Fortinet Forum
damianhlozano
New Contributor III

Use a web server certificate for deep inspection

Hello team!!!


Just a basic question

We have a third-party certificate issued by a trusted certificate authority for our web server.

Is it possible to use the same certificate for doing deep inspection in outgoing FortiGate policies? Is there any requirement for this certificate to work?

What are the steps to import this certificate into a FortiGate on 7.2.1?


Thanks in advance.

Regards,

Damián


1 Solution
abelio
Valued Contributor


damianhlozano wrote:

Is it possible to use the same certificate for doing deep inspection in outgoing FortiGate policies? Is there any requirement for this certificate to work?

Hi

Unfortunately not, you can't use it to do that (no commercially issued certificate can, I guess).

For deep inspection your certificate must have the attribute CA=TRUE or KeyUsage=KeyCertSign.

That certificate allows your FGT to issue certificates (and private keys) on the fly.


regards


__ Abel


4 REPLIES 4
kcheng
Staff

Hi @damianhlozano 


Just like the fact mentioned by abelio, you can't use a web server certificate for deep inspection. The process of deep inspection includes decryption and re-encryption of the packet post content scanning. Hence, it is necessary to equip the certificate with a subCA attribute. You may refer to the documents below for the explanation and steps to generate the certificate if required:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/605938/why-you-should-use-ssl-inspection

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/680736/microsoft-ca-deep-packet-inspecti...

Cheers,
Kayzie Cheng
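The CA:TRUE / keyCertSign requirement described in the two answers above, as an added Go example that is not FortiGate code and not from this thread: it builds two constructed self-signed test certificates, one shaped like a commercial web-server certificate and one shaped like a sub-CA, and reports which of the two requirements each one fails. Subject names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// DeepInspectionCAProblems lists why a certificate cannot act as the resigning CA
// for deep inspection: it needs basicConstraints CA:TRUE and keyUsage keyCertSign.
func DeepInspectionCAProblems(c *x509.Certificate) []string {
	var problems []string
	if !c.BasicConstraintsValid || !c.IsCA {
		problems = append(problems, "basicConstraints is not CA:TRUE")
	}
	if c.KeyUsage&x509.KeyUsageCertSign == 0 {
		problems = append(problems, "keyUsage lacks keyCertSign")
	}
	return problems
}

// MakeSelfSigned builds a constructed self-signed test certificate: isCA=false mimics
// a commercial web-server certificate, isCA=true mimics a sub-CA fit for deep inspection.
func MakeSelfSigned(cn string, isCA bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The same check can be run against a real certificate by loading it with x509.ParseCertificate instead of MakeSelfSigned.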
damianhlozano
New Contributor III

Thanks for the information guys!!!


sw2090
Honored Contributor

That's also the reason why no commercial certs can be used. There is seemingly no commercial CA out there that would issue you a sub-CA certificate :)


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams