Camshaft007
New Member
September 14, 2016
Question

SSL-DPI FortiOS 5.4.1 - CA Issue


I'm having a problem where my FGT is injecting the "Fortinet Untrusted CA cert" instead of my Custom CA when inspecting traffic to certain websites.  Anyone else running into this problem?  After a very long call with TAC I think we have this issue nailed down to a bug with 5.4.1 and the introduction of the "Fortinet Untrusted CA Cert". 

 


    Camshaft007
    New Member
    September 22, 2016

    So, I feel like I should respond to this as we (TAC and I) were able to figure out what was going on. The "untrusted CA certificate" is a new feature in version 5.4.x. If there is an issue with the certificate chain, the Fortigate will use the "Untrusted CA certificate" by default for SSL inspection.

     

    Now this leaves you 2 options:
    1.) Deploy the "Untrusted CA Certificate" all over your environment.... no thank you.
    2.) Set the "untrusted CA Cert" to the "Trusted CA Certificate" you're using for SSL-DPI.

     

    Personally I went with option 2, else you will be making "exceptions" for every single broken certificate chain your users come in contact with (for me this number has only been 2 but I anticipate more). Even if the site/url is malicious, the encrypted traffic will still be inspected and hopefully the FGT will keep out the bad stuff.

    clarkg
    New Member
    October 26, 2016

    How do you set the untrusted CA cert to your trusted cert?

    emnoc
    New Member
    October 26, 2016

    How about replacing the untrusted cert? You should do that by default.

     

     

    Take a look at the following under SSL and certificate:

     

    ( defaults )

        set caname "Fortinet_CA_SSLProxy"
        set untrusted-caname "Fortinet_CA_Untrusted"

     

    You can import your trusted cert and replace the SSL inspection cert, FWIW.
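To make the answer to clarkg's question concrete, here is an added example (not emnoc's output and not Fortinet documentation) showing where those two `set` lines live in the FortiOS 5.4 CLI: the shipped defaults beside the change Camshaft007 describes as option 2. The certificate name `Corp_SSL_Inspection_CA` is an assumed name for a CA you have already imported on the FortiGate; `deep-inspection` is the default SSL/SSH profile and is assumed to be the one your policy references. Lines starting with `#` are annotations, not CLI input.

```text
# Added example, not from the thread. Assumes the custom CA is already
# imported as "Corp_SSL_Inspection_CA" (assumed name) and that the
# policy uses the default "deep-inspection" profile (assumed).

# 1. Confirm the custom CA is present on the FortiGate.
show vpn certificate local

# 2. Shipped defaults: when the upstream chain fails validation, the
#    FortiGate re-signs with Fortinet_CA_Untrusted. Clients do not
#    trust that CA, so the browser raises a warning on such sites.
config firewall ssl-ssh-profile
    edit "deep-inspection"
        set caname "Fortinet_CA_SSLProxy"
        set untrusted-caname "Fortinet_CA_Untrusted"
    next
end

# 3. Option 2 from the thread: point both names at the custom CA, so
#    every re-signed site, broken chain or not, is issued by a CA the
#    clients already trust.
config firewall ssl-ssh-profile
    edit "deep-inspection"
        set caname "Corp_SSL_Inspection_CA"
        set untrusted-caname "Corp_SSL_Inspection_CA"
    next
end

# 4. Verify the profile now references the custom CA for both.
show firewall ssl-ssh-profile deep-inspection
```

One caveat before copying step 3: the separate untrusted CA is what lets the user's browser surface an upstream chain failure. Once both names point at the trusted CA, a site whose real certificate would have warned the user shows a clean padlock, and the only remaining signal lives on the FortiGate. If you take this route, review the profile's untrusted-cert action (allow/block/ignore) and make sure those sessions are logged so the failure is still visible somewhere.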