It is often necessary to implement a deep inspection of the Environment. In the deep inspection profile, there is always a requirement to select a certificate.

Most of the time, the certificate that is used here is simply a Local certificate which contains the private key and public key that are often installed for the SSL VPN.

However, this certificate will not be able to be used for the deep inspections. It will not even be possible to see the option to select those certificates.

The reason for this is that this is not the correct type of certificate needed for the deep inspection.

In order to use the certificate for the deep inspection the type of the certificate needs to be private CA. A private CA is the type of certificate that can issue a certificate to others. The X509v3 Basic Constraints CA: True.

The same info can be found under the details of the certificate by opening the certificate on pc before uploading it. The subject type under basic constraints should be 'CA', as shown in the following example:

To not use the Fortinet_CA_SSL certificate, it is possible to install the own Private_CA certificate for the internal network:

1. On the Domain controller, it is possible to install the Windows certificate authority. Follow the following document: Install the Certification Authority
2. After the installation, it is possible to create a certificate authority. A certificate authority has been created for this domain. 

3. Once Done, it is possible to import this certificate from the Domain controller from the Manage Computer Certificate -> Personal Certificate and select the certificate.

4. Export this certificate with the private key. It will require a password. Put the password and export this.

5.  After this, Login to FortiGate, go to the System -> Certificate, and then choose type PKCS#12. Import the certificate and use the password used for export.

6. After the import, the certificate will be visible under the Local CA Certificate.

7. Now, it is possible to use this certificate for the Deep inspection Profile.
8. If the PC is part of the Domain, the certificate warning will not be visible. For instance, in this example, the PC is part of the Domain.

9. When the Fortinet_CA_SSL certificate is used for the Deep inspection, the certificate warning is visible because that certificate is issued by FortiGate.

10. However, when the internal certificate was used for deep inspection, no warning was received because this certificate was signed by the Private CA.

11. For more information about deep inspection, refer to Deep inspection - FortiGate 7.4.0 administration guide.

Note:

Make sure to apply UTM security profiles in the matching policy for the SSL deep inspection to work and replace the web server certificate with the CA certificate in the end user machine.

If any issues are experienced, feel free to contact the TAC team.