FortiGate
tthrilok (Staff)
Article Id 269444
Description

This article describes how to use a custom certificate for FortiGate block pages.

Scope

FortiGate.

Solution

It is common to see the firewall generating a block page that the user's browser does not display; the page appears only after the firewall's certificate is installed in the browser on the user machine.

In a scenario where the user does not want to install the firewall certificate, but an internal CA exists whose certificate is already installed on the user machines, follow the steps below:

  1. Generate a CSR from the firewall, from the GUI:
    System -> Certificates -> Create/Import -> Generate CSR.
  • Certificate Name: name it according to the user's naming standard.
  • ID Type: define the firewall IP or domain. In the case of HA, also add the secondary firewall IP or FQDN in the Subject Alternative Name.
  • Define the rest as per the user's requirements.
  • Then select 'OK'.

Once the CSR is generated, get it signed with the internal CA.

Note:

When the CSR is signed by the CA, make sure the issued certificate has the following extension:

  • CA: TRUE

Public CAs will not normally issue a certificate with this extension. With an internal CA, the CA team should be able to sign the CSR with this extension and share the resulting certificate.
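As an added example (not from the article or from Fortinet's own tooling), the CA-side part of the steps above done with OpenSSL: a CSR carrying SANs for the primary and HA secondary firewall, signed by a lab CA with the CA: TRUE extension (basicConstraints), plus a pre-import check that the issued certificate really has it. The CA name, FQDN and IP addresses are constructed; in practice the CSR comes from the firewall GUI and the internal CA does the signing.

```shell
#!/bin/sh
# Added example, not from the article: sign a firewall CSR with a lab internal
# CA so the leaf is marked CA:TRUE and carries SANs for the primary and HA
# secondary firewall, then verify those properties before importing it.
# Assumes openssl (1.1.1+) is on PATH; names and IPs below are constructed.
set -eu
WORK="${TMPDIR:-/tmp}/fgt-blockpage-demo"
FW_FQDN="fw.lab.example"    # constructed firewall FQDN
FW_IP="192.0.2.10"          # constructed primary firewall IP
FW_HA_IP="192.0.2.11"       # constructed HA secondary firewall IP
SANS="DNS:$FW_FQDN,IP:$FW_IP,IP:$FW_HA_IP"

# Lab stand-in for the organisation's internal CA already trusted by clients.
make_lab_ca() {
  mkdir -p "$WORK" && cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 365 -subj "/CN=Lab Internal CA" 2>/dev/null
}

# CSR as the firewall would generate it (System -> Certificates -> Generate CSR).
make_fw_csr() {
  cd "$WORK"
  openssl req -new -newkey rsa:2048 -nodes -keyout fw.key -out fw.csr \
    -subj "/CN=$FW_FQDN" -addext "subjectAltName=$SANS" 2>/dev/null
}

# Signing step done by the CA team: the extfile adds basicConstraints CA:TRUE,
# which the article requires for the inspection-profile certificate, and
# repeats the SANs because "openssl x509 -req" does not copy CSR extensions.
sign_fw_csr() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nsubjectAltName=%s\n' "$SANS" > fw.ext
  openssl x509 -req -in fw.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile fw.ext -out fw.crt 2>/dev/null
}

# Pre-import check for a certificate file in $WORK: prints "ok" only if it
# chains to the CA, is CA:TRUE and names every firewall identity in its SAN.
check_fw_cert() {
  cd "$WORK"
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1 || { echo "bad-chain"; return 0; }
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'CA:TRUE' || { echo "no-ca-true"; return 0; }
  for id in "DNS:$FW_FQDN" "IP Address:$FW_IP" "IP Address:$FW_HA_IP"; do
    echo "$text" | grep -q "$id" || { echo "missing-san $id"; return 0; }
  done
  echo "ok"
}

make_lab_ca && make_fw_csr && sign_fw_csr && check_fw_cert fw.crt   # prints "ok"
```

Run the same check against the certificate the CA team returns; anything other than "ok" means it should not be imported yet.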

Now, import the certificate to the firewall using the related document:
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/825073/procure-and-import-a-signed-ssl-....

In the document above, refer to the 'Import the signed certificate into your FortiGate' section to import the certificate.

Note:

Make sure to also import the root (and any intermediate chain) certificate that signed the firewall certificate into the firewall.

  • Once the certificate is imported, go to Security Profiles -> SSL/SSH Inspection -> Create New and, under CA certificate, select the newly imported certificate.
  • Then apply the profile in the desired firewall policy.

Below is the certificate example used in the lab:

[Screenshot: MicrosoftTeams-image (12).png]

Below is the certificate profile configuration:

config firewall ssl-ssh-profile
    edit "Clone of certificate-inspection"
        set comment "Read-only SSL handshake inspection profile."
        config ssl
            set inspect-all certificate-inspection
        end
        config https
        end
        config ftps
        end
        config imaps
        end
        config pop3s
        end
        config smtps
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
        end
        set caname "FGT81E4Q17-----2"  <-----
    next
end

In this example, 'Clone of certificate-inspection' is the profile applied in the policy:

config firewall policy
    edit 1
        set name "TEST"
        set uuid ce96640a-d602-51ed-78ca-f6004762760a
        set srcintf "lan" "LB"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "Clone of certificate-inspection"  <-----
        set webfilter-profile "Abc.com"
        set logtraffic all
        set nat enable
    next
end

Note:

The root certificate that signed the firewall certificate must be installed on the user machine; in this lab, it is already installed.

Below is the certificate presented with the replacement message by the firewall; in the background, the replacement message from the firewall is visible:

[Screenshot: MicrosoftTeams-image (13).png]

Below are the certificate details:

[Screenshot: MicrosoftTeams-image (14).png]

In contrast, when the default certificate-inspection profile is used, whose certificate is not installed in the user machine's browser, the following error is visible:

[Screenshot: MicrosoftTeams-image (15).png]
