ede_pfau
SuperUser
June 10, 2010
Question

install CA certificate to use with SSL inspection

  • 7 replies
  • 14578 views
Hi all, I am working on this for quite some time now. Maybe you can shed some light on this. As soon as I touch one of the "s"-protocols in a protection profile (imaps, pop3s etc.) FortiOS installs an SSL proxy. Now when a client contacts an external mailserver (policy internal -> wan with this protection profile) the Fortigate sees the mailserver's certificate and hands it down to the client BUT changes the "issuer" field to "Fortigate Inc.". This triggers a warning in the user's mail client. Technically it uses the built-in "Fortinet_CA_SSLProxy" cert. OK, I do have an official certificate. I uploaded it and tried installing it using "conf firewall ssl setting", "set caname mycert", but that was not possible as only the built-in cert is given as selectable. When I look at the local, uploaded certs I see that only some bear the line "CA: true". My own cert "mycert" shows "CA: false". Did I do something wrong while importing it? How do you fix this issue with your Fortigate?


    SECCON1MC
    New Member
    June 10, 2010
    Ede - The way that it is supposed to be configured as I recall is to import the Fortinet_CA_SSLProxy cert into your browser. Once it is trusted by your machine you will no longer receive the error message. For larger roll-outs you should be able to use GPO to get the cert into all of the machines on the network. I am trying to dig up the documentation for this and will post it in here if I can find it.
    ejhardin
    New Member
    June 10, 2010
    You can create your own SSL CA or use the following recent article to import the Fortinet SSL Cert. http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32404&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=6970929&stateId=0 0 6972728
    ede_pfau (Author)
    SuperUser
    June 11, 2010
    Thanks for your suggestions. But this is not the solution I am looking for, as our users (300-400) distrust the Fortinet CA shown in the cert warning. As the Fortigate has to encrypt the traffic between it and the client it needs a private key. We will never get these for all external mail servers which are in use. So at this point we can only use our own cert and private key, be it self-signed or root CA signed. If I could install our cert the client would still see a cert warning when contacting an external mail server. At least the client would see that it stems from the local firewall if I could use our own cert. The place to go is "conf firewall ssl setting", "set caname <mycert>". So far the theory. At this prompt I cannot select any cert other than "Fortinet_CA_SSLProxy" - all other imported certs don't show up. What am I missing here? If the parameter is configurable I should be able to select an alternative but I can't. Could anybody else try this on his machine, please? Or enlighten me on why I cannot do this...
    edsouza_FTNT
    Staff
    June 12, 2010
    You do know that the SSL proxy on the Fortigate needs to sign every server certificate with a CA certificate. Uploading just your CA certificate will not work. The Fortigate needs the private key of your CA certificate so it can sign every server certificate that it is inspecting. I do not know if you can generate a certificate request on the Fortigate, and then sign that request making it a sub-CA certificate signed by your CA certificate. Then maybe you can upload that to the FortiGate.
    ede_pfau (Author)
    SuperUser
    June 14, 2010
    Will try that out and report back. Thanks.
    ede_pfau (Author)
    SuperUser
    June 15, 2010
    I was able to import a cert and its private key, and then to select it for the "set caname" setting. Viewing the cert, "extensions", it says "CA:true". Do I have to specify anything special when ordering a cert in order to get this parameter set?