FortiGate
fropert_FTNT
Staff
Article Id 192405

Description

 

This article describes how FortiGate products support SSL inspection. For security reasons, the CA certificate used for SSL inspection should be unique to each FortiGate deployment; the MITRE Corporation has recorded this issue as CVE-2012-4948.

 

Scope

 

FortiGate.


Solution

 

To regenerate the default SSL inspection CA certificate, and thereby guarantee that the Fortinet_CA_SSLProxy CA certificate is unique to this FortiGate, execute the following command:

FortiGate # exec vpn certificate local generate default-ssl-ca

Once the command completes, the following commands confirm that the default CA certificate has been regenerated:

FortiGate # config vpn certificate ca
FortiGate (local) # edit Fortinet_CA
FortiGate (Fortinet_CA_SSLProxy) # get

name                : Fortinet_CA
ca                  :
        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-ca2, emailAddress = support@fortinet.com
        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-ca2, emailAddress = support@fortinet.com
        Valid from:  2016-06-06 20:27:39  GMT
        Valid to:    2056-05-27 20:27:39  GMT
        Fingerprint: 40:AF:CC:2D:08:D5:E7:51:57:FE:E3:EB:EF:73:E0:A9:0E:04:00:56:3D:6F:94:0C:5E:BE:E8:0D:D4:FF:54:05
        Root CA:     Yes
        Version:     3
        Serial Num:
                00
        Extensions:
                Name:     X509v3 Subject Key Identifier
                Critical: no
                Content:
                A3:31:AF:A3:48:EE:A1:E2:5F:B1:F2:FD:D6:FB:41:48:50:1B:3A:75

                Name:     X509v3 Authority Key Identifier
                Critical: no
                Content:
                A3:31:AF:A3:48:EE:A1:E2:5F:B1:F2:FD:D6:FB:41:48:50:1B:3A:75

                Name:     X509v3 Basic Constraints
                Critical: yes
                Content:
                CA:TRUE

                Name:     X509v3 Key Usage
                Critical: yes
                Content:
                Digital Signature, Certificate Sign, CRL Sign

range               : global
source              : factory
ssl-inspection-trusted: enable
scep-url            :
est-url             :
source-ip           : 0.0.0.0
ca-identifier       :


Another solution is to import the user's own CA certificate into FortiOS and use it for SSL inspection. The steps to create a CA certificate with a Microsoft CA and import it for deep packet inspection are described in the articles 'Microsoft CA deep packet inspection' and 'Technical Tip: How to import the CA certificate for full SSL inspection'.

The selection of the appropriate CA certificate can be performed via GUI or using the following CLI commands:

Multiple CA certificates can be configured, one per SSL/SSH inspection profile:

config firewall ssl-ssh-profile
  edit "web"
    set caname
  next
end

Multiple CA certificates can be configured, one per proxy options profile:

config firewall deep-inspection-options
  edit "web"
    set caname
  next
end

One CA certificate is used for all inspected traffic:

config firewall ssl setting
  set caname
end


The Fortinet_CA_SSL certificate can be deployed to browsers so that it is recognized as a trusted certificate authority. It can be exported to a remote TFTP server with the following CLI command:

exec vpn certificate local export tftp Fortinet_CA_SSL Fortinet_CA_SSL.cer 192.168.1.1

It is also exportable from the local certificates GUI menu. If 'certificates' is not shown in the GUI, enable it under feature visibility: System -> Feature Visibility -> Certificates:

The FortiGate CA certificate used for SSL inspection can be imported into any browser from the Fortinet_CA_SSL.cer file. Import instructions are available in the browser's help documentation.
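As an added example that is not part of this article or of FortiOS: once each FortiGate's exported Fortinet_CA_SSL.cer file has been collected under its device name, the Python script below computes the SHA-256 fingerprint of each CA in the same colon-separated form as the 'get' output above and reports any fingerprint shared by more than one device, which is the reuse condition behind CVE-2012-4948. The device names and export contents embedded here are constructed placeholders, not real certificates.

```python
"""Fleet check: find FortiGates whose exported SSL inspection CA is identical.
Two devices with the same CA certificate also share its private key, so a
shared fingerprint is the condition this article tells you to avoid."""
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of the first certificate in a PEM or DER file."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data

def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER, printed colon-separated like FortiOS does."""
    digest = hashlib.sha256(cert_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def shared_cas(exports: dict) -> dict:
    """Map each fingerprint used by more than one device to those devices."""
    by_fp = defaultdict(list)
    for device, data in exports.items():
        by_fp[fingerprint(data)].append(device)
    return {fp: sorted(devs) for fp, devs in by_fp.items() if len(devs) > 1}

def _pem(der: bytes) -> bytes:
    body = base64.encodebytes(der)  # wraps at 76 columns like a real PEM body
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

# Constructed stand-ins for exported Fortinet_CA_SSL.cer files: the byte
# strings are placeholders, not real certificates, so the check runs offline.
SAMPLE_EXPORTS = {
    "fgt-branch-1": _pem(b"\x30\x82\x01\x00" + b"factory-ca" * 30),
    "fgt-branch-2": _pem(b"\x30\x82\x01\x00" + b"factory-ca" * 30),  # same CA as branch-1
    "fgt-hq":       _pem(b"\x30\x82\x01\x00" + b"regenerated-ca" * 20),
}

if __name__ == "__main__":
    for fp, devices in shared_cas(SAMPLE_EXPORTS).items():
        print(f"shared SSL inspection CA {fp} on: {', '.join(devices)}")
```

Point the script at the real exports and compare any reported fingerprint with the 'Fingerprint:' line from the affected unit's 'get' output.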
 
To renew built-in Fortinet certificates, refer to this KB article: Technical Tip: Renew Certificate Expired on FortiGate