FortiGate
esalija (Staff)
Article Id 339878
Description

This article describes how to enable multiple certificates at the SSL profile in replace mode and explains the priority that the certificates take.

Scope

FortiGate.
Solution

FortiGate supports multiple server certificates in a single SSL/SSH inspection profile when the profile is in replace mode ('Protecting SSL Server').

 

Figure 1: Network Diagram

 

  • Example configuration to add 10 certificates to the SSL profile. The option descriptions shown are the CLI help text printed in response to '?':

config firewall ssl-ssh-profile
    set server-cert-mode ?
    re-sign    Multiple clients connecting to multiple servers.
    replace    Protect an SSL server.
    set server-cert-mode replace
    set server-cert ?
    name    Certificate list.
    certificate_1
    certificate_2
    certificate_3
    certificate_4
    certificate_5
    certificate_6
    certificate_7
    certificate_8
    certificate_9
    certificate_10

 

Note: if the message 'Server certificate replace mode cannot support category exempt' appears, follow these steps:

  1. Edit the offending SSL/SSH inspection profile: switch it from 'Protecting SSL Server' to 'Multiple Clients Connecting to Multiple Servers', then remove the FortiGuard categories from the 'Exempt from SSL inspection' list.
  2. Switch the profile back to 'Protecting SSL Server' and select OK.

 

config firewall ssl-ssh-profile
    edit "Multi-cert"
        config https
            set ports 443
            set status deep-inspection
            set quic inspect
        end
        config ftps
            set ports 990
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
            set quic inspect
        end
        set server-cert-mode replace
        set server-cert "certificate_1" "certificate_2" "certificate_3" "certificate_4" "certificate_5" "certificate_6" "certificate_7" "certificate_8" "certificate_9" "certificate_10"
    next
end

Quote each certificate name exactly as it appears under the installed certificates; a stray space inside the quotes produces a name that does not match any installed certificate.

 

  • For the configuration of the firewall policy that uses this SSL profile, refer to the documentation.
  • FortiGate supports a maximum of 10 certificate files in a single SSL profile.
  • If multi-domain certificates are used to serve more than 10 domains in a single SSL profile, only the first 10 certificate files are considered.
  • During the SSL handshake, FortiGate matches the Server Name Indication (SNI) sent by the client against the subject alternative names in these certificates.
  • If the SNI matches any of the alternative names, FortiGate presents the corresponding certificate for the connection.
  • Because the match is made against the alternative names of multi-domain certificates, a single certificate can secure multiple domains.
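The selection behaviour described in the bullets above (only the first 10 certificate files honoured, SNI matched against subject alternative names), modelled as an added Python example. This is not FortiGate code; the certificate names, their SAN lists and the single-label wildcard handling are assumptions constructed for the demonstration, and the whitespace-stripping of configured names only illustrates why a name such as " certificate_2" would never match.

```python
"""Model of how an SSL profile in replace mode picks the server certificate.

Constructed example, not FortiGate code: each certificate is represented only
by its name and its Subject Alternative Names, which is all the selection needs.
"""
from typing import Dict, List, Optional

MAX_CERTS_PER_PROFILE = 10  # limit stated in the article

# Constructed sample inventory: certificate name -> SAN DNS names.
# Eleven certificates on purpose, to show that the eleventh is ignored.
SAMPLE_CERTS: Dict[str, List[str]] = {
    f"certificate_{i}": [f"app{i}.example.com", f"www.app{i}.example.com"]
    for i in range(1, 12)
}
SAMPLE_CERTS["certificate_3"].append("*.svc.example.com")  # assumed wildcard SAN


def _san_matches(san: str, sni: str) -> bool:
    """Case-insensitive DNS-ID comparison.

    Exact matching is the behaviour the article describes; support for a
    single-label wildcard ('*.example.com') is an assumption added here.
    """
    san, sni = san.lower().rstrip("."), sni.lower().rstrip(".")
    if san == sni:
        return True
    if san.startswith("*.") and sni.count(".") == san.count("."):
        return sni.split(".", 1)[1] == san[2:]
    return False


def configured_certs(names: List[str]) -> List[str]:
    """Mimic 'set server-cert ...': strip stray whitespace around each name
    (a space inside the quotes would yield a name no certificate has) and keep
    only the first MAX_CERTS_PER_PROFILE entries."""
    cleaned = [n.strip() for n in names if n.strip()]
    return cleaned[:MAX_CERTS_PER_PROFILE]


def select_cert(sni: Optional[str], names: List[str],
                inventory: Dict[str, List[str]] = SAMPLE_CERTS) -> Optional[str]:
    """Return the first configured certificate whose SANs cover the SNI,
    or None when nothing matches or the client sent no SNI."""
    if not sni:
        return None
    for name in configured_certs(names):
        for san in inventory.get(name, []):
            if _san_matches(san, sni):
                return name
    return None


if __name__ == "__main__":
    cfg = [f"certificate_{i}" for i in range(1, 12)]
    for host in ("app2.example.com", "api.svc.example.com", "app11.example.com"):
        print(f"{host:22} -> {select_cert(host, cfg)}")
```

Running the block shows app11.example.com resolving to None even though certificate_11 exists in the inventory, which is the practical effect of the 10-certificate cap: a domain served by a certificate beyond the tenth entry gets no replacement certificate, so the handshake for that name should be checked after the profile is saved.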

Related document: