FortiGate
mmishra_FTNT
Staff
Article Id 196698
Description
This article discusses how to import a certificate signed by a third-party vendor onto a FortiGate.

Solution
1) Obtain a signed certificate from a third-party CA, import it into the FortiGate's local certificate store, and use it for SSL content scanning on the secured protocols.

2) Import the certificate into client browsers as mentioned above.

3) Disable deep scan on the FortiGate unit.

To install a third-party signed CA certificate:

Separate the certificate file, the key file and the key password from the PKCS#12 file, then import them into the FortiGate unit's local certificate store. The split can be done with OpenSSL.

When using SSL content inspection (SSL proxy), a CA certificate must be used. Be aware that a certificate is considered a CA certificate only if:

1) It has either
- CA:TRUE and a KeyUsage that includes keyCertSign, or
- no CA (basicConstraints) extension and a KeyUsage that includes keyCertSign.

2) It is not considered a CA certificate if:
- CA:FALSE is present.

So the requirements you must give to the company that will issue the certificate are the ones listed in point 1.
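The OpenSSL split described above and the CA-certificate rules in points 1 and 2, as an added example that is not Fortinet's code and not part of the original article. It assumes the openssl command-line tool is installed; the file names, the passwords (bundle-secret, key-secret) and the demo certificates are constructed for the example. split_pkcs12 produces the two files and the key password that the local certificate store import asks for; is_ca_certificate applies the article's rules so you can check a vendor's certificate before uploading it.

```shell
#!/bin/sh
# Added example (not Fortinet's code). Assumes the openssl CLI is available.
# Splits a PKCS#12 bundle into certificate + key file + key password for the
# FortiGate local certificate store, and checks the CA rules from the article.

# split_pkcs12 BUNDLE.p12 BUNDLE_PASSWORD KEY_PASSWORD OUTDIR
# Writes OUTDIR/cert.pem (certificate only, bag attributes stripped) and
# OUTDIR/key.pem (private key re-encrypted with KEY_PASSWORD, which is the
# password you enter when importing the key on the FortiGate).
split_pkcs12() {
    p12=$1; p12_pass=$2; key_pass=$3; outdir=$4
    mkdir -p "$outdir"
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$p12_pass" |
        openssl x509 -out "$outdir/cert.pem"
    openssl pkcs12 -in "$p12" -nocerts -passin "pass:$p12_pass" \
        -passout "pass:$key_pass" -out "$outdir/key.pem"
}

# is_ca_certificate CERT.pem
# Returns 0 if the certificate counts as a CA certificate under the rules above:
#   CA:TRUE + keyCertSign, or no basicConstraints extension + keyCertSign.
# Returns 1 if CA:FALSE is present or keyCertSign is missing.
is_ca_certificate() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    if printf '%s\n' "$text" | grep -q 'CA:FALSE'; then
        return 1                       # rule 2: explicitly not a CA
    fi
    # "Certificate Sign" is how openssl prints the keyCertSign key usage bit
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        return 0                       # rule 1, first form
    fi
    if ! printf '%s\n' "$text" | grep -q 'Basic Constraints'; then
        return 0                       # rule 1, second form: no CA extension
    fi
    return 1
}

# make_demo_bundle OUTDIR
# Constructed stand-in for what a vendor hands over: a self-signed CA
# certificate packed into a PKCS#12 bundle, plus a CA:FALSE leaf certificate
# to show a certificate the FortiGate would refuse to use for inspection.
make_demo_bundle() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Demo Inspection CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/demo.cnf" \
        -extensions v3_ca -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/demo.cnf" \
        -extensions v3_leaf -keyout "$dir/leaf.key" -out "$dir/leaf.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/ca.crt" -inkey "$dir/ca.key" \
        -out "$dir/vendor.p12" -passout pass:bundle-secret
}

# Run "sh split_for_fortigate.sh demo" to exercise everything on the demo bundle.
if [ "${1:-}" = "demo" ]; then
    W=$(mktemp -d)
    make_demo_bundle "$W"
    split_pkcs12 "$W/vendor.p12" bundle-secret key-secret "$W/out"
    if is_ca_certificate "$W/out/cert.pem"; then
        echo "cert.pem would be treated as a CA certificate"
    else
        echo "cert.pem would NOT be treated as a CA certificate"
    fi
    if is_ca_certificate "$W/leaf.crt"; then
        echo "leaf.crt would be treated as a CA certificate"
    else
        echo "leaf.crt has CA:FALSE and would NOT be treated as a CA certificate"
    fi
    echo "import $W/out/cert.pem and $W/out/key.pem with key password key-secret"
fi
```

With a real vendor bundle, call split_pkcs12 with the bundle's export password and the key password you intend to enter on the FortiGate, then run is_ca_certificate on the resulting cert.pem before uploading; a CA:FALSE result means the vendor issued an end-entity certificate and it needs to be reissued with the requirements from point 1.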

Once the certificate is obtained, import it into the local certificate store, then reference it under

# config firewall ssl setting
(setting) # set caname

At this point the browser will trust the new certificate and will no longer display the security warning page when browsing HTTPS sites with deep scan enabled on the FortiGate.
