is required in order to do the man-in-the-middle attack and inspect the traffic. A regular SSL server certificate like you have for your website will not work. A CA won' t issue you this type of certificate, you' ll need to generate your own with OpenSSL or on your domain controller. To inspect traffic on a web server behind the Fortigate you should be using the SSL offloading feature found in the load balancing section of the Fortigate. With this the Fortigate presents the actual certificate to clients and won' t need to do the man-in-the-middle attack as traffic passes through.
    AtiT
    AtiTAuthor
    New Member
    September 4, 2013
    Interesting... I will try it in the LAB. Thanks!
    Terms & ConditionsAccessibility statement