Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Faulty_Male
New Contributor III

Certificate Problems with SSL/SSH Inspection

We are currently running a pair of FG100c' s in AA HA mode with multiple VDOM' s. We are currently running v5.4. We are having problems with HTTPS traffic, when we enable SSH/SSL inspection all https sites come up with a certificate error. It has been mentioned on the forums the way around this is to install the fortinet cert on every machine however this is not possible with our setup. When we are on v4.x we installed our own public cert and used this without problem however under SSL/SSH inspection there is only the option to select the inbuilt Fortigate certificate. Has anyone else had this issue and is there and fix? Any help would be great.
19 REPLIES 19
vanc
New Contributor II

If you enable deep inspection, you have to face the certificate issue. The only way FGT can inspect SSL/SSH sessions is to replace the server certificates with its own, so that it can intercept the key exchange process. You can buy properly signed certificates from well established CAs, such as VeriSign, or you can create self signed certificates. Either way, you have to install the new certificates on your PCs. If you cannot do that, you have to either let users face certificate errors, or disable the deep inspection altogether.
Faulty_Male
New Contributor III

We already have a certificate which has been installed and works correctly for the administration login (to stop the certificate error). However we do not get the option to select this certificate under the SSL/SSH Inspection section. If we could select our own certificate a suspect this would solve the issue. On v4.x we enabled our certificate globally via the CLI however there does not seem to be this option in 5.4
Faulty_Male
New Contributor III

Is there any way to do https web filtering without SSL/SSH inspection like we could on v4.x?
Dipen
New Contributor III

Hi Doesn' t work for me even on Ver 4.3.x. How were you working with HTTPS Filtering on 4.3.x. Please guide.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

 

Ahead of the Threat. FCNSA v5 / FCNSP v5 Fortigate 1000C / 1000D / 1500D
Faulty_Male
New Contributor III

Just tick the HTTPS scanning option under the web filter profile
Faulty_Male
New Contributor III

I can get this working using the fortinet certificate but when I import our own certificate there is only the fortinet certificate in the drop down box so I cannot select our own one. I have logged a ticket with support and asked for this to be raised as a bug.
Maik
New Contributor II

there are different certificates for different purposes / roles. what a certificates purpose is, is defined as " key usage" for SSL Inspection, the fortigate generates on the fly a new certificate for the website. generating new certificates is the role of a CA. to replace the Fortigate default Certificate you need to import a CA type certificate. making the adressbar " green" when you visited your fortigate admin GUI is a different key usage (Server Authentication). This certificate has been issued by a CA.
theXfactor82

Does your imported Cert even show up in the list within the GUI? Mine said it imported successfully and yet it doesn' t even show up in the list under Local Certificates.
Bromont_FTNT
Staff
Staff

I would be very surprised if a CA issued anyone a key signing certificate, and if they did I would think the major browsers would revoke that CA from the browser store. Best option for PCs in a domain environment is to issue a key signing certificate from your domain controller and use that on the Fortigate for SSL deep inspection. Domain member PCs will trust this certificate, IE and Chrome would not give warnings but Firefox still will.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors