FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 270767
Description This article describes the requirements for deep inspection and how to use a private CA for deep inspection.
Scope FortiGate.

Oftentimes it is necessary to implement deep inspection in the environment. The deep inspection profile always requires a certificate to be selected.

Most of the time, the certificate used here is simply a local certificate, containing the private key and public key, of the kind often installed for the SSL VPN.

However, such a certificate cannot be used for deep inspection. It does not even appear as an option to select.

The reason is that this is not the correct type of certificate for deep inspection.

To use a certificate for deep inspection, it must be a private CA. A private CA is a certificate that can issue certificates to others, which is indicated by the extension X509v3 Basic Constraints: CA:TRUE.




To avoid using the Fortinet_CA_SSL certificate, it is possible to install your own Private_CA certificate for the internal network:


  1. On the Domain Controller, install the Windows Certification Authority role. Follow this document: Install the Certification Authority
  2. After the installation, create a certificate authority. In this example, a certificate authority has been created for the domain.
  3. Once done, open Manage Computer Certificates on the Domain Controller, go to Personal -> Certificates and select the CA certificate.
  4. Export this certificate with the private key. The export requires a password: enter one and complete the export.
  5. Log in to FortiGate, go to System -> Certificates, choose the type PKCS#12 and import the certificate using the password chosen for the export.
  6. After the import, the certificate is listed under Local CA Certificate.
  7. It is now possible to select this certificate in the Deep Inspection profile.
  8. If the PC is part of the domain, no certificate warning is shown. In this example, the PC is part of the domain.
  9. When the Fortinet_CA_SSL certificate is used for deep inspection, the certificate warning is shown because that certificate is issued by FortiGate itself.
  10. When the internal certificate was used instead, no warning was received because that certificate is signed by the private CA.
  11. For more information about deep inspection, refer to the following document:


If any issues are experienced, feel free to contact the TAC.


During certificate inspection of blocked websites, users may encounter security warnings regarding the validity of the presented certificates. As outlined in this article, the implementation of a private Certificate Authority (CA) effectively mitigates these warnings, ensuring a consistent and secure user experience.