lalu
New Member
September 28, 2021
Question

SSL deep inspection with external certificate

  • September 28, 2021
  • 1 reply
  • 3695 views

Hi, I want to install a certificate issued by an external CA, so as to be recognized automatically by browsers.

1. Under System -> Certificates I created and downloaded the CSR.
2. At the external CA, I created the CRT certificate.
3. I imported the CRT certificate.

Everything seems to be installed correctly, but when I go under Security Profiles -> SSL/SSH inspections -> deep inspection, I cannot select my certificate (see image link). I see only the default Fortinet_CA_SSL certificate.

https://www.screencast.com/t/1TKXu4dRmUws


Why? What am I doing wrong?


Thank you.

Best regards

Luca

    1 reply

    TecnetRuss
    Visitor III
    September 28, 2021

    You can only use a Certificate Authority (CA) certificate with deep packet inspection.  You cannot use a regular certificate.  You'll notice that CA certificates and non-CA certificates are grouped separately under System / Certificates.  It is simply not possible to purchase a 3rd party browser-trusted CA certificate that would allow your FortiGate to act as a CA and issue any domain's certificate to clients.


    The way deep packet inspection is typically deployed is that the FortiGate's CA certificate is installed on all DPI-protected systems.  On Windows domain systems you can do this easily with Group Policy.  With an MDM solution you can push the certificate out to managed mobile devices quite easily too.  For unmanaged devices it has to be done manually, which is why DPI is not usually used on guest networks.


    Russ

    NSE7
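    The point Russ makes (only a CA certificate can be selected for deep inspection) can be checked on any certificate file before importing it. The script below is an added example, not from this thread or from Fortinet: it builds a constructed private CA plus a server certificate signed by it, then tests each for the basicConstraints CA:TRUE flag and a keyUsage that permits certificate signing, which is what the FortiGate needs to mint per-site certificates for inspected sessions. It assumes the openssl CLI (1.1.1 or newer, for -addext) is installed.

```shell
#!/bin/sh
# Added example (not from the thread): a certificate bought from a public CA is a
# server certificate (CA:FALSE), so it cannot be selected for deep inspection;
# only a CA certificate (CA:TRUE, keyUsage keyCertSign) can.
# Assumes the openssl CLI, version 1.1.1 or newer.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# is_ca_cert FILE: succeeds only if the certificate asserts basicConstraints CA:TRUE.
# Server certificates carry CA:FALSE (or no basicConstraints) and fail this check.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# can_sign_certs FILE: succeeds if keyUsage includes Certificate Sign (keyCertSign).
can_sign_certs() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Certificate Sign'
}

# make_test_certs: constructed test data, a private CA and a leaf certificate it signed.
# The leaf mirrors what an external CA would return for the CSR in the question.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Example Inspection CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=fw.example.test" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.crt" 2>/dev/null
}

# report FILE: prints whether the certificate is usable as a deep-inspection CA.
report() {
    if is_ca_cert "$1" && can_sign_certs "$1"; then
        echo "$1: CA certificate, usable for deep inspection"
    else
        echo "$1: not a CA certificate, usable only as a server certificate"
    fi
}

make_test_certs
report "$WORK/ca.crt"
report "$WORK/leaf.crt"
```

    Run the same two checks against the CRT returned by the external CA; it will report as a server certificate, which is why it does not appear in the deep inspection CA list.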