Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ametkola
Staff
Staff

Created on ‎04-11-2023 05:38 AM Edited on ‎06-17-2025 09:33 PM By Community Manager

Article Id 251252

Technical Tip: Add a new certificate to SSL/SSH inspection profile

Description

 

This article describes how to add a new certificate to SSL/SSH inspection profile.

 

If it is impossible to select the certificate in the SSL/SSH inspection, it can be for two reasons:

  1. Either the certificate is not imported in the correct way.
  2. Or the certificate is not CA=True as this is the requirement for Certificate inspection.

 

Solution

 

To import the certificate go to System -> Certificate -> Import -> Local certificate.

Then select certificate if having a separate public and private key, or select PKCS12 if having a '.pfx' bundle.

 

Then go to System -> Certificate and check if CA=True is there or not.

 

CA_CERT.JPG

 

The same info can be found under the details of the certificate by opening the certificate on pc before uploading it. The subject type under basic constraints should be 'CA', as shown in the following example:

 

Screenshot 2025-06-13 092748.jpg

 

  • FortiGate must act as a CA in order for it to perform full SSL inspection. The internal CA must generate an SSL private key and certificate each time an internal user connects to an external SSL server.
  •  FortiGate acts as a proxy web server. For FortiGate to act in these roles, its CA

The certificate must have the basic constraints extension set to CA=True and the value of the keyUsage extension set to keyCertSign.

 

  • The CA=True value identifies the certificate as a CA certificate. The keyUsage=keyCertSign value indicates that the certificate corresponding private key is permitted to sign certificates.
  •  If the connection request is outbound, select the option 'Multiple Clients Connecting to Multiple Servers'. Then, it is necessary to select the CA certificate that will be used to sign the new certificates.

 

  1.  On the FortiGate GUI, select Security Profiles -> SSL/SSH Inspection.
  2.  Select Create New to create a new SSL/SSH inspection profile.
  3.  Select Multiple Clients Connecting to Multiple Servers, and select SSL Certificate Inspection.

 

Related documents:

Technical Tip: How to import an SSL certificate as a local certificate

Import a certificate
Technical Tip: Installing Private CA for Deep inspection

9274
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.