sw2090
SuperUser
February 22, 2018
Solved

SSL Inspection - Certificate not usable


Hi,

Following constellation:

We have a FortiGate 100E running here. I created a CSR on it to have that signed by our internal CA. I then imported the certificate to the FortiGate, which all worked fine.

I selected it for use with HTTPS and that works fine so far. It does do HTTPS with that cert and I do not get any more browser warnings (since all our clients know our CA).

However, the FGT does not let me select that cert for use with SSL Inspection. I can only choose the Fortinet built-in one here and none of the others installed.

Does anyone have a tip why that is?

FGT runs FortiOS 5.4.x and our CA runs on Wind*ws btw.

FGT is not part of a HA Cluster, a FortiManager or a Fabric, just standalone.

Cheers

Sebastian


    EMES
    Answer
    New Member
    February 22, 2018

    You probably signed the certificate using the IIS template or web server template. For SSL decryption it needs to be either CA or SubCA. When you sign it in your CA, select the Subordinate certificate authority template. It needs to be a CA/SubCA in order to generate certificates on the fly when decrypting.

    Hope that helps

    emnoc
    New Member
    February 23, 2018

    Suggestion: load the cert in a web browser or use OpenSSL. Does it say a CA true or CA?

    See the attachment for the line in the cert details to look at.

    Ken
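
Added example, not part of the original thread: a shell sketch of the OpenSSL check suggested above, run against two throwaway certificates that mimic a web-server template and a subordinate-CA template. The function names, the config file and the `web_server`/`sub_ca` profiles are constructed for this illustration; the Key Usage test follows RFC 5280 and is not something the thread states about FortiOS.

```shell
# Constructed demo: cert names, config and temp files are made up for this example.

# Return 0 if the PEM certificate in $1 may sign other certificates:
# Basic Constraints must say CA:TRUE and, if a Key Usage extension is
# present, it must include "Certificate Sign" (keyCertSign, RFC 5280).
is_signing_ca() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' || return 1
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage')
    [ -z "$ku" ] || printf '%s\n' "$ku" | grep -q 'Certificate Sign' || return 1
    return 0
}

# Create a throwaway self-signed certificate using extension section $1
# of the constructed config below; prints the path of the PEM file.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/demo.cnf" \
        -extensions "$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null || return 1
    printf '%s\n' "$WORK/$1.pem"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = constructed-demo-cert
# Roughly what a web server template issues: an end-entity certificate.
[ web_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Roughly what a subordinate CA template issues.
[ sub_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

for profile in web_server sub_ca; do
    cert=$(make_sample_cert "$profile") || { echo "openssl failed" >&2; exit 1; }
    if is_signing_ca "$cert"; then
        echo "$profile: CA:TRUE, can sign certificates on the fly"
    else
        echo "$profile: end-entity certificate, cannot sign other certificates"
    fi
done
```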