Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Philippe_ASTIER
New Contributor

Wildcard certificate for deep SSL inspection ? How to ???

Hi all,

 

I know this has been debated many times, but still can't solve it.

 

I have a wildcard valid SSL certificate which I try to importe to my FortiGate. Of course, I have all relevant information, including private key.

 

No matter what I do, it gets imported to "Certificates" rather than "Local Certificates". I can use it as my Fortinet certificate, I can use it for VPN SSL, but I can not use it for deep inspection.

 

I'm trying different formats, but the results is always the same. Is there any valid procedure for that? 

1 Solution
emnoc
Esteemed Contributor III

Impossible, you need to deploy a certificate or the web-browser will have cert-issuer errors . If you want MiTM you are forging  certificates on the fly and the CA ( fortigate ) has to be trusted . No way around this.

 

You could also look at explicit proxy but you have to provide the proxy details to the client

 

Ken

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
5 REPLIES 5
Bromont_FTNT
Staff
Staff

Is that wildcard cert also a signing certificate? (CA:TRUE) Unlikely.... You'll need to create your own and import your root/intermediate into your workstations.

Philippe_ASTIER

Well CA:FALSE.... Damn.

 

Let's put it the other way round.

I need to do deep inspection, and can NOT deploy a certificate, as there will be many guests to which I can not deploy it.

 

Any plan for this ?

emnoc
Esteemed Contributor III

Impossible, you need to deploy a certificate or the web-browser will have cert-issuer errors . If you want MiTM you are forging  certificates on the fly and the CA ( fortigate ) has to be trusted . No way around this.

 

You could also look at explicit proxy but you have to provide the proxy details to the client

 

Ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Philippe_ASTIER

Seems totally logical. Explicit Proxy is not a bad idea at all.

 

What should be a solution would be to inspect the traffic, but pass on the original traffic to the client, without reencryption....

 

SecurityPlus

There is not a way on the FortiGate to decrypt/spect the traffic, then if the traffic passes inspection, to pass on the original traffic to the client, without reencryption as Philippe asked above is there?
Labels
Top Kudoed Authors