sanu
New Member
November 23, 2017
Question

SSL Inspection error _ Mobile Devices

  • November 23, 2017
  • 1 reply
  • 24524 views

Dear Friends,

I need your kind attention on a small problem and need your valuable suggestions.

I have enabled SSL inspection in my FortiGate policy, which leads to a certificate error in the browser. I overcame this by installing the FortiGate certificate in the computer browser (Mozilla / Chrome / IE, etc.), but what will I do with mobile devices like Android / iPhones, where I have no option to manually install the certificate?

Please do revert ASAP ... TqVM

Regards,

SANU

    1 reply

    packetpusher
    New Member
    November 24, 2017
    Great question! I've been thinking about how to address that same issue by utilizing MDM. So far I haven't found a cost-effective way to materialize my goal.
    emnoc
    New Member
    November 26, 2017

    Yes, you can manage the CA trust store on most mobile devices.

    SecurityPlus
    Explorer III
    November 26, 2017
    Do Apple and Android mobile devices respect commercially signed certificates as desktop and laptop browsers do?
    packetpusher
    New Member
    November 26, 2017

    In addition, how do you install an SSL cert onto a Smart TV?

    emnoc
    New Member
    November 26, 2017

    Do Apple and Android mobile devices respect commercially signed certificates as desktop and laptop browsers do?


    Yes, the cert store holds any certificate for root CAs (self-signed, commercial, pre-canned factory, etc. ...).

    Ken

    SecurityPlus
    Explorer III
    November 28, 2017
    If the firewall has a commercial certificate (instead of the default FortiGate or self-signed certificate), does this eliminate the need to install the certificate in the mobile browser?
    emnoc
    New Member
    November 29, 2017

    Depends, but if the CA intermediates are installed in that mobile device and trusted, then yes, this would work. Keep in mind about 9k CAs exist, but only 200/1K are installed in any given OS's/device's CTL. Keep in mind the SSL inspection certificate is not an end-server certificate.

    So if it's a well-known CA, then you should be good. I hope that helps.

     

    SecurityPlus
    Explorer III
    November 29, 2017
    Thanks
    emnoc
    New Member
    November 29, 2017

    Keep this in mind: if you go with a commercial certificate for the MITM SSL inspection, it requires more effort on the end users' side to acquire this certificate.

    If you think about it, you're acting like a CA intermediate and dynamically re-signing or "forging" the CA chain and issuer. So most CAs require more from you when they issue you a certificate signed off the intermediate chain. It's not like you can go to GoDaddy or Comodo and ask "give me my own root/intermediate certificate because I want to do SSL decryption" ;)


    SecurityPlus
    Explorer III
    December 1, 2017

    When you say more effort for the end users, are you referring to the every 12-, 24-, 36-, etc. month renewal of the certificate? I would like to do deep packet inspection without having the user get a certificate warning and without having to add certificates to every user machine individually. Not all organizations are using Active Directory, so this is not often an option.