Technical Note: How to create a certifica...

FortiGate

FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

Article Id 198562

Description

In order to strengthen inspection between a FortiGate and users, certificates can be used to inspect SSL connections.

Solution

1. Create a CA with openSSL (Linux)

Edit the file /etc/ssl/openssl.cnf

dir = /root/CA
[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName = optional
commonName              = supplied
emailAddress            = optional

Look for basicConstraints and change to TRUE:

basicConstraints=CA:TRUE

Create the following folders:

cd /root
mkdir CA
chmod 700 CA
cd CA
mkdir certs private newcerts
echo 1000 > serial
touch index.txt

The certificates can now be created:

openssl req -new -x509 -days 3650 -keyout private/cakey.pem \ -out cacert.pem -config /etc/ssl/openssl.cnf

cacert.pem is the public key and should be imported into the FortiGate and the user browser.

2. Generate a Certificate Request on the FortiGate and download.

3. Sign the FortiGate certificate.

openssl ca -out test.cer -infiles /root/Downloads/ test.csr

4. Import the signed certificate (test.cer) into the FortiGate as “local certificate”.

5. Now use the imported certificate to inspect SSL connections.

6. Security certificate warnings can be avoided by installing the cacert.pem file in your browsers.

10906

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Technical Note: How to create a certificate to use in SSL Inspection

You are leaving our website