Description
This article describes that the certificate error is always present on HTTPS websites blocked by FortiGate when doing SSL inspection without having the FortiGate CA certificate imported.
The reason for that is, that when a secured website is accessed (f.e. https://www.youtube.com) the YouTube certificate guarantees that the content of the website is safe (as it is signed by a Certificate Authority that is trusted by the browser). However, when the firewall intercepts the SSL traffic to modify the content shown at https://www.youtube.com it will not be able to sign the modified content with the original CA as the firewall does not have a private key of the original CA.
Therefore, the changed content (i.e. FortiGate replacement page) needs to be signed by its own CA certificate and if the browser does not trust it, instead of the replacement page, the user will see the certificate error.
Solution
To remove the certificate error, there are two possibilities:
- The user will import the FortiGate CA certificate into the browser's 'Trusted Root Certification Authorities' store.
- If there is a CA certificate (including the private key) that is trusted in the network/domain (by browsers), it is possible to import it to the FortiGate and use it for the replacement messages.
The related articles below show how to import the CA certificate.
After the import to utilize this certificate for replacement page signing:
config user setting
set auth-ca-cert <your_CA>
end
Related Articles:
Technical Tip: How to import the CA certificate for full SSL inspection
Technical Tip: Installing Private CA for Deep inspection
