Certificate inspection: untrusted certificate warning broken (5.4.5)

Zac67 · ‎08-04-2017

When you've activated certificate inspection or deep SSL inspection, the acceptance of the external certificate is up to the FG. When it rejects the external certificate it the page with the warning:

"This Connection is Untrusted ..."

You can check this e.g. on https://self-signed.badssl.com/

However, for this page's certificate the FG always uses a certificate signed by the factory "Fortinet Untrusted CA", regardless of what you've set up for HTTPS or SSL inspection.

According to support (ticket #2289811), this is not configurable. In my humble opinion, this function is broken since it urges the user to (permanently) accept a root certificate which is present - and extractable - on every Fortigate on the planet, leaving a critical vulnerability for man-in-the-middle attacks.

Are there any ways around this? Is this issue addressed in 5.6?

bommi · ‎08-04-2017

Hi,

I just checked this, but I cant change the Untrusted CA Certificate in 5.6.1.

Regards

bommi

NSE 4/5/7

View solution in original post

rdumitrescu · ‎08-10-2017

Hi Zac67,

By default the firewall use an "Untrust CA" for the websites that have broken certificate. (as your example "https://self-signed.badssl.com/")

You can change that from CLI:

config firewall ssl-ssh-profile edit "--your profile--" set untrusted-caname "your trusted CA" end

In this way you will avoid the certificate warning. (If you have installed on the PC the "trusted CA")

Still, the best practice says to warning the users when they are going to an "untrust" (faulty certficate) website.

So you should find your best compromise between usability and security.

Regards Radu

View solution in original post

FAPM · ‎08-29-2017

Hi,

I am in version 5.6.2 and I have the same problem ...

View solution in original post

rdumitrescu · ‎09-08-2017

Hi Zac67 glad to hear that you managed to solve the issue. Just after that you modified the "Untrusted-caname" it may be that your browser has the web server certificate cached, that's why it started to work later.

Cheers Radu

View solution in original post

Zac67 · ‎03-06-2020

@Zanoob

You need to use the untrusted-caname of a certificate that is installed on the FGT unit (including a private key) and that the clients trust. You cannot use an external, trusted certificate because without a private key, the FGT can't use it.

Usually, that certificate is signed with your domain CA which provides a trusted root CA certificate that is deployed to each client. For that, you generate a new local certificate and have your root CA sign the FGT's CSR.

ZANOOB · ‎03-09-2020

I have a pfx file (which includes the private key). For example, this is our domain cert , singed by external CA (Digicert).

I was able to import this file into FG , using the option "local certificate" and then choosing option PKCS#12 Certificate.We also have the password for the pfx file and this certificate is trusted by clients since it is signed by Digicert.

Now when i try to use the same command i get the same error , entry not found in datasource.

FWP-HA-01 $ config firewall ssl-ssh-profile

FWP-HA-01 (ssl-ssh-profile) $ edit "Test Cert no-inspection"

FWP-HA-01 (Test Cert no-insp~ion) $ set untrusted-caname "star_domain_19_21"

entry not found in datasource

value parse error before 'star_domain_19_21'

Command fail. Return code -3

FWP-HA-01 (Test Cert no-insp~ion) $

Even if we generate a CSR and sign by a CA that the clients trust , wouldn't it be the same.

For clients, they need to have a certificate presented that they trust and FG needs to send a certificate that the client trust. So if the FG sends the certificate that is signed by an external CA (digicert) that should work i guess.

So here I have imported a certficate (pfx file that has certificate and key) , using the local certificate option under import. The error i keep getting is the entry not found in datasource. Did you do anything else to get the command running ?

Zac67 · ‎03-09-2020

That looks like you're trying to use a (slightly) different name in the 'set untrusted-caname' command than the one you have imported. Double check the name in the certificate list and make sure the private key was imported.

ZANOOB · ‎03-11-2020

The certificate i imported do have the private key and the certificate.

I checked with OpenSSL converted the PFX file that i imported to fortigate to a PEM file and double checked if it has the private key.

The problem is when i run the command it says or keep getting an error that "entry not found in datasource".

Like it couldn't find the certificate and i understand beacuse we are importing the certificate using local certificate option under import and import works successfully to local certificate.

However, to run this command do we need some other , option to point it to the local certificate path?

Os is it because the certificate is a *.domain.com ?

ZANOOB · ‎03-11-2020

after the import of the certifcate i can only see the certificate that was already there on the fortigate , as you can see below

The issue is that it is using the Fortinet_CA_Untrusted certiciate , which is not trusted by the clients.

FWP-HA-01 (Hem Cert no-insp~ion) $ set untrusted-caname

<string>    please input string value

Fortinet_CA_SSL	local

Fortinet_CA_Untrusted	local

saymon · ‎01-24-2021

Hi dmcquade,

coul'd you share the detail steps of your solution?

I've implemented this by generating a CSR on the Fortigate and submitted it to the local network PKI to create a CA Cert using an ICA already trusted by the workstations. Import this into the Fortigate and the workstations will not receive the Untrusted Cert message.

How do you perform: create CA cert using ICA? On my workstation I didn't installed any certificate, I juste have a wildcard certificate for my company.

Thanks for the answer.

FAPM · ‎08-29-2017

Hi,

I am in version 5.6.2 and I have the same problem ...