onunez
Staff
Article Id 193274

Description

 
This article describes the general process of downloading a Certificate Authority (CA) certificate from FortiGate and installing it on an Android smartphone client. This process would need to be done if FortiGate was performing SSL Deep Inspection on the Android device's web traffic.
 
For example, the Android device might connect to a wireless network with the FortiGate acting as the default gateway to the Internet. If FortiGate is performing Web Filtering with SSL Deep inspection, then the Android client will see certificates for their intended websites that are signed by FortiGate's CA certificate.
 
However, the CA certificate presented by FortiGate is unlikely to be automatically trusted by the Android client, and so the web browser on the Android client will show an SSL/TLS warning to the user (e.g. an error stating 'Untrusted security certificate').

Scope
 
FortiGate, Android smartphones.


Solution

 

It is important to establish that this is expected behavior. If any TLS client (e.g. Windows, Android, iOS, etc.) is presented with a certificate signed by a Certificate Authority that it does not recognize, it will issue a warning to the user. To stop these warnings from being issued, the Android client must have the CA certificate installed in its certificate store so that it recognizes the CA as a trusted root certificate authority.

 

With that in mind, the first step is to download the CA certificate used by FortiGate as a file, then the next step is to install this certificate file to the Android smartphone:

 

Downloading the CA Certificate from FortiGate using the Web GUI.
 
In the FortiGate web GUI, download the CA certificate from one of two places:
 
Option 1: Download from the SSL Deep Inspection profile configuration page.
 
  1. Go to Security Profiles -> SSL/SSH Inspection, then locate and edit the SSL Deep Inspection profile that has been assigned to the Firewall Policies.
  2. In the configuration page for the SSL profile, locate the SSL Inspection Options section, then the CA certificate line.
  3. Select the Download button to download the CA certificate specified for that SSL profile.

[Image: CertificateDownload_SSLProfile.png]

 

Option 2: Download from the Certificates page directly

 

  1. If the name of the CA certificate on the FortiGate is known, go to System -> Certificates to download the certificate directly.
  2. Select the CA certificate used by the SSL Deep Inspection profile, then select the Download button in the top navigation bar.

[Image: CertificateDownload_SystemCertificate.png]

 

In either case, download the CA certificate as a .cer file to the local workstation (or directly to the Android smartphone, if administrative access to the FortiGate is available from the smartphone).
 
Downloading the CA Certificate from FortiGate using the CLI.
 
  1. Open the FortiGate CLI (either in the Web GUI or via SSH) and run the following command:
 
show full vpn certificate local <name of CA certificate>
 
  2. Locate the set certificate option in the output, then highlight the entire contents (i.e. everything within the quotes, but not the quotation marks themselves). The contents should start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  3. Copy these contents and paste them into the desired text editor, then save the file with a .cer file extension (make sure that the text editor does not append a different file extension to the file).
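As an added example (not part of the Fortinet article), the following Python script automates the copy-and-save steps of the CLI procedure: it pulls the certificate block out of `show full vpn certificate local` output, skips the private-key entry that the same output prints, checks that the PEM body decodes to DER, and writes a .cer file. The sample CLI output and its base64 body are constructed for the example and are not a real FortiGate certificate.

```python
import base64
import re
from pathlib import Path

# Constructed sample of "show full vpn certificate local <name>" output.
# The base64 body is a short dummy, not a real certificate, so it is only
# structurally valid (it decodes to bytes beginning with a DER SEQUENCE tag).
SAMPLE_CLI_OUTPUT = '''config vpn certificate local
    edit "Fortinet_CA_SSL"
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
DUMMY-KEY-MATERIAL-NOT-A-REAL-KEY
-----END ENCRYPTED PRIVATE KEY-----
"
        set certificate "-----BEGIN CERTIFICATE-----
MIIDATCCAemgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwDQYJKoZIhvcNAQEL
BQAwEzERMA8GA1UEAwwIRm9ydGlUZXN0
-----END CERTIFICATE-----
"
    next
end
'''

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def extract_ca_certificate(cli_output: str) -> str:
    """Return the PEM block from the 'set certificate' entry, one line per row.

    Only the certificate is taken: the 'set private-key' block in the same
    output is deliberately ignored so key material never lands in the .cer.
    """
    match = re.search(r'set certificate\s+"(.*?)"', cli_output, re.DOTALL)
    if not match:
        raise ValueError("no 'set certificate' entry found in CLI output")
    # Some firmware prints literal \n sequences instead of real line breaks.
    raw = match.group(1).replace("\\n", "\n")
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("certificate text is not a complete PEM block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded certificate is not a DER SEQUENCE")
    return "\n".join(lines) + "\n"

def write_cer(pem: str, path: str) -> Path:
    """Write the PEM text to a .cer file, forcing the extension the article asks for."""
    out = Path(path).with_suffix(".cer")
    out.write_text(pem, encoding="ascii")
    return out
```

Before copying the .cer to the phone, `openssl x509 -in fortigate_ca.cer -noout -subject -issuer` is a quick way to confirm the file really is the FortiGate CA (subject and issuer match) rather than a server certificate.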
     
     
Install CA Certificate to Android Smartphone.

To complete the installation, the certificate must be added to the device's security credentials. This process may differ depending on the manufacturer of the smartphone, so check online for instructions relevant to the smartphone manufacturer and Android version. For reference, the following steps will use a Google Pixel 6a running Android 14, and it is assumed that the .cer certificate file is already present on the Android device.
 
  1. Open the smartphone's Settings app, then navigate to Security & Privacy -> More security settings -> Encryption & credentials (under the Security sub-heading).

[Image: Android_CA_Cert_Install_01.png]

[Images: Android_CA_Cert_Install_02.png, Android_CA_Cert_Install_03.png, Android_CA_Cert_Install_04.png]
 
  2. Next, select Install a certificate -> CA certificate. Note that a CA certificate is being added in this case to prevent further TLS errors when SSL Deep Inspection is being performed by the FortiGate.
     
  3. A warning message may be presented to explain the possible security concerns of adding a CA certificate. Review the warning, then select Install anyway. If necessary, provide the phone's credentials to proceed.
     
  4. Locate the certificate file in the smartphone's file browser and tap on it. The certificate should install itself in the phone's trusted CA store.
     
  5. To verify, select Trusted Credentials on the Encryption & credentials page, then select the User button. The FortiGate's CA certificate should be displayed, which signifies that the FortiGate CA certificate has been successfully installed on the Android device.
     
    [Images: Android_CA_Cert_Install_05.png, Android_CA_Cert_Install_06.png, Android_CA_Cert_Install_07.png, Android_CA_Cert_Install_08.png]
     
Additional Reading: