Description
This article describes the options available on FortiGate for handling an untrusted SSL certificate.
Scope
All FortiOS versions.
Solution
When FortiGate cannot successfully verify the server certificate (for example: untrusted root CA, expired certificate, self-signed certificate), the following options are available on FortiGate to handle this situation:
1) Allow -> When FortiGate detects an untrusted SSL certificate in the Server Hello, it generates a temporary certificate signed by the built-in 'Fortinet_CA_Untrusted' certificate.
This temporary certificate is then sent to the client browser, which results in a warning to the user that the site is untrusted.
The CA certificate used can be changed only via the CLI, as below:
# config firewall ssl-ssh-profile
edit <>
set caname "Fortinet_CA_SSL" --> Used when FortiGate can verify the server certificate.
set untrusted-caname "Fortinet_CA_Untrusted" --> Change this to the certificate that should be used for untrusted connections.
next --> Saves the profile entry.
end
2) Ignore -> No change in behavior compared to a trusted SSL certificate.
FortiGate uses the default caname 'Fortinet_CA_SSL' to create the temporary certificate.
3) Block -> FortiGate blocks the connection if the server certificate cannot be verified.
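As an added example (not part of the Fortinet article), the following Python audit walks a FortiOS configuration backup and rates each ssl-ssh-profile by how it treats a server whose certificate FortiGate cannot verify: Block is fine, Allow keeps the browser warning only while untrusted-caname differs from caname, and Ignore (or Allow with both names set to the same CA) hands the client a trusted-looking certificate for an unverifiable server. The action key name (`untrusted-server-cert`, or `untrusted-cert` in older releases) is assumed from the CLI rather than taken from this article, and the sample configuration is constructed.

```python
import shlex

# Constructed FortiOS config dump used as sample input (not taken from a real device).
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "same-ca"
        set untrusted-caname "Fortinet_CA_SSL"
        config https
            set untrusted-server-cert allow
        end
    next
    edit "strict"
        config https
            set untrusted-server-cert block
        end
    next
end
"""
# Key name differs by FortiOS release; both spellings are checked (assumption, not from the article).
UNTRUSTED_KEYS = ("untrusted-server-cert", "untrusted-cert")

def parse_profiles(text):
    """Walk config/edit/set/next/end; return {name: {key: value, 'https': {key: value}}}."""
    profiles, stack, name = {}, [], None
    for tok in filter(None, (shlex.split(line) for line in text.splitlines())):
        if tok[0] == "config":            # opens the table or a nested sub-table such as https
            stack.append(tok[-1])
        elif tok[0] == "edit":
            name, profiles[tok[1]] = tok[1], {}
        elif tok[0] == "set" and name:
            tbl = profiles[name] if stack[-1] == "ssl-ssh-profile" else profiles[name].setdefault(stack[-1], {})
            tbl[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            name = None
        elif tok[0] == "end":
            stack.pop()
    return profiles

def rate(cfg):
    """Rate one profile's handling of a server certificate FortiGate cannot verify."""
    action = next((v for k, v in cfg.get("https", {}).items() if k in UNTRUSTED_KEYS), "unset")
    ca = cfg.get("caname", "Fortinet_CA_SSL")                    # FortiOS defaults when unset
    uca = cfg.get("untrusted-caname", "Fortinet_CA_Untrusted")
    if action == "block":
        return "ok: connection blocked"
    if action == "ignore" or (action == "allow" and uca == ca):
        return f"high: re-signed by trusted {ca}, browser warning lost"
    if action == "allow":
        return f"medium: re-signed by {uca}, browser warns the user"
    return f"review: action '{action}'"
```

Run `rate()` over `parse_profiles(open("backup.conf").read())` to list the profiles that need attention; the sample's "same-ca" profile is rated high because Allow with untrusted-caname set to Fortinet_CA_SSL suppresses the warning the option is meant to produce.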
Copyright 2024 Fortinet, Inc. All Rights Reserved.