duenlim
Staff
Article Id 213698
Description

This article describes SSL Full Inspection on FortiProxy using a certificate issued by a Microsoft CA.

Scope

The purpose of this article is to provide the steps to request a certificate from an internal Microsoft Certificate Authority and import it correctly into a FortiProxy for use in SSL full inspection (interception).

 

This is for outbound SSL deep inspection:

 

Client Machine -> FortiProxy -> Internet 

Solution

1) Go to System -> Certificates and select '+Generate', which opens the 'Generate Certificate Signing Request' page.

 

Create a CSR to be signed by the Microsoft CA using the 'Subordinate Certification Authority' template.

 


 

Note.

Make sure to specify the IP address of the FortiProxy in the 'IP' field in normal format and in 'Subject Alternative Name' in the form IP:10.176.2.91

If 'Domain Name' is used instead, specify the same FQDN in 'Subject Alternative Name' in the correct format 'DNS:FQDN', for example:

 

DNS:FortiProxy.domain.local

 

2) The CSR is created and appears in the certificate view with 'Pending' status. Download the CSR to a location from which it can be signed by the Microsoft CA.

 


 

3) Use certreq.exe on the Windows 2016 CA to sign the FortiProxy CSR. The same CSR can also be enrolled through the CA web enrollment UI, e.g. http://server/certsrv

 

# C:\>certreq -submit -attrib "CertificateTemplate:SubCA" FortiProxy.csr

Active Directory Enrollment Policy

  {85D8B4CE-605E-42C9-A91B-F980E1E5AB50}

  ldap:

RequestId: 24

RequestId: "24"

 

Certificate retrieved(Issued) 

 

Note.

The Certification Authority List dialog is then prompted. Select the CA, then save the signed *.cer file. As an example, save it as SubCA_FortiProxy.cer
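Before importing the signed .cer in the next step, it is worth confirming that the CA really issued a subordinate CA certificate (the SubCA template sets basicConstraints CA:TRUE and keyUsage keyCertSign) and that the SAN entered in the CSR survived; a certificate issued from a leaf template (e.g. Web Server) imports fine but cannot re-sign anything. The following Python check is an added example, not part of this article or of Fortinet's tooling; it uses the pyca/cryptography library, and the `issue()` helper only builds constructed self-signed test certificates so the check can be run offline:

```python
# Added example (not from the Fortinet article). FortiProxy can only re-sign server
# certificates when the imported certificate is itself a CA certificate (SubCA template).
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def check_resign_cert(cert_pem: bytes, expected_sans: set) -> dict:
    """Report whether a certificate is fit for SSL full inspection (re-signing)."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    findings = {"is_ca": False, "can_sign_certs": False, "san_ok": False}
    try:  # basicConstraints CA:TRUE is what a SubCA-template certificate carries
        bc = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
        findings["is_ca"] = bool(bc.value.ca)
    except x509.ExtensionNotFound:
        pass
    try:  # keyUsage must permit signing certificates, not only TLS server auth
        ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
        findings["can_sign_certs"] = bool(ku.value.key_cert_sign)
    except x509.ExtensionNotFound:
        pass
    try:  # SAN must still carry the DNS: or IP: value entered in the CSR
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        names = set(san.value.get_values_for_type(x509.DNSName))
        names |= {str(ip) for ip in san.value.get_values_for_type(x509.IPAddress)}
        findings["san_ok"] = expected_sans <= names
    except x509.ExtensionNotFound:
        pass
    findings["ok"] = all(findings.values())
    return findings


def issue(subject_cn: str, ca: bool) -> bytes:
    """Constructed test data: a self-signed cert shaped like a SubCA (ca=True) or a leaf."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = datetime.now(timezone.utc)
    usage = x509.KeyUsage(digital_signature=True, content_commitment=False,
                          key_encipherment=not ca, data_encipherment=False, key_agreement=False,
                          key_cert_sign=ca, crl_sign=ca, encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(usage, critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(subject_cn)]), critical=False)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)
```

To check a real issued file, read SubCA_FortiProxy.cer (PEM) and pass its bytes to check_resign_cert together with the DNS name or IP address used in the CSR; any False entry in the result means the template or SAN needs correcting before the import.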

 

 

4) Go back to the FortiProxy UI: System -> Certificates -> Import -> Certificate -> Import Certificate, and select Upload.

 

Select SubCA_FortiProxy.cer to upload. Once done, refresh the web UI to see the imported certificate.

 


 

5) In the web UI, go to Security Profiles -> SSL/SSH Inspection and edit 'custom-deep-inspection'.

The FortiProxy certificate is now listed and can be selected.

 


 

Note.

Remember to download the certificate and import it into the user machine's browser or into the Trusted Root Certification Authorities store.

 

6) The browser may show 'The issuer of this certificate could not be found' when accessing any HTTPS website. This normally happens on a standalone machine or one without PKI infrastructure, where the root CA certificate is not yet trusted.

 

 


 

 

To resolve 'The issuer of this certificate could not be found', export the Root Certification Authority certificate and import it into the Windows machine's browser or Trusted Root Certification Authorities store.

 

7) Once the CA certificate is added to Trusted Root Certification Authorities, HTTPS websites display properly and the certificate shows 'The certificate is OK'.

 


 

Refer to: 

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/export-root-certification-auth... - Export Root Certificate Authority Certificate

 

# certutil -ca.cert ca_name.cer

 

Note.

This guideline is based on a Windows 2016 Enterprise CA server and was tested with FortiProxy 2.x and 7.0.x. It also works for FortiGate firewalls for outbound SSL deep inspection.

The certificate cannot be purchased from a public CA (GoDaddy, Verisign, DigiCert, etc.), since a public CA will not issue a subordinate CA certificate for re-signing other sites' certificates. Refer to https://kb.fortinet.com/kb/documentLink.do?externalID=FD38641
