DavidMcQueenLPS
New Member
July 9, 2019
Replace Fortigate Certificate for Explicit Proxy (6.03)

I found a cookbook article for 5.2 but that doesn't hold for 6.03.

https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-security-profiles-52/Other_Profile_Considerations/SSL%20content%20scanning%20and%20inspection.htm

We are trying to transition from a Squid-based man-in-the-middle filter system to the Fortigate. We do not want to install the Fortigate cert on all the machines, since we already have one installed and working. We'd much rather make that one the signer on the Fortigate.


    hubertzw
    New Member
    July 10, 2019

    You can use an internal certificate authority; on the FGT you need to generate a CSR and then issue a certificate (template "Subordinate Certification Authority").

    DavidMcQueenLPS
    New Member
    July 10, 2019

    I have the certificate installed and being used for SSL Deep Packet Inspection, and it is working great there. The explicit proxy does not use this one, and I cannot seem to locate how, in 6.03, to point it to this cert.

    hubertzw
    New Member
    July 10, 2019

    In the proxy policy you have Security Profiles, as with Firewall Policies. Set the profile with the correct cert.

    DavidMcQueenLPS
    New Member
    July 10, 2019

    Proxy Options:

    DavidMcQueenLPS
    New Member
    July 10, 2019

    SSL/SSH Inspection Profile:

    DavidMcQueenLPS
    New Member
    July 11, 2019

    So I ended up opening a support ticket for this issue.

    The engineer noticed something that should not be possible. In the Proxy Policy the service was not set. I say that this is not possible, because that is a required field. When the engineer was changing the Logging options, it errored on that field until it was set.

    So all is functioning. Still not sure why I was getting the Fortigate's self-signed cert, but problem solved.

    hubertzw
    New Member
    July 11, 2019

    Thanks for the update!

    JanW
    New Member
    February 2, 2024

    I know this is an old topic, but in case somebody has the same problem and finds this article:
    The setting is under "config web-proxy global". There are two settings:
        set ssl-cert "Fortinet_Factory"
        set ssl-ca-cert "Fortinet_CA_SSL"
    I have changed the last one and it worked as expected (FGT v7.4.2).
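A client-side way to confirm which CA the explicit proxy is actually re-signing with after changing ssl-ca-cert (the symptom in the thread was the FortiGate's own certificate showing up). This is an added example, not code from the thread or from Fortinet; the proxy address, port 8080, the CA file path and the expected issuer CN are placeholders to replace with your own values.

```python
"""Tunnel through the explicit proxy, complete a TLS handshake to a target,
and report the issuer of the leaf certificate the proxy presents.

With deep inspection on, the issuer should be the CA named in
'set ssl-ca-cert' (your imported internal CA), not the factory default.
"""
import socket
import ssl
import sys


def build_connect(host: str, port: int) -> bytes:
    """HTTP CONNECT request asking the explicit proxy to open a tunnel."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()


def connect_status(response: bytes) -> int:
    """Status code from the proxy's reply to CONNECT (200 = tunnel open)."""
    status_line = response.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {status_line!r}")
    return int(parts[1])


def issuer_cn(cert: dict) -> str:
    """Issuer commonName from an ssl.getpeercert() dict, '' if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def presented_issuer(proxy_host, proxy_port, target, cafile, expected_cn):
    """Return (issuer CN, True) if the cert chains to cafile, else (None, False)."""
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        raw.sendall(build_connect(target, 443))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = raw.recv(4096)
            if not chunk:
                break
            reply += chunk
        if connect_status(reply) != 200:
            raise RuntimeError(f"proxy refused tunnel: {reply[:80]!r}")
        ctx = ssl.create_default_context(cafile=cafile)  # trust only the internal CA
        try:
            with ctx.wrap_socket(raw, server_hostname=target) as tls:
                cn = issuer_cn(tls.getpeercert())
        except ssl.SSLCertVerificationError:
            return None, False  # presented cert is signed by some other CA
    return cn, cn == expected_cn


if __name__ == "__main__":
    # placeholders: python3 check.py 10.0.0.1:8080 example.com internal-ca.pem "Internal CA"
    proxy, target, cafile, expected = sys.argv[1:5]
    host, port = proxy.rsplit(":", 1)
    print(presented_issuer(host, int(port), target, cafile, expected))
```

If the result is (None, False), the proxy is still signing with a CA other than the one in your PEM file, which is exactly the state the original poster saw.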