FortiGate
jballini
Staff
Article Id 420384
Description: This article describes how to force a specific certificate chain on both SSL VPN and SSL/SSH Inspection in FortiGate.
Scope: FortiGate.
Solution

It is possible to force a specific certificate chain on both SSL VPN and SSL/SSH Inspection in FortiGate, but the method differs slightly between them:
1. Forcing a certificate chain for SSL VPN: In the SSL VPN settings, the administrator explicitly selects the server certificate (together with the chain it was imported with) that FortiGate presents to SSL VPN clients.

Steps:

Go to System -> Certificates -> Local Certificates and ensure the certificate includes the full chain (leaf + intermediate + root, if needed), for example by importing a PEM or PKCS#12 file that carries the intermediate certificate(s) as well as the leaf.
Go to VPN -> SSL VPN Settings.
Under Server Certificate, select the desired certificate.
The certificate must include the full chain when imported. FortiGate does not construct the chain on the fly (it does not fetch missing intermediates), so it can only send what was imported. A client that trusts only the root CA rejects a leaf certificate that arrives without its intermediate, which shows up as an untrusted-certificate warning in the VPN client or browser.
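As an added example (not Fortinet's or the article's own code), the following POSIX shell script builds a throwaway root -> issuing CA -> server certificate hierarchy with openssl and then checks it the way a VPN client does: a client that trusts only the root cannot verify a leaf that arrives without its intermediate, which is exactly the failure seen when the bundle imported on the FortiGate lacks the chain. It also checks that a PEM bundle is ordered leaf, intermediate(s), root before import, and carries a helper (served_chain, not run here because it needs the network) to pull the chain a live FortiGate actually sends. All names (Example Root CA, Example Issuing CA, vpn.example.com, the file names) are made up for the demonstration; the only dependency is the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not Fortinet code: throwaway PKI plus the checks a client performs.
# Certificate names and hostnames below are invented for the demonstration.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Sign a CSR with a CA and apply the extensions in an extfile.
# Usage: sign CSR CA-CERT CA-KEY EXTFILE OUT
sign() {
  openssl x509 -req -sha256 -days 2 -in "$1" -CA "$2" -CAkey "$3" \
    -CAcreateserial -extfile "$4" -out "$5" >/dev/null 2>&1
}

make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.com\n' > "$WORK/leaf.ext"
  for name in root int leaf; do
    case $name in
      root) subj="/CN=Example Root CA" ;;
      int)  subj="/CN=Example Issuing CA" ;;
      leaf) subj="/CN=vpn.example.com" ;;
    esac
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  done
  # Root is self-signed; the issuing CA is signed by the root; the leaf by the issuing CA.
  openssl x509 -req -sha256 -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  sign "$WORK/int.csr"  "$WORK/root.crt" "$WORK/root.key" "$WORK/ca.ext"   "$WORK/int.crt"
  sign "$WORK/leaf.csr" "$WORK/int.crt"  "$WORK/int.key"  "$WORK/leaf.ext" "$WORK/leaf.crt"
  # Bundle in the order a TLS server (and the FortiGate import) needs: leaf, then each issuer.
  cat "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/bundle.pem"
  # The same certificates in the wrong order, to exercise the ordering check below.
  cat "$WORK/int.crt" "$WORK/leaf.crt" "$WORK/root.crt" > "$WORK/wrong-order.pem"
}

# A client that trusts only the root, verifying a leaf that arrived with no intermediate.
# This fails (non-zero exit): "unable to get local issuer certificate".
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# The same client, with the intermediate delivered by the server as part of the chain.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Split a PEM bundle into $WORK/part-N.pem files and print how many certificates it held.
split_bundle() {
  rm -f "$WORK"/part-*.pem
  awk -v dir="$WORK" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/part-" n ".pem"; inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    END { print n + 0 }' "$1"
}

# Succeeds only if certificate i was issued by certificate i+1 all the way down the
# bundle, i.e. the file is ordered leaf, intermediate(s), root and has at least two certs.
chain_order_ok() {
  n=$(split_bundle "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$WORK/part-$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$WORK/part-$((i + 1)).pem" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
  [ "$n" -ge 2 ]
}

# Pull the chain a live server really sends (needs network, so not called below).
# Usage: served_chain vpn.example.com 10443 > served.pem && chain_order_ok served.pem
served_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

make_test_pki
if verify_leaf_alone; then echo "unexpected: leaf verified without its intermediate"
else echo "leaf alone: verification FAILS (client cannot find the issuer)"; fi
if verify_with_intermediate; then echo "leaf + intermediate: verification OK"; fi
if chain_order_ok "$WORK/bundle.pem"; then echo "bundle.pem: ordered leaf -> issuer -> root"; fi
if chain_order_ok "$WORK/wrong-order.pem"; then :; else echo "wrong-order.pem: not a valid chain order"; fi
```

Run served_chain against the FortiGate's SSL VPN port after applying the setting: if the output holds only one certificate, the imported bundle did not carry the intermediate, and no client-side trust in the root will fix that.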
2. Forcing a certificate chain in SSL/SSH Inspection:
For deep inspection profiles, FortiGate uses a CA certificate (with its private key) to re-sign the intercepted server certificates. Ensure this CA certificate is correctly chained.

Steps:

Go to System -> Certificates -> CA Certificates.
If the re-signing CA is itself issued by a non-root CA, import its issuing intermediate and root CA certificates as well.
Go to Security Profiles -> SSL/SSH Inspection.
Edit the deep inspection profile (the predefined deep-inspection profile is read-only, so clone it or use a custom profile).
Under CA Certificate, select the certificate the FortiGate has to use for re-signing.
Again, make sure the full chain is included in the CA import (not just the issuing certificate) if the clients require chain validation: a client accepts the re-signed certificates only if it can link the re-signing CA back to a root it already trusts.
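The CLI equivalents of both GUI selections, given here as an added example rather than text from the article. The certificate names (vpn.example.com, Example_Issuing_CA) and the profile name custom-deep-inspection are assumed; the names must match what System -> Certificates shows.

```fortios
# SSL VPN: present the imported local certificate (and the chain it was imported with)
config vpn ssl settings
    set servercert "vpn.example.com"
end

# Deep inspection: re-sign intercepted certificates with the chosen CA
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set server-cert-mode re-sign
        set caname "Example_Issuing_CA"
    next
end

# Confirm what is in effect and which certificates are present
show vpn ssl settings | grep servercert
show firewall ssl-ssh-profile custom-deep-inspection
show vpn certificate local
show vpn certificate ca
```

Changing caname takes effect for new sessions only; clients that already hold a cached re-signed certificate keep using it until the session ends.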