Created on 07-13-2010 12:17 AM Edited on 06-02-2022 09:51 AM By Anonymous
Description
This article describes how to observe and troubleshoot server certificate verification during SSL inspection, using the fnbamd debug output on the FortiGate and openssl verify off-box.
Solution
# diagnose debug application fnbamd -1
# diagnose debug enable

Start auth_cert: groups(0): ip:
cert subject: C = CA, ST = British Columbia, L = Burnaby, O = Fortinet Technologies Canada Inc., OU = Customer Support, CN = support.fortinet.com
cert issuer: C = US, O = "Entrust, Inc.", OU = AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE, OU = CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY, OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2008 Entrust, Inc.", CN = Entrust Cert
auth_cert succeed: group='', user=''
The "auth_cert succeed" line at the end of this output is the verification result. In this example it shows that the server certificate chained to a trusted issuer and was accepted as valid.
# diagnose debug application fnbamd -1
# diagnose debug enable

Start auth_cert: groups(0): ip:
cert subject: OU = Test dept, CN = test.example.com
cert issuer: OU = Test dept, CN = test.example.com
client cert expired
quick_check_cert failed
In this case the certificate has already expired ("client cert expired", followed by "quick_check_cert failed"). The FortiGate treats it as an invalid certificate and fails the SSL session.
The SSL proxy test menu is available with:

# diagnose test application ssl 0

SSL Proxy Test Usage
 1: Dump Memory Usage
 2: Drop all connections
 3: Display PID
 4: Display connection stat
 5: Toggle AV Bypass mode
44: Display info per connection
11: Display connection TTL list
12: Clear the SSL certificate cache
13: Clear the SSL session cache
99: Restart proxy
The same check can be reproduced off-box with openssl verify. A certificate that chains to the CA in Fortinet_CA.cer verifies OK:

$ openssl verify -CAfile Fortinet_CA.cer fmg.fortinet.com.pem
fmg.fortinet.com.pem: OK

A self-signed FortiGate certificate is not issued by that CA, so the lookup reports error 18 (self signed certificate):

$ openssl verify -CAfile Fortinet_CA.cer FG200B3909600933.crt
FG200B3909600933.crt: /CN=FG200B3909600933/O=Fortinet Ltd.
error 18 at 0 depth lookup:self signed certificate
OK

The trailing "OK" is printed by older OpenSSL releases even after a reported error, because the verify callback continues after printing it; the "error 18" line is the result that matters.
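The three outcomes shown above (a certificate that chains to the trusted CA, a certificate that has expired, and a self-signed certificate not issued by the CA) can be reproduced on any host with openssl, without a FortiGate. The following script is an added example and is not part of the Fortinet article: it builds a throwaway test CA and two test certificates (constructed data, valid only in a temporary directory), then runs openssl verify against each. The expiry case uses the -attime option of openssl verify to evaluate the chain at a future time, which is an assumption of this example rather than a step from the article.

```shell
#!/bin/sh
# Added example (not from the Fortinet article). Builds a throwaway PKI in a
# temporary directory and reproduces the three openssl verify outcomes that the
# article's debug output illustrates: valid, expired, and self-signed.

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Generate the constructed test material: a CA valid for one year, a leaf
# certificate issued by that CA valid for only 30 days, and a self-signed
# certificate that was never issued by the CA.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Example Test Dept/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/OU=Test dept/CN=test.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/leaf.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=selfsigned.example.com" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# verify_cert CA_FILE CERT_FILE [EPOCH_SECONDS]
# Prints "valid" and returns 0 when the chain verifies; otherwise prints the
# reason from the "error N at D depth lookup:" line (for example
# "certificate has expired") and returns 1. The optional third argument is
# passed to openssl verify -attime so the chain is checked as of that time.
verify_cert() {
  ca=$1
  leaf=$2
  at=${3:-}
  if [ -n "$at" ]; then set -- -attime "$at"; else set --; fi
  if out=$(openssl verify "$@" -CAfile "$ca" "$leaf" 2>&1); then
    echo "valid"
    return 0
  fi
  # Old releases print "lookup:reason", newer ones "lookup: reason".
  echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  return 1
}

# report LABEL CA_FILE CERT_FILE [EPOCH_SECONDS]: one line per case.
report() {
  label=$1
  shift
  result=$(verify_cert "$@") || true
  printf '%-34s %s\n' "$label:" "$result"
}

make_test_pki
# 60 days from now: the leaf (30 days) has expired, the CA (365 days) has not.
LATER=$(( $(date +%s) + 60 * 86400 ))
report "CA-signed leaf, checked now" "$WORK/ca.pem" "$WORK/leaf.pem"
report "CA-signed leaf, checked in 60 days" "$WORK/ca.pem" "$WORK/leaf.pem" "$LATER"
report "Self-signed cert, not issued by CA" "$WORK/ca.pem" "$WORK/self.pem"
```

Run it as `sh verify-demo.sh`. The second line corresponds to the article's "client cert expired / quick_check_cert failed" case and the third to the "error 18 ... self signed certificate" case; the reason text differs slightly between OpenSSL 1.1 ("self signed") and 3.x ("self-signed"), which is why the parsing in verify_cert keeps the whole reason string rather than matching an error number.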
Copyright 2024 Fortinet, Inc. All Rights Reserved.