FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
In order to strengthen inspection between a FortiGate and users, certificates can be used to inspect SSL connections.

1. Create a CA with openSSL (Linux)

Edit the file /etc/ssl/openssl.cnf. In the [ CA_default ] section, point dir at the CA directory created below:
dir = /root/CA
In the [ policy_match ] section, relax the matching rules so that only the common name is required:
[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
Look for basicConstraints (in the [ v3_ca ] section) and set it to CA:true, so that the certificate is marked as a CA:
basicConstraints = CA:true
Create the following folders:
cd /root
mkdir CA
chmod 700 CA
cd CA
mkdir certs private newcerts
echo 1000 > serial
touch index.txt
The certificates can now be created:
openssl req -new -x509 -days 3650 -keyout private/cakey.pem \
    -out cacert.pem -config /etc/ssl/openssl.cnf
cacert.pem is the CA certificate (the public part) and should be imported into the FortiGate and the user browsers. The private key, private/cakey.pem, stays on the CA host.

2. Generate a certificate signing request (CSR) on the FortiGate and download it.

3. Sign the FortiGate certificate.
openssl ca -out test.cer -infiles /root/Downloads/test.csr
4. Import the signed certificate (test.cer) into the FortiGate as a “local certificate”.

5. Now use the imported certificate for SSL inspection on the FortiGate.

6. Security certificate warnings can be avoided by installing the cacert.pem file in the users' browsers as a trusted root CA.
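Steps 1 to 3 end to end, as an added shell example that is not part of the original note: it builds a throwaway CA in a temporary directory with the same layout as /root/CA, signs a constructed CSR standing in for the one downloaded from the FortiGate, and then checks what step 4 would import: that test.cer chains to cacert.pem, that the CA carries CA:TRUE, and that the signed certificate does not. It assumes openssl is installed; the CA name, key size and CSR subject are made-up values.

```shell
set -eu
make_ca() {                       # $1 = CA directory; mirrors the /root/CA layout
  mkdir -p "$1/certs" "$1/private" "$1/newcerts"; chmod 700 "$1/private"
  echo 1000 > "$1/serial"; : > "$1/index.txt"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = v3_leaf
[ policy_match ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Lab Inspection CA
[ v3_ca ]
basicConstraints = critical,CA:true
[ v3_leaf ]
basicConstraints = CA:false
EOF
  openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
    -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}
# Sign a CSR the way step 3 does; -batch suppresses the interactive y/n prompts.
sign_csr() { openssl ca -batch -notext -config "$1/openssl.cnf" -out "$3" -infiles "$2" 2>/dev/null; }
has_bc() { openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q "$2"; }
# Prints "ok" only if the cert chains to the CA, the CA is CA:TRUE and the leaf is CA:FALSE.
check_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && has_bc "$1" CA:TRUE && has_bc "$2" CA:FALSE
  then echo ok; else echo fail; fi
}
demo() {                          # constructed CSR standing in for the FortiGate download
  dir=$(mktemp -d); make_ca "$dir"
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=fortigate.lab.example \
    -config "$dir/openssl.cnf" -keyout "$dir/fgt.key" -out "$dir/fgt.csr" 2>/dev/null
  sign_csr "$dir" "$dir/fgt.csr" "$dir/test.cer"
  check_cert "$dir/cacert.pem" "$dir/test.cer"
}
demo
```

Run check_cert against the real cacert.pem and test.cer before importing them: a "fail" means the FortiGate certificate will not be trusted by browsers even with cacert.pem installed.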