v20100
New Member
April 19, 2018
Solved

Certificate for https traffic

  • April 19, 2018
  • 3 replies
  • 29332 views
Not sure if this is in the correct thread. Running on a 200D with 5.4.8.

This is mainly for AV. In order to detect viruses, we needed to add SSL/SSH inspection, and by selecting "Certificate Inspection" the firewall now detects viruses, but only for non-encrypted traffic. As most of the traffic is now via HTTPS, we need to select "Deep Inspection" instead. However, all the sites now come with certificate errors. The engineer assigned to our case told us that we need to install the Fortigate certificate on all our workstations, which is not really possible: too many devices (Windows, iOS, Mac and Android) and too many browsers. He said the alternative was to purchase a CA certificate and install it, but was not able to advise further.

Have many of you used that technique? I am guessing that it is becoming more and more common to implement virus/malware scanning at the gateway level, and this would be the easiest method now that 90% of traffic is encrypted?

What CA would you recommend? We already have a 'standard' certificate installed on the Fortigate for SSL VPN to avoid the errors. When requesting the CA certificate, do we also use the same DNS name? And will it not interfere with the current cert installed for SSL VPN?

Thanks in advance
3 replies

Philippe_Gagne
New Member
April 19, 2018

Hi,

 

I deploy the deep-inspection solution really often. You don't need to buy a CA certificate. There are some ways to achieve the goal:

 

- Have a CA Certificate in your Active Directory.

or

- Build your own CA certificate and deploy it via GPO into the Trusted Root Certificates store. That's my preferred one!

 

SSL VPN and CA certificates are used for two different purposes. The CA certificate is used to decrypt and then re-encrypt the traffic to the destination computer. That's the reason computers have to trust this CA as a known trusted CA.

 

To create a CA certificate, I'm using XCA, it works really fine: https://sourceforge.net/projects/xca/

 

Have a nice day.

 

Philippe

MAK
New Member
April 19, 2018

Hello everyone,

 

We are doing A/V on our FortiWiFi 60E running FortiGateOS 6.0. We already purchased an SSL cert from a public CA. However, we have a problem uploading it into the certificate DB on the Forti60E. The CA sent a wildcard cert for our company along with an intermediate CA cert. The wildcard cert loads into the Forti60E certificate DB in the top Certificates section, while the intermediate CA cert loads into the External CA section. However, when selecting the cert in the policy for SSL deep inspection, only the local CA cert Forti_CA_SSL shows in the drop-down list, which is the default built-in Fortinet cert. How can we select a cert from the External CA section for SSL deep inspection??? Any help would be appreciated.

 

PS: We do have a local CA running, but this would require uploading the local CA cert onto every device, which is not desired.

ShawnZA
New Member
April 19, 2018

Create a browsing rule for yourself only, enable deep inspection and select the VPN cert, and see if you get errors... but if they recommend a CA cert then it might still cause issues, seeing as you say it's a "standard" cert.

 

The CA cert will not cause issues with your VPN cert, as you will not be assigning the CA cert to the VPN config...

 

We rolled out the Fortigate cert (what a mission that is), so we are using that for now, but will probably also go the CA route at some point, as installing the Fortigate cert on devices is becoming a mission.

emnoc
New Member
April 19, 2018

Wait

 

Do what was said before: build your own CA. You still need to have that certificate installed and trusted on the client. So no matter what you do (private, self-signed or whatever), the clients will need the certificate trusted.

 

The other option (please don't do this) is to remove certificate validation from the client. You could do this, but now any site would be valid, since no validation has taken place.

 

 

That would be the equivalent of curl -k, for example.

 

"The engineer assigned to our case told us that we need to install the Fortigate certificate on all our workstations, which is not really possible: too many devices (Windows, iOS, Mac and Android) and too many browsers."

 

You have a CA certificate on the Fortigate now; export that one if you don't want to craft a new one. When support tells you these things, they should explain the process.

 

http://docs-legacy.fortinet.com/fos40hlp/41/wwhelp/wwhimpl/common/html/wwhelp.htm?context=fgt&file=system_certificates.9.1.html

 

http://socpuppet.blogspot.com/2016/10/a-quick-and-sure-to-know-if-ssl.html

 

And FWIW, no commercial CA will blindly give you a CA intermediate certificate under normal means. Going to GoDaddy, for example, and buying a certificate gets you a "web server" certificate, not a CA cert. So keep that in mind.

 

 

 

Ken

 

localhost (best answer)
Visitor III
April 23, 2018

I find it strange that Fortinet does not have a built-in public certificate that should be used for this. Surely, if it says it can scan for viruses/etc on the fly, it should provide the facility out of the box!

 

It's not possible to buy such a public intermediate CA certificate! This would totally break SSL encryption. You'd be able to fake every SSL website/service worldwide.

Public intermediate CA certificates will be limited to specific domains for which you are allowed to issue certificates. This is not what you need for deep SSL inspection.

 

With a private CA, you can do anything you want. Like creating your own SSL certificates for www.ubs.com, www.paypal.com, etc. 

This is exactly what the Fortigate is doing when deep SSL inspection is enabled. It's decrypting the SSL connection and creating a new encrypted connection with its own CA certificate. It has to generate a new connection because it does not have the private key for the website or the CA it's intercepting (in my example VeriSign and online.citi.com). So a 'deep inspected' SSL connection to online.citi.com is divided into two separate connections.

 

online.citi.com <--1--> fortigate <--2--> internal computer

 

1: publicly trusted certificate. Signed by VeriSign Class 3 Public Primary CA

2: privately trusted certificate. Signed by YourFortigate

 

There is no easy way around this. If you want to open and inspect SSL connections, you have to create your own CA certificate and deploy it, or use the one which is already on the Fortigate and deploy that one.

If there is not enough knowledge to set up your own PKI, I suggest you deploy the CA certificate already on the Fortigate.

 

Btw, this is not a Fortigate/Fortinet limitation; this is just how SSL interception works.

 

Also note: you need to test this thoroughly before enabling it globally, because it will most likely not work with some services/applications you are using right now.
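
The following is an added example in Go; it is not code from this answer, from emnoc's reply, or from Fortinet. It demonstrates the two points both posts make: a private CA can mint a certificate for any hostname, so a client that has the CA in its trust store opens the intercepted connection and a client without it rejects it; a client with validation disabled (the curl -k equivalent emnoc warns about) accepts the certificate without checking anything; and a CA that is limited to specific domains cannot produce a valid chain for the intercepted host. Assumptions that are not from the page: the "limited to specific domains" property is modelled with an X.509 name-constraints extension (PermittedDNSDomains) on a self-signed CA, example.com is an arbitrary constrained domain, a loopback TLS listener stands in for the firewall side of connection 2, the CA names are made up, and online.citi.com is reused from this answer's own example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caTemplate describes a CA. A non-empty permitted list becomes a critical name
// constraint, so the CA may only sign leaves under those DNS suffixes (assumed model).
func caTemplate(name string, permitted []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: len(permitted) > 0, PermittedDNSDomains: permitted,
	}
}

// leafTemplate describes the server certificate for host that the intercepting
// firewall presents to the internal computer (connection 2 in the diagram above).
func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// mint generates a fresh P-256 key for tmpl and signs tmpl with parentKey (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func poolOf(ca *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca)
	return p
}

// handshake runs a real TLS handshake over loopback and returns the client's verdict (nil: connected).
func handshake(leaf *x509.Certificate, key *ecdsa.PrivateKey, cfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}},
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // an error here just means the client refused us
			c.Close()
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err == nil {
		c.Close()
	}
	return err
}

// Scenarios reports, per client setup, whether the client accepts the certificate
// an intercepting CA minted for host. A nil error means the connection opened.
func Scenarios(host string) map[string]error {
	fgCA, fgKey := mint(caTemplate("YourFortigate (private, unconstrained)", nil), nil, nil)
	leaf, leafKey := mint(leafTemplate(host), fgCA, fgKey)
	pubCA, pubKey := mint(caTemplate("Public intermediate (example.com only)", []string{"example.com"}), nil, nil)
	pubLeaf, _ := mint(leafTemplate(host), pubCA, pubKey)
	_, constrained := pubLeaf.Verify(x509.VerifyOptions{DNSName: host, Roots: poolOf(pubCA)})
	return map[string]error{
		"fortigate CA deployed to client": handshake(leaf, leafKey, &tls.Config{ServerName: host, RootCAs: poolOf(fgCA)}),
		"fortigate CA not deployed":       handshake(leaf, leafKey, &tls.Config{ServerName: host, RootCAs: x509.NewCertPool()}),
		"validation disabled (curl -k)":   handshake(leaf, leafKey, &tls.Config{ServerName: host, InsecureSkipVerify: true}),
		"domain-constrained public CA":    constrained,
	}
}

func main() {
	for name, err := range Scenarios("online.citi.com") {
		fmt.Printf("%-32s -> %v\n", name, err)
	}
}
```

Run it with go run. The "not deployed" line prints an unknown-authority error, which is the same failure the browser shows as a certificate warning once deep inspection is switched on; the "curl -k" client reports success against a certificate it never validated, which is why disabling validation is not a fix; and the name-constrained CA fails because the verifier refuses a chain whose CA is not authorized for online.citi.com, which is the property that makes a domain-limited intermediate useless for interception.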

live89
Explorer III
December 4, 2018

Hi,

 

AFAIK, yes, you need to install the Fortigate certificate on all the workstations in order to trust the firewall in inspecting your workstation traffic, using certmgr.msc from cmd. I think you can do this via GPO if it's many workstations.

This is true not only in Fortigate environments; we used to do that in other environments using other vendors' proxies.