Skip to main content
fcb
fcb
Visitor III
February 14, 2019
Question

SSL Inspection - 50 firewalls - one cert?

  • February 14, 2019
  • 1 reply
  • 3758 views

We have an Active Directory Cert Server that has issued me a Subordinate CA certificate for SSL inspection - this works great on our main edge firewall(s) for SSL Inspection, even deep inspection.

 

My question is can I use that same certificate across the board to all our firewalls so that each Fortigate doesn't have to be issued its own CA certificate from our internal cert server? It's very cumbersome to get each of those issued and then each of those imported into the local PC's trusted cert store so that they doon't get an error during SSL inspection.

 

Any advice appreciated - We also have a FortiAuthenticator that I have read can also act as a CA so if that's a better move I'm all ears

 

 

    1 reply

    emnoc
    emnoc
    New Member
    February 14, 2019

    Yes and that's about normal. We use one  privateCA certificate and it ease of management. Just make sure you trust the certificate for your applications.

     

    if you stroke a unique certificate AND for each Firewall ( 50+ ) , you will have to figure out a way to deploy it to the end-user. That would be a nightmare ;)

     

    Now if you have a business requirement for a specific need, than yes craft a unique cert for that business-dept.

     

    Ken Felix

     

    fcb
    fcbAuthor
    Visitor III
    February 14, 2019

    appreciate the reply.... can't think of a use case where we'd need different certs for different departments.

     

    So, I'm thinking I take the existing cert I am using on the edge firewall and manipulate that with something like OpenSSL so I can get private key and the like or do I need to even do that? Can I just download this cert from the edge and upload it to the others and it work? I think the answer to that is no because w/o generating a new CSR the other firewalls will not allow this cert to import to them, right? I guess that's what we're missing here. How do I take this existing certificate (the one doing SSL inspection) and apply it to other devices.

     

    Thanks again

    emnoc
    emnoc
    New Member
    February 14, 2019

    Download it and upload it to the  fortigate. Make a pkcs12  and import the  file into  fortigate and apply that in your ssl-inspection.

     

    Since the existing  clients ( hopefully ) has the  ca-trust-root installed or deploy, nothing has to change on the client-side

     

     

     

    Ken Felix

    Terms & ConditionsAccessibility statement