newNetwork
New Member
January 2, 2015
Solved

SSL inspection Certificate mystery


Is it possible to use a VeriSign (or any other CA) for SSL inspection (web filtering, app control), in order to get rid of the annoying certificate warning on HTTPS sites when using the inbuilt FortiGate CA SSL proxy certificate?

If yes, what type of certificate needs to be bought: a single SSL certificate, etc.?

From this discussion, I am doubtful about the possibility.

 

Apart from this I see no other way by which the HTTPS certificate warning can be avoided completely, as smartphones, tablets and iPads are never part of the domain, so it's not possible to use the Active Directory infrastructure to push a local certificate, and it's a tedious task to install the FortiGate SSL proxy cert manually on every single device.

 

    Best answer by Bromont_FTNT

     

    If a public CA started handing out signing certificates that people could use for SSL inspection the first thing I would do is remove their root from my browser store. Certificates are about trust... how can I trust a CA that lets others do SSL inspection on any site?

    6 replies

    emnoc
    New Member
    January 2, 2015

    The short answer is no; this is what SSL is supposed to do: give you, or let me rephrase, "the end-user the warning", and then he/she can make the validation to proceed after being warned.

     

     

    vmartin_FTNT
    Staff
    January 6, 2015

    You can use a custom certificate for SSL inspection, instead of the default FortiGate cert. You can find instructions for how to do this here: http://cookbook.fortinet.com/preventing-certificate-warnings/#custom

    lunhas2k4
    Explorer II
    February 7, 2015

    Hi,

     

    Which version of FortiOS are you using? After tinkering a little bit and a couple of forums, I found a solution for 5.2.1 and 5.2.2. I only get the certificate issue on sites that are actually being barred from use.

     

    Is that what you are looking for?

     

     

    Silver
    New Member
    February 16, 2015

    Hi all,

     

    I did not really understand well. I have the same problem with SSL inspection: I want to use a public CA with my SSL inspection for all my guest mobile phones, iPads, laptops, etc.

     

    Help

    Bromont_FTNT
    Staff
    February 17, 2015

     

    If a public CA started handing out signing certificates that people could use for SSL inspection the first thing I would do is remove their root from my browser store. Certificates are about trust... how can I trust a CA that lets others do SSL inspection on any site?

    bikash_Shaw
    New Member
    February 17, 2015

    Hi

    Please follow the attached document. You can disable the replacement message.

     

    Regards

    Bikash

    emnoc
    New Member
    February 17, 2015

    Exactly, it's called a chain of trust for a reason