However, for this page's certificate the FG always uses a certificate signed by the factory "Fortinet Untrusted CA", regardless of what you've set up for HTTPS or SSL inspection.
According to support (ticket #2289811), this is not configurable. In my humble opinion, this function is broken since it urges the user to (permanently) accept a root certificate which is present - and extractable - on every Fortigate on the planet, leaving a critical vulnerability for man-in-the-middle attacks.
Are there any ways around this? Is this issue addressed in 5.6?
Hi Zac67, glad to hear that you managed to solve the issue.
Just after you modified the "untrusted-caname", your browser may still have had the web server certificate cached; that's why it only started to work later.
You need to use the untrusted-caname of a certificate that is installed on the FGT unit (including a private key) and that the clients trust. You cannot use an external, trusted certificate because without a private key, the FGT can't use it.
Usually, that certificate is signed with your domain CA which provides a trusted root CA certificate that is deployed to each client. For that, you generate a new local certificate and have your root CA sign the FGT's CSR.
I have a pfx file (which includes the private key). For example, this is our domain cert, signed by an external CA (DigiCert).
I was able to import this file into the FG, using the option "local certificate" and then choosing the option PKCS#12 Certificate. We also have the password for the pfx file, and this certificate is trusted by clients since it is signed by DigiCert.
Now when I try to use the same command I get the same error, entry not found in datasource.
FWP-HA-01 (Test Cert no-insp~ion) $ set untrusted-caname "star_domain_19_21"
entry not found in datasource
value parse error before 'star_domain_19_21'
Command fail. Return code -3
FWP-HA-01 (Test Cert no-insp~ion) $
Even if we generate a CSR and have it signed by a CA that the clients trust, wouldn't it be the same?
For clients, they need to be presented with a certificate that they trust, and the FG needs to send a certificate that the client trusts. So if the FG sends the certificate that is signed by an external CA (DigiCert) that should work, I guess.
So here I have imported a certificate (pfx file that has certificate and key), using the local certificate option under import. The error I keep getting is the entry not found in datasource. Did you do anything else to get the command running?
That looks like you're trying to use a (slightly) different name in the 'set untrusted-caname' command than the one you have imported. Double check the name in the certificate list and make sure the private key was imported.
Could you share the detailed steps of your solution?
I've implemented this by generating a CSR on the Fortigate and submitted it to the local network PKI to create a CA Cert using an ICA already trusted by the workstations. Import this into the Fortigate and the workstations will not receive the Untrusted Cert message.
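The procedure described in the two answers above (generate a CSR, have the domain PKI sign it with a CA the workstations already trust, import the result together with its private key, then point untrusted-caname at it), as an added example that is not part of the thread or Fortinet's own documentation. It uses a locally created stand-in for the domain root CA, and the names fgt.example.internal, "Example Domain CA", fgt_domain_2019 and the password changeit are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a TLS server certificate for the FortiGate
# signed by a stand-in "domain CA", checks chain and key match the way you would before
# importing, and packages it as PKCS#12 (System > Certificates > Import > Local
# Certificate > PKCS #12). All names and the password below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal openssl config so 'openssl req' works without the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
EOF

# 1. Stand-in for the domain root CA the workstations already trust (constructed
#    here for the demo; in production this key lives on the PKI, never on the FGT).
make_domain_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -keyout ca.key -out ca.csr -subj "/CN=Example Domain CA" 2>/dev/null
  cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
    -extfile ca.ext -out ca.crt 2>/dev/null
}

# 2. Key + CSR for the FortiGate. On a real unit "Generate CSR" keeps the key on the
#    box and you download only the CSR; generating both here lets us build the .pfx.
make_fgt_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -keyout fgt.key -out fgt.csr -subj "/CN=fgt.example.internal" 2>/dev/null
}

# 3. The PKI signs the CSR as an end-entity (CA:FALSE) server certificate.
sign_fgt_csr() {
  cat > fgt.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:fgt.example.internal
EOF
  openssl x509 -req -in fgt.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 825 -sha256 -extfile fgt.ext -out fgt.crt 2>/dev/null
}

# 4. Pre-import checks: does the chain validate against the domain root, and does
#    the private key actually belong to the certificate?
chain_status() {
  if openssl verify -CAfile ca.crt fgt.crt >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
key_status() {
  c=$(openssl x509 -noout -modulus -in fgt.crt | openssl sha256)
  k=$(openssl rsa -noout -modulus -in fgt.key 2>/dev/null | openssl sha256)
  if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# 5. Bundle cert + private key (+ issuing CA) as PKCS#12. The FGT needs the key inside
#    the file: a bare certificate cannot be referenced by untrusted-caname.
make_pkcs12() {
  openssl pkcs12 -export -inkey fgt.key -in fgt.crt -certfile ca.crt \
    -name fgt_domain_2019 -passout pass:changeit -out fgt_domain_2019.pfx
}
pkcs12_subject() {
  openssl pkcs12 -in fgt_domain_2019.pfx -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

make_domain_ca
make_fgt_csr
sign_fgt_csr
make_pkcs12
echo "chain: $(chain_status)  key: $(key_status)  pfx: $(pkcs12_subject)"

# After importing fgt_domain_2019.pfx on the FortiGate, reference it by the exact
# name shown in the local certificate list (the command form used in this thread):
#   config firewall ssl-ssh-profile
#     edit "Test Cert no-inspection"
#       set untrusted-caname "fgt_domain_2019"
#     end
```

The two checks before the export are the ones that catch the failures discussed above: `openssl verify` fails if the signing CA is not the root the clients actually have, and the modulus comparison fails if the .pfx was built from a certificate whose key you do not hold. The name passed to `set untrusted-caname` must match the imported local certificate's name character for character, which is what "entry not found in datasource" is complaining about. If an older unit rejects the .pfx, re-export it with OpenSSL 3's `-legacy` option, which falls back to the older PKCS#12 encryption algorithms that many appliances still expect.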
How do you perform "create a CA cert using an ICA"? On my workstation I didn't install any certificate; I just have a wildcard certificate for my company.