Fortiuser
New Member
March 2, 2015
Solved

Root-CA Import for SSL-Inspection

  • March 2, 2015
  • 3 replies
  • 20392 views

Hi all,

We have enabled deep SSL inspection on an FG100D cluster. Everything works fine so far, except full validation of the certificates presented by the remote server. For example, all self-signed certificates on remote servers are accepted by the FortiGate, because there is no issuer validation (try the test on https://filippo.io/Badfish/). I found the CLI setting "ssl-ca-list", which should solve this problem by verifying server certificates against the stored CA certificate list in the FortiGate. But how can I import ANY trusted root CA certs into the FortiGate, like browsers have? Is it possible to import a "trusted root CA package" or something like that? Thank you!

Best answer by Jeff_FTNT


3 replies

Shawn_W
New Member
March 17, 2015

any update?

Jeff_FTNT
Staff
March 17, 2015

Yes, you can import CA from GUI:Certificates->CA Certificates, thanks.

Fortiuser (Author)
New Member
March 18, 2015

Jeff_FTNT wrote:

Yes, you can import CA from GUI:Certificates->CA Certificates, thanks.

Thank you. I know this option in the GUI, but how can I import multiple CAs in one step? For example, when I take a look at the Firefox CA certs, I can see about 290 trusted root CAs!

Deep SSL inspection with FortiGate is not useful unless I have a possibility to manage my root CAs in a prudent way. And deep inspection without validating the issuer of remote server certs (which is the default setting!) results in vulnerability to man-in-the-middle attacks and non-serious web servers. Please correct me if I am wrong...

Jeff_FTNT (Answer)
Staff
March 18, 2015

FGT GUI can import a CA certificate bundle file.

Normally "ssl-ca-list" is disabled by default; no need to enable it. You just make your browser trust the CA certificate in the deep-scan "ssl-ssh-profile" "caname". It is a common use case.

If "ssl-ca-list enable" is set, it will force the FGT to check the full certificate chain, and it will need the Root CA certificates imported into the FGT.

Unless you want more checks, disabling "ssl-ca-list" will be good enough. Thanks.

Fortiuser (Author)
New Member
March 24, 2015

Jeff_FTNT wrote:

FGT GUI can import ca certificate bundle file.

That was the decisive tip for me! I exported a full CA list from Firefox, merged all .crt files into one big crt and imported this crt into the FortiGate. Done. I know that I have to manage the CA certs in the FortiGate by myself now, but this is much better than nothing. Thank you Jeff!

AlexFeren
New Member
November 26, 2015

Fortiuser wrote:
I know, that I have to manage the CA-certs in Fortigate by myself now...
You'd know our local CAs, but what about public CAs? Would you have copied root certificates from Windows certmgr.msc's "Trusted Root Certification Authorities" or Firefox's certificate store "Authorities"?