When you've activated certificate inspection or deep SSL inspection, the acceptance of the external certificate is up to the FG. When it rejects the external certificate it the page with the warning:
"This Connection is Untrusted ..."
You can check this e.g. on https://self-signed.badssl.com/
However, for this page's certificate the FG always uses a certificate signed by the factory "Fortinet Untrusted CA", regardless of what you've set up for HTTPS or SSL inspection.
According to support (ticket #2289811), this is not configurable. In my humble opinion, this function is broken since it urges the user to (permanently) accept a root certificate which is present - and extractable - on every Fortigate on the planet, leaving a critical vulnerability for man-in-the-middle attacks.
Are there any ways around this? Is this issue addressed in 5.6?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
I just checked this, but I cant change the Untrusted CA Certificate in 5.6.1.
Regards
bommi
NSE 4/5/7
Hi Zac67,
By default the firewall use an "Untrust CA" for the websites that have broken certificate. (as your example "https://self-signed.badssl.com/")
You can change that from CLI:
config firewall ssl-ssh-profile edit "--your profile--" set untrusted-caname "your trusted CA" end
In this way you will avoid the certificate warning. (If you have installed on the PC the "trusted CA")
Still, the best practice says to warning the users when they are going to an "untrust" (faulty certficate) website.
So you should find your best compromise between usability and security.
Regards Radu
Hi Zac67 glad to hear that you managed to solve the issue. Just after that you modified the "Untrusted-caname" it may be that your browser has the web server certificate cached, that's why it started to work later.
Cheers Radu
@Zanoob
You need to use the untrusted-caname of a certificate that is installed on the FGT unit (including a private key) and that the clients trust. You cannot use an external, trusted certificate because without a private key, the FGT can't use it.
Usually, that certificate is signed with your domain CA which provides a trusted root CA certificate that is deployed to each client. For that, you generate a new local certificate and have your root CA sign the FGT's CSR.
I have a pfx file (which includes the private key). For example, this is our domain cert , singed by external CA (Digicert).
I was able to import this file into FG , using the option "local certificate" and then choosing option PKCS#12 Certificate.We also have the password for the pfx file and this certificate is trusted by clients since it is signed by Digicert.
Now when i try to use the same command i get the same error , entry not found in datasource.
FWP-HA-01 $ config firewall ssl-ssh-profile
FWP-HA-01 (ssl-ssh-profile) $ edit "Test Cert no-inspection"
FWP-HA-01 (Test Cert no-insp~ion) $ set untrusted-caname "star_domain_19_21"
entry not found in datasource
value parse error before 'star_domain_19_21'
Command fail. Return code -3
FWP-HA-01 (Test Cert no-insp~ion) $
Even if we generate a CSR and sign by a CA that the clients trust , wouldn't it be the same.
For clients, they need to have a certificate presented that they trust and FG needs to send a certificate that the client trust. So if the FG sends the certificate that is signed by an external CA (digicert) that should work i guess.
So here I have imported a certficate (pfx file that has certificate and key) , using the local certificate option under import. The error i keep getting is the entry not found in datasource. Did you do anything else to get the command running ?
That looks like you're trying to use a (slightly) different name in the 'set untrusted-caname' command than the one you have imported. Double check the name in the certificate list and make sure the private key was imported.
The certificate i imported do have the private key and the certificate.
I checked with OpenSSL converted the PFX file that i imported to fortigate to a PEM file and double checked if it has the private key.
The problem is when i run the command it says or keep getting an error that "entry not found in datasource".
Like it couldn't find the certificate and i understand beacuse we are importing the certificate using local certificate option under import and import works successfully to local certificate.
However, to run this command do we need some other , option to point it to the local certificate path?
Os is it because the certificate is a *.domain.com ?
after the import of the certifcate i can only see the certificate that was already there on the fortigate , as you can see below
The issue is that it is using the Fortinet_CA_Untrusted certiciate , which is not trusted by the clients.
FWP-HA-01 (Hem Cert no-insp~ion) $ set untrusted-caname
<string> please input string value
Fortinet_CA_SSL local
Fortinet_CA_Untrusted local
Hi dmcquade,
coul'd you share the detail steps of your solution?
I've implemented this by generating a CSR on the Fortigate and submitted it to the local network PKI to create a CA Cert using an ICA already trusted by the workstations. Import this into the Fortigate and the workstations will not receive the Untrusted Cert message.
How do you perform: create CA cert using ICA? On my workstation I didn't installed any certificate, I juste have a wildcard certificate for my company.
Thanks for the answer.
Hi,
I am in version 5.6.2 and I have the same problem ...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1548 | |
1032 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.