Install CA certificate for ssl inspection doesn't work

helenio_sartori · ‎11-04-2021

Hello,

I'd like to use our Public Certificate (Signed by a public CA) to use in the ssl inspection profile.

I followed the instruction here https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/518006/using-a-ca-signed-certificate.

Here the situation on certificate:

But as you can see below I'm not able to select my certificate, the only I can see is the Fortinet_CA_SSL.

Why ?

Thank you in advance ...

Julien87 · ‎11-05-2021

Hello, it is not possible to use the classic PUBLIC certificate, because it must be able to decrypt and re-encrypt the content. it is a certificate issued to the certification authorities. You can use a private certificate delivered by your infrastructure pki.

On the other hand, in Fortinet equipment, by default there is a certificate which can be used for this. This certificate can be downloaded and then distributed to computers by script or gpo.

Best regards,

Julien

emnoc · ‎11-05-2021

If you certificate does not have CA:TRUE than it is not useable.

example

openssl x509 -in mycertpublic.crt -text -noout

Or open it in a browser or keystore and check the certificate details.


http://socpuppet.blogspot.com/2016/10/a-quick-and-sure-to-know-if-ssl.html

Ken Felix

PCNSE

NSE

StrongSwan