rtanagras
Staff & Editor
Article Id 370194
Description This article describes the limitations of using Let's Encrypt certificates for SSL/TLS inspection on FortiGates.
Scope FortiGate.
Solution

FortiGate can obtain Let's Encrypt certificates to secure web applications it serves. However, these certificates are not suitable for certificate inspection, deep inspection, or SSL/TLS decryption.


This is because Let's Encrypt issues server (end-entity) certificates, not CA certificates. For SSL/TLS inspection the FortiGate must decrypt the session and re-encrypt it toward the client with a certificate it signs on the fly for each inspected site, and only a CA certificate with its private key can sign certificates. The certificate used for this must carry the Basic Constraints extension with CA set to TRUE, which is typically achieved with a self-signed CA certificate generated by tools such as Windows AD CS, XCA, or OpenSSL.
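The following script is an added example and not part of the Fortinet article. It uses OpenSSL to generate two self-signed certificates from a constructed configuration, one with Basic Constraints CA:TRUE (the kind an inspection CA needs) and one shaped like an ordinary server certificate such as Let's Encrypt issues, and then checks each for the CA flag and the Certificate Sign key usage. The file names, subject names and WORKDIR location are assumptions for the example; the same check can be run against any PEM certificate you intend to upload to the FortiGate.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): build a private CA and a
# server certificate with OpenSSL, then verify which one can sign certificates.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory

# Constructed OpenSSL config with two extension profiles.
write_config() {
  cat > "$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# make_cert NAME SECTION: self-signed RSA-2048 certificate using the
# extension section SECTION, written to $WORKDIR/NAME.pem and NAME.key.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORKDIR/openssl.cnf" -extensions "$2" \
    -subj "/CN=$1" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" 2>/dev/null
}

# is_ca_cert FILE: succeeds only if Basic Constraints says CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# can_sign_certs FILE: succeeds only if Key Usage includes Certificate Sign.
can_sign_certs() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Key Usage' | grep -q 'Certificate Sign'
}

# report FILE: one-line verdict on whether FILE is usable as an inspection CA.
report() {
  if is_ca_cert "$1" && can_sign_certs "$1"; then
    echo "$1: CA certificate, usable for SSL/TLS inspection"
  else
    echo "$1: server certificate only, NOT usable for inspection"
  fi
}

write_config
make_cert inspection-ca v3_ca
make_cert web-server v3_server
report "$WORKDIR/inspection-ca.pem"
report "$WORKDIR/web-server.pem"
```

Run the `report` function against the certificate you plan to upload; a Let's Encrypt certificate will report as server-only because its Basic Constraints extension is CA:FALSE and its key usage lacks Certificate Sign, which is exactly why the FortiGate cannot use it to resign inspected sessions.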




Public CAs such as GoDaddy, DigiCert, GeoTrust, GlobalSign, etc., do not issue CA certificates to customers, because a CA certificate chaining to a publicly trusted root could be used to sign certificates for any domain, which would pose a security risk.

