Skip to main content
itsd
itsd
New Member
May 17, 2022
Question

SSL Inspection Exchange online

  • May 17, 2022
  • 1 reply
  • 4909 views

So, we're having an issue with out outlook clients popping up a certificate warning and having to reconnect several times a day.  The certificate is the factory default, not the SSL certificate we have configured for deep inspection.  Fortinet support has not been able to help us and keeps trying to reinstall the SSL certificate (used for deep inspection) on the affected computers.  After looking through the logs I noticed we have SSL anomalies on some traffic to Microsoft.  It seems the certificates they are using for several of their web servers are valid with a date of over 1 year, however, fortigate responds back that the certificate is "re-signed as untrusted, certificate-status: untrusted".  I've tried using my cell phone with the same URL and it says "server certificate could not be trusted", chrome on an internal PC (after microsoft SSL exemption) now says, "NET::ERR_CERT_VALIDITY_TOO_LONG".  Which reaffirms my belief that the SSL cert is valid for too long now and is causing the error.  This would require microsoft to re-key all of these SSL certs... 

 

The certificate being used by microsoft is longer than 1  year.  Not sure if the rules regarding SSL/TLS certificates being valid for only 1 year is affecting how browsers and the fortigate see this certificate as being untrusted.

 

Why the fortigate is then using the factory default certificate for ssl inspection might be by design.  But I'm not sure on this.  The SSL error can be reproduced outside and inside my network, so I don't think its a fortigate issue.  I've exempted microsoft sites from being SSL inspection, and i'll see if I get the outlook popup again.

    1 reply

    metz_FTNT
    Staff
    metz_FTNT
    Staff
    May 18, 2022

    Hello,

     

    By default, with SSL deep-inspection when FGT fails to  authenticate the server certificate (i.e. untrusted root CA, expired, self-signed certificate)  it will resign the certificate with "Fortinet_CA_Untrusted".  In CLI you can configure it as follows:
    config firewall ssl-ssh-profile

    edit <profile_name>

    set untrusted-caname "Fortinet_CA_Untrusted"  ----> You can select different cert here

    end

     

    based on the firmware version, there are a couple of additional settings on what to do when untrusted cert is received, for example in 7.0.5:
    config firewall ssl-ssh-profile
       edit "test"
           config https
               set ports 443
               set status deep-inspection
               set expired-server-cert block
               set revoked-server-cert block
               set untrusted-server-cert allow
               set cert-validation-timeout allow
               set cert-validation-failure block


    itsd
    itsdAuthor
    New Member
    May 19, 2022

    Thanks for the information.  I made those changes above and we still get the error.  I even exempted the sites and we still got the error.  Fortinet support said the problem may have to do with the WAD crashes on signal 11 unresolved issue on 7.05.  It would still block the sites after the crash even though exempted.  I did a work around and removed SSL deep inspection for all Microsoft sites.  So far so good.  We'll see if that narrows the problem down.  If so, then upgrading to 7.2 will fix the numerous WAD problems in version 7.

    Terms & ConditionsAccessibility statement