Created on 07-08-2010 05:54 PM Edited on 06-09-2022 03:16 PM By Anonymous
Description
This article describes the certificate signing process used when the FortiGate is configured for SSL inspection.
For additional details about SSL inspection, please consult the "UTM Guide" in the FortiOS™ Handbook.
Please find the Japanese version in the attachment.
When a client accesses an SSL server through a FortiGate that has a CP6 and SSL Inspection (Deep scan) enabled, the FortiGate proxies the SSL connection between the client and the server.
The FortiGate receives the Original Server Certificate from the server and then signs it with its own CA certificate (Fortinet_CA or another). The Issuer of the Signed Server Certificate is changed at this point; the Subject, public key and validity dates are carried over unchanged. Finally, the client receives the Signed Server Certificate from the FortiGate instead of the original one.
The diagram below illustrates this process.
The certificate examples below show the changes made by the FortiGate:
1- Original Server Certificate (the example we would get from the SSL server https://support.oventechnologiesinc.com):
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1208893255 (0x480e3f47)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Entrust, Inc., OU=AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE, OU=CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY, OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2008 Entrust, Inc., CN=Entrust Certification Authority - L1B
        Validity
            Not Before: Nov 26 20:51:26 2009 GMT
            Not After : Nov 23 21:17:27 2012 GMT
        Subject: C=CA, ST=Alberta, L=Edmonton, O=Oven Technologies Canada Inc., OU=Customer Support, CN=support.oventechnologiesinc.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
2- Signed Server Certificate, signed by the FortiGate itself and sent to the client:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4c:24:30:7e:00:00:00:00
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=FortiGate CA/emailAddress=support@fortinet.com
        Validity
            Not Before: Nov 26 20:51:26 2009 GMT
            Not After : Nov 23 21:17:27 2012 GMT
        Subject: C=CA, ST=Alberta, L=Edmonton, O=Oven Technologies Canada Inc., OU=Customer Support, CN=support.oventechnologiesinc.com
* This Issuer was changed by the FortiGate; the Subject and Validity are the same as in the original certificate.
...or, as another example, the self-signed CA certificate (Issuer and Subject are the same) that the FortiGate sends when the built-in Fortinet_CA is used:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support/emailAddress=support@fortinet.com
        Validity
            Not Before: Apr  9 01:25:49 2000 GMT
            Not After : May 24 01:25:49 2020 GMT
        Subject: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support/emailAddress=support@fortinet.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
When the FortiGate receives the Original Server Certificate from the SSL server, it verifies:
- the expiry date; if the certificate is expired, it is considered an invalid certificate and the SSL session will fail.
- whether the CN (Common Name) and the site name (URL) are the same; a mismatch marks the certificate as invalid, but the SSL session won't fail.
If the FortiGate should ignore invalid certificates, enable the allow-invalid-server-cert option under:
config firewall profile-protocol-options
    edit <name_str>
        config https (or imaps or pop3s)
            set options allow-invalid-server-cert ...
        end
    end
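The re-signing step and the two checks described above, reproduced with openssl as an added example. This is not Fortinet code and not the FortiGate's actual implementation; the inspection CA, the server certificate, the serial number and the working directory are all constructed here, and the re-signed certificate's extensions are dropped for simplicity.

```shell
#!/bin/sh
# Added example (not from the article): reproduce the FortiGate re-signing step
# with openssl. All keys, names, subjects and serials below are constructed.
set -eu
W=$(mktemp -d)

# 1. A private inspection CA, standing in for the built-in Fortinet_CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "$W/ca.key" -out "$W/ca.crt" \
  -subj "/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA" 2>/dev/null

# 2. The "Original Server Certificate": self-signed here, standing in for the
#    Entrust-issued certificate shown in the article.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$W/server.key" -out "$W/server.crt" \
  -subj "/C=CA/ST=Alberta/L=Edmonton/O=Oven Technologies Canada Inc./CN=support.oventechnologiesinc.com" 2>/dev/null

# 3. What the FortiGate does: keep the Subject, public key and Validity of the received
#    certificate and sign it with the inspection CA (new Issuer, new serial).
#    -preserve_dates needs OpenSSL 1.1.0+; -clrext drops the old AKID so the chain verifies.
resign_cert() {  # $1 original cert, $2 CA cert, $3 CA key, $4 output path
  openssl x509 -in "$1" -CA "$2" -CAkey "$3" -set_serial 0x4c24307e -preserve_dates -clrext -out "$4" 2>/dev/null
}
resign_cert "$W/server.crt" "$W/ca.crt" "$W/ca.key" "$W/signed.crt"

# Field helpers: the RFC 2253 name form is stable across OpenSSL versions.
name_of() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }  # $1 = issuer|subject
cn_of() { name_of subject "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }
end_date() { openssl x509 -in "$1" -noout -enddate; }
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo yes || echo no; }  # $1 CA, $2 cert

# 4. The two checks the article lists, with the outcome each one produces.
verdict() {  # $1 cert, $2 host name the client connected to
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo "expired: invalid certificate, SSL session fails"
  elif [ "$(cn_of "$1")" != "$2" ]; then
    echo "CN mismatch: invalid certificate, SSL session continues"
  else
    echo "valid"
  fi
}

echo "original issuer: $(name_of issuer "$W/server.crt")"
echo "signed issuer:   $(name_of issuer "$W/signed.crt")"
echo "signed subject:  $(name_of subject "$W/signed.crt")"
echo "chains to CA:    $(chains_to "$W/ca.crt" "$W/signed.crt") (the client must have the CA installed)"
echo "verdict:         $(verdict "$W/signed.crt" support.oventechnologiesinc.com)"
```

The last two lines are the defender's takeaway: the re-signed certificate only validates on a client that trusts the inspection CA, and a CN mismatch is reported as invalid without tearing the session down.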
Scope
FortiOS 4.0 and above
Solution
Related Articles
Technical Tip: How to enable Deep Content Inspection
Troubleshooting Tip: Verifying server certificate on SSL Inspection
Copyright 2024 Fortinet, Inc. All Rights Reserved.