ObedKABO
New Member
December 12, 2024
Question

SSL Inspection

  • December 12, 2024
  • 3 replies
  • 2656 views

Hi there,


I have a problem with my FortiGate 100F. I have deployed a web application server with a certificate from DigiCert, and internally everything works; the certificate is installed correctly. But when external users connect to it there is a problem with the certificate, because the FortiGate uses its default certificate and there is a warning. I have also imported my certificate, but when I want to fix it on the FortiGate there is an error. I need help, because most of the users will be external and I need there to be no warning associated with the certificate.


Thanks,

3 replies

adambomb1219
SuperUser
December 12, 2024

Do you actually want to decrypt this flow?

ObedKABO (Author)
New Member
December 12, 2024

I imported the certificate into FortiGate, which worked fine.

I selected it for use in https and it's working fine so far.

However, the FGT won't let me select this certificate for use with SSL inspection. I can only select the one built into the FortiGate and none of the others installed.

Any idea why?

pminarik
Staff
December 12, 2024

Edit the SSL inspection profile and review the option "Enable SSL inspection of":

[screenshot: 2024-12-12 15_20_36-Window.png]

"Multiple Clients Connecting to Multiple Servers":

  • Can only choose from CA-type certificates (not something you can regularly purchase)
  • Intended for broad deep-inspection of many non-specified destinations
  • The prototypical use-case is filtering outgoing internet traffic of local users


"Protecting SSL Server":

  • Can choose one of existing/imported non-CA certificates.
  • Can be applied to individual servers only (one or multiple, depending on the SAN field of the certificate, i.e. what specific domains it is valid for)
  • The prototypical use-case is applying protection on a local server for client traffic coming from the internet.

Given your description, you most likely want an SSL inspection profile in the second mode of operation.

sw2090
SuperUser
December 13, 2024

Yes, you need CA:TRUE (i.e. a CA or SubCA certificate) for deep packet inspection. This is because of the way this functions. DPI works man-in-the-middle, which means the FGT has to decrypt the traffic, inspect it and then re-encrypt it to pass it on to the client. It cannot do re-encryption with the original cert because it doesn't have the private key of that. Also it needs to re-encrypt traffic with a cert that contains several details of the original one (like Common Name or Subject Alternative Name(s)). Due to this it needs a certificate that it can use to sign a new certificate that contains the above-mentioned data and then use that to re-encrypt the traffic. And this can only be done with a certificate that has CA:TRUE. And yes, like said above, you cannot buy such certificates (or you cannot afford the conditions needed), so you will have to use a self-signed one. This has the consequence that, in order to avoid browser warnings, every client will have to have the CA/SubCA used by the FortiGate installed as a trusted certificate authority.