- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Certificate Problems with SSL/SSH Inspection
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Certificate Problems with SSL/SSH Inspection
We are currently running a pair of FG100c' s in AA HA mode with multiple VDOM' s. We are currently running v5.4. We are having problems with HTTPS traffic, when we enable SSH/SSL inspection all https sites come up with a certificate error.
It has been mentioned on the forums the way around this is to install the fortinet cert on every machine however this is not possible with our setup.
When we are on v4.x we installed our own public cert and used this without problem however under SSL/SSH inspection there is only the option to select the inbuilt Fortigate certificate.
Has anyone else had this issue and is there and fix? Any help would be great.
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you enable deep inspection, you have to face the certificate issue. The only way FGT can inspect SSL/SSH sessions is to replace the server certificates with its own, so that it can intercept the key exchange process.
You can buy properly signed certificates from well established CAs, such as VeriSign, or you can create self signed certificates. Either way, you have to install the new certificates on your PCs. If you cannot do that, you have to either let users face certificate errors, or disable the deep inspection altogether.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We already have a certificate which has been installed and works correctly for the administration login (to stop the certificate error). However we do not get the option to select this certificate under the SSL/SSH Inspection section.
If we could select our own certificate a suspect this would solve the issue.
On v4.x we enabled our certificate globally via the CLI however there does not seem to be this option in 5.4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any way to do https web filtering without SSL/SSH inspection like we could on v4.x?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Doesn' t work for me even on Ver 4.3.x. How were you working with HTTPS Filtering on 4.3.x.
Please guide.
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just tick the HTTPS scanning option under the web filter profile
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can get this working using the fortinet certificate but when I import our own certificate there is only the fortinet certificate in the drop down box so I cannot select our own one. I have logged a ticket with support and asked for this to be raised as a bug.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
there are different certificates for different purposes / roles.
what a certificates purpose is, is defined as " key usage"
for SSL Inspection, the fortigate generates on the fly a new certificate for the website.
generating new certificates is the role of a CA.
to replace the Fortigate default Certificate you need to import a CA type certificate.
making the adressbar " green" when you visited your fortigate admin GUI is a different key usage (Server Authentication). This certificate has been issued by a CA.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does your imported Cert even show up in the list within the GUI? Mine said it imported successfully and yet it doesn' t even show up in the list under Local Certificates.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would be very surprised if a CA issued anyone a key signing certificate, and if they did I would think the major browsers would revoke that CA from the browser store.
Best option for PCs in a domain environment is to issue a key signing certificate from your domain controller and use that on the Fortigate for SSL deep inspection. Domain member PCs will trust this certificate, IE and Chrome would not give warnings but Firefox still will.
Related Posts
- Issue with FORTINET Webfilter 208 Views
- VS SSL offloading with deep inspection 168 Views
- IPSEC VPN stopped working under Windows... 505 Views
- Virtual server and SSL inspection 161 Views
- vivaldi browser wont reach any webpage 1309 Views
Labels
-
FortiGate
6,869 -
FortiClient
1,364 -
5.2
801 -
5.4
639 -
FortiManager
589 -
FortiAnalyzer
433 -
6.0
416 -
5.6
362 -
FortiAP
358 -
FortiSwitch
353 -
FortiClient EMS
277 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
165 -
6.4
128 -
FortiNAC
117 -
FortiGuard
109 -
IPsec
94 -
FortiSIEM
91 -
FortiGateCloud
90 -
FortiCloud Products
85 -
SSL-VPN
80 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
47 -
FortiADC
45 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
37 -
FortiDNS
36 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
27 -
FortiAuthenticator
26 -
VLAN
26 -
FortiConnect
24 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
SAML
17 -
FortiGate v5.2
17 -
DNS
17 -
Certificate
17 -
FortiSwitch v6.2
16 -
LDAP
16 -
BGP
15 -
VDOM
15 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Authentication
12 -
fortilink
12 -
Routing
12 -
FortiCASB
12 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Traffic shaping policy
6 -
FortiBridge
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
FortiAP profile
5 -
WAN optimization
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.