This article describes how to use a custom certificate for FortiGate block pages.
FortiGate.
When FortiGate blocks an HTTPS site, the block (replacement) page is served with a certificate issued by the firewall's own CA. A browser that does not trust that CA shows a certificate error instead of the block page, and the page is displayed correctly only after the firewall certificate has been installed in the user machine's browser.
In a scenario where installing the firewall certificate on the user machines is not wanted, but there is an internal CA whose root certificate is already installed on those machines, follow the steps below. First, generate a CSR on the FortiGate.
Once the CSR is generated, have it signed by the internal CA.
Note:
When it is signed by the CA, make sure the certificate carries the extensions below. The certificate referenced by 'caname' in the SSL/SSH inspection profile is used by the FortiGate as a CA to issue the certificate presented on the block page, so it must be a CA certificate (Basic Constraints CA:TRUE, with a key usage that permits certificate signing), not an ordinary server certificate.
Public CAs will not issue a certificate with this extension, because it would make the holder a subordinate CA. An internal CA team, however, can sign the CSR with this extension and share the resulting certificate.
Now, import the certificate to the firewall using the related document:
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/825073/procure-and-import-a-signed-ssl-....
In that document, refer to the 'Import the signed certificate into your FortiGate' section to import the certificate.
Note:
Make sure to also import the root certificate (and any intermediate certificates in the chain) that signed the firewall certificate into the firewall's CA certificate store, so that the chain from the firewall certificate up to the trusted root is complete.
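The signing step above, as an added example that is not part of the Fortinet article: an OpenSSL script that plays the role of the internal CA, signs a FortiGate CSR as a subordinate CA with the CA extensions the FortiGate needs for 'caname', signs the same CSR as a plain server certificate for contrast, and checks both results before anything is imported. The root CA, the CSR, the subject names (Example Internal Root CA, FortiGate Block Page CA) and the file names under a temporary directory are assumptions made for this example; in practice the root already exists and the CSR is the one exported from the FortiGate. OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): play the role of the article's
# "internal CA", sign the FortiGate CSR as a subordinate CA, and check the result
# before importing it. Assumed: OpenSSL 1.1.1+. The root CA and the CSR are created
# here as throwaway stand-ins; in practice the root already exists and the CSR is
# the one exported from the FortiGate.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway internal root CA (stand-in for the CA already trusted on user machines).
make_root_ca() {
    cat > "$WORK/root.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = root_ext
[ dn ]
CN = Example Internal Root CA
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/root.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# Stand-in for the CSR generated on the FortiGate (there, the key never leaves the box).
make_fortigate_csr() {
    cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = FortiGate Block Page CA
O = Example Corp
EOF
    openssl req -new -config "$WORK/csr.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" >/dev/null 2>&1
}

# Sign the CSR as a subordinate CA. CA:TRUE is the extension the article insists on:
# FortiGate uses the 'caname' certificate to issue the block-page certificate, so an
# ordinary server certificate (CA:FALSE) cannot play that role. pathlen:0 stops the
# FortiGate certificate from being used to mint further CAs.
sign_as_sub_ca() {
    cat > "$WORK/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
    openssl x509 -req -in "$WORK/fgt.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1095 -sha256 -extfile "$WORK/subca.ext" \
        -out "$WORK/fgt-subca.crt" >/dev/null 2>&1
}

# For contrast, the same CSR signed the way a public CA would: as a server certificate.
sign_as_server_cert() {
    printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/fgt.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1095 -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/fgt-server.crt" >/dev/null 2>&1
}

# Check 1: does the certificate carry Basic Constraints CA:TRUE? (exit 0 = yes)
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Check 2: does it validate against the root the user machines already trust? (exit 0 = yes)
chains_to_root() {
    openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
}

# Produce the files to import: fgt-subca.crt under 'Import the signed certificate',
# and the root (plus any intermediates) into the FortiGate CA certificate store.
run_demo() {
    make_root_ca && make_fortigate_csr && sign_as_sub_ca && sign_as_server_cert
    cat "$WORK/root.crt" > "$WORK/ca-chain-for-fortigate.pem"
}

run_demo
echo "Work directory: $WORK"
openssl x509 -in "$WORK/fgt-subca.crt" -noout -subject -issuer
if is_ca_cert "$WORK/fgt-subca.crt"; then echo "fgt-subca.crt: CA:TRUE present, usable as caname"; fi
if ! is_ca_cert "$WORK/fgt-server.crt"; then echo "fgt-server.crt: CA:TRUE missing, not usable as caname"; fi
chains_to_root "$WORK/fgt-subca.crt" && echo "fgt-subca.crt: chains to the internal root"
```

Run the two checks against whatever the CA team hands back before importing it: a certificate that fails is_ca_cert will not work as 'caname' no matter how it is imported, and one that fails chains_to_root means the root or an intermediate is missing from what the user machines trust or from what gets imported into the FortiGate CA store.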
Below is an example of the certificate used in the lab:
Below is the SSL/SSH inspection profile configuration that references the imported certificate as its CA:
config firewall ssl-ssh-profile
    edit "Clone of certificate-inspection"
        set comment "Read-only SSL handshake inspection profile."
        config ssl
            set inspect-all certificate-inspection
        end
        config https
        end
        config ftps
        end
        config imaps
        end
        config pop3s
        end
        config smtps
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
        end
        set caname "FGT81E4Q17-----2" <-----
    next
end
In this example, 'Clone of certificate-inspection' is the SSL/SSH inspection profile applied in the firewall policy:
config firewall policy
    edit 1
        set name "TEST"
        set uuid ce96640a-d602-51ed-78ca-f6004762760a
        set srcintf "lan" "LB"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "Clone of certificate-inspection" <-----
        set webfilter-profile "Abc.com"
        set logtraffic all
        set nat enable
    next
end
Note:
The root certificate that signed the firewall certificate must be trusted by the user machine; in this lab it is already installed there, which is why the block page is shown without a certificate warning.
Below is the certificate presented with the replacement message from the firewall; in the background, the replacement message (block page) served by the firewall is visible:
Below are the certificate details:
For comparison, when the default certificate-inspection profile is applied, whose CA certificate (Fortinet_CA_SSL) is not installed in the user machine's browser, the browser shows the error below instead of the block page:
Copyright 2025 Fortinet, Inc. All Rights Reserved.