Faulty_Male
New Contributor III

Certificate Problems with SSL/SSH Inspection

We are currently running a pair of FG100Cs in A-A HA mode with multiple VDOMs, on v5.4. We are having problems with HTTPS traffic: when we enable SSL/SSH inspection, all HTTPS sites come up with a certificate error. It has been mentioned on the forums that the way around this is to install the Fortinet cert on every machine; however, this is not possible with our setup. When we were on v4.x we installed our own public cert and used this without problem, but under SSL/SSH inspection there is only the option to select the built-in FortiGate certificate. Has anyone else had this issue, and is there any fix? Any help would be great.
Bromont_FTNT
Staff

Yes, the certificate should show up under local certificates... and if it's a key-signing cert then you should be able to choose it as the CA certificate under the SSL inspection options.
theXfactor82

Has Fortinet gotten back to you on the issue with not being able to select it within the SSL inspection options?
Bromont_FTNT
Staff

If the certificate you import is a server certificate then it won't show up in the SSL inspection options... You must use a key-signing certificate; look at the extensions and see if CA:TRUE or cert signing is present.
pchechani_FTNT

Unless your certificate has the extension below, it will not show up in the SSL/SSH list:

    Extension Name: X509v3 Basic Constraints
    Critical: no
    Content: CA:TRUE

==> this is required when you order or create your own certificate.
-p
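The extension check described in the two replies above, as an added example that is not part of the thread: a small POSIX shell script that inspects a PEM certificate with the openssl CLI (assumed to be OpenSSL 1.1.1 or later) and reports whether it carries Basic Constraints CA:TRUE and, if a Key Usage extension is present, Certificate Sign. It generates its own constructed CA and server certificates to show both outcomes.

```shell
#!/bin/sh
# Added example, not from the forum thread or Fortinet: check whether a PEM
# certificate has the X509v3 extensions a FortiGate needs before it will list
# the cert as an SSL-inspection CA. Assumes the openssl CLI (1.1.1+) is installed.

is_inspection_ca() {
    # $1: path to a PEM certificate. Exit status 0 = usable as a signing CA.
    txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    # Basic Constraints must assert CA:TRUE (leaf certs say CA:FALSE or omit it).
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
    # If a Key Usage extension is present it must permit certificate signing.
    if printf '%s\n' "$txt" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' \
            | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

make_test_certs() {
    # $1: directory. Writes constructed samples: ca.crt (a CA) and server.crt (a leaf).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed Test CA' \
        -keyout "$1/ca.key" -out "$1/ca.crt" \
        -addext 'basicConstraints=critical,CA:TRUE' \
        -addext 'keyUsage=critical,keyCertSign,cRLSign' >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=www.example.test' \
        -keyout "$1/server.key" -out "$1/server.crt" \
        -addext 'basicConstraints=CA:FALSE' \
        -addext 'keyUsage=digitalSignature,keyEncipherment' >/dev/null 2>&1
}

main() {
    dir=$(mktemp -d)
    make_test_certs "$dir"
    for f in ca.crt server.crt; do
        if is_inspection_ca "$dir/$f"; then
            echo "$f: CA:TRUE with certificate signing - usable for SSL inspection"
        else
            echo "$f: not a signing CA - will not appear in the SSL/SSH inspection list"
        fi
    done
    rm -rf "$dir"
}

main
```

Run it against your own exported .crt instead of the constructed samples to see which of the two conditions your certificate fails.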
theXfactor82

CA:TRUE on my cert. It's working on our production 1240B running 4.3.12, but I'm trying to put it on a dev lab 100D running 5.0.4 and it won't show up.
Bromont_FTNT
Staff

Xfactor... when you upload, it says it uploaded successfully, but then do you see it in the local certificates? System ----> Certificates ----> Local Certificates
theXfactor82

Bromont... correct. It says it uploaded successfully but is nowhere to be found. I copied the cert off my domain controller in .p12 format. After using OpenSSL I have two files: one is a .crt, the other a .key.
theXfactor82

Also wanted to point out that these two files uploaded successfully to our prod 3240C running 4.3.12 but not to the dev 100D running 5.0.4. I'm thinking it's something to do with the new firmware.
Bromont_FTNT
Staff

Also, what format is your certificate? pfx, or private key / public cert?
Bromont_FTNT
Staff

It is a bug in 5.0.4, fixed in an interim build, so it will be included in the next release... Can you upload via CLI?

    config vpn certificate local
        edit "DesiredName"
            set private-key "-----BEGIN RSA PRIVATE KEY-----
    MII.......
    ....
    ....
    -----END RSA PRIVATE KEY-----"
            set certificate "-----BEGIN CERTIFICATE-----
    MII.....
    ....
    ....
    -----END CERTIFICATE-----"
        next
    end