Created on 10-13-2021 04:52 AM
Edited on 05-09-2025 12:20 AM
By Jean-Philippe_P
Description
This article explains why a certificate error, rather than the FortiGate replacement page, is always shown when an HTTPS website is blocked under SSL deep inspection and the client does not trust the FortiGate CA certificate.
When a secured website is accessed (for example https://www.youtube.com), the server presents a certificate issued by a Certificate Authority that the browser trusts. That certificate proves the identity of the server and lets the browser detect any modification of the page in transit; it does not say anything about whether the content itself is safe. When the firewall intercepts the SSL/TLS session in order to replace the content of https://www.youtube.com with a block page, it cannot present the original certificate, because it does not hold the private key that belongs to it, and it cannot obtain a certificate for www.youtube.com from the original CA either.
Therefore the FortiGate generates its own certificate for the site, signed by its own CA certificate (Fortinet_CA-SSL by default), and presents that to the browser together with the replacement page. If the browser does not trust that CA, the user sees the certificate error instead of the replacement page.
Scope
FortiGate.
Solution
To remove the certificate error, there are two possibilities:
Option 1: make the clients trust the FortiGate CA. Navigate to System -> Certificates, download 'Fortinet_CA-SSL' and import it into the trusted root CA store of the browser or operating system on each client.
Option 2: make the FortiGate sign with a CA the clients already trust. Import that CA certificate, together with its private key (the FortiGate needs the key to sign the certificates it generates), into the FortiGate. The related articles below show how to import a CA certificate for use with deep inspection.
After importing the CA certificate, set it on the SSL inspection profile used in the firewall policy. 'Custom_CA_cert' is the name the certificate was given when it was imported:
config firewall ssl-ssh-profile
    edit "SSL_profile"
        set caname "Custom_CA_cert"
    next
end
To confirm the change, open a blocked HTTPS site from a client: the replacement page should appear, and the certificate details in the browser should show the chosen CA as the issuer.
Related articles:
Copyright 2025 Fortinet, Inc. All Rights Reserved.