Fortinet Forum
Fortiuser
New Contributor

Root-CA Import for SSL-Inspection

Hi all,

we have enabled deep SSL-Inspection on an FG100D cluster. Everything works fine by now, except full validation of certificates presented by the remote server. For example, all self-signed certificates on remote servers are accepted by Fortigate, because there is no issuer validation (try with the test on https://filippo.io/Badfish/). I found the CLI setting "ssl-ca-list", which should solve this problem by verifying server certificates against the stored CA cert list in Fortigate. But - how can I import ANY trusted Root-CA certs into Fortigate, like browsers have? Is it possible to import a "trusted root-CA package" or something like that? Thank you!

Shawn_W
Contributor

any update?

Jeff_FTNT
Staff

Yes, you can import a CA from the GUI: Certificates -> CA Certificates, thanks.

Fortiuser

Jeff_FTNT wrote:

Yes, you can import a CA from the GUI: Certificates -> CA Certificates, thanks.

Thank you. I know this option in the GUI, but how can I import multiple CAs in one step? For example, when I take a look at the Firefox CA certs, I can see about 290 trusted Root CAs!

Deep SSL inspection with Fortigate is not useful unless I have a possibility to manage my root CAs in a prudent way. And deep inspection without validating the issuer of remote server certs (which is the default setting!) results in vulnerability to man-in-the-middle attacks and non-serious webservers. Please correct me if I am wrong...

Jeff_FTNT
Staff

FGT GUI can import a CA certificate bundle file.

Normally "ssl-ca-list" is disabled by default; there is no need to enable it. You just make your browser trust the CA certificate set as "caname" in the deep scan "ssl-ssh-profile". It is a common use case.

If "ssl-ca-list" is enabled, it will force FGT to check the full certificate chain, so the Root CA certificate will need to be imported into FGT.

Unless you want more checks, disabling "ssl-ca-list" will be good enough. Thanks.

Fortiuser

Jeff_FTNT wrote:

FGT GUI can import ca certificate bundle file.

That was the decisive tip for me! I exported the full CA list from Firefox, merged all .crt files into one big .crt and imported this .crt into Fortigate - done. I know that I have to manage the CA certs in Fortigate myself now, but this is much better than nothing. Thank you Jeff!
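One way to do the merge step described above with a sanity check, as an added example that is not from this thread or from Fortinet: it reads exported PEM .crt files, rejects blocks that are not valid base64 or do not decode to a DER SEQUENCE, drops duplicates by SHA-256 fingerprint, and writes one canonically wrapped bundle for import. SAMPLE_A and SAMPLE_B are constructed stand-ins, not real certificates.

```python
import base64
import binascii
import hashlib
import re
import ssl

# One PEM certificate block, the framing used by Firefox exports and typical .crt files.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _der_well_formed(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE (tag 0x30) whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        header, body_len = 2, der[1]
    else:                                   # long-form: next n bytes carry the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body_len == len(der)

def extract_certs(pem_text: str) -> list:
    """Return the DER bytes of every certificate block in pem_text, rejecting malformed ones."""
    certs = []
    for match in PEM_BLOCK.finditer(pem_text):
        try:
            der = base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"malformed base64 in certificate block: {exc}") from exc
        if not _der_well_formed(der):
            raise ValueError("certificate block does not decode to a DER SEQUENCE")
        certs.append(der)
    return certs

def merge_bundle(pem_texts: list) -> tuple:
    """Merge PEM texts into one bundle, deduplicated by SHA-256 of the DER; returns (bundle, fingerprints)."""
    seen = {}
    for text in pem_texts:
        for der in extract_certs(text):
            seen.setdefault(hashlib.sha256(der).hexdigest(), der)
    # Re-wrap every certificate to canonical 64-column PEM so source formatting does not matter.
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in seen.values()), list(seen)

# Constructed stand-ins (a SEQUENCE wrapping one INTEGER), not real X.509 certificates;
# the parsing and dedup logic is the same for genuine root CA exports.
SAMPLE_A = ssl.DER_cert_to_PEM_cert(b"\x30\x03\x02\x01\x01")
SAMPLE_B = ssl.DER_cert_to_PEM_cert(b"\x30\x03\x02\x01\x02")
```

To build a bundle from exported files, pass their contents as `merge_bundle([open(p).read() for p in paths])` and write the returned text to a single .crt for the GUI import.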

AlexFeren
New Contributor III

Fortiuser wrote:
I know, that I have to manage the CA-certs in Fortigate by myself now...
You'd know our local CAs, but what about public CAs? Would you have copied Root Certificates from Windows certmgr.msc's "Trusted Root Certificate Authorities" or Firefox's Certificate store "Authorities"?