Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CAD
Contributor

Certificate issue

Hello,

I have an issue when opening some websites, for example yahoo.com (but not limited to it), from Chrome. I get the error below:

"The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1".

What should I do to solve this issue?

Thanks

1 Solution
Ricardo_Tomas
New Contributor III

Hello,

My guess is your unit is doing SSL offload to do one or more security features (IPS, Application Control, HTTPS inspection, Antivirus, web filter or explicit proxy), using a man-in-the-middle approach. That's fine, it is the common solution.

Some old SSL versions have been deprecated and Chrome is giving warnings about that. With time, it will start to block them, forcing a manual override.

The problem is that the certificate the Forti unit is giving to the browser is using that old SSL version.

To resolve it, you need to put a new one with a newer SSL version in the Forti unit and in the PCs.

The easier path is to upgrade the Forti unit, since the newer versions have the latest SSL version, and then reuse the GPO to put the newer certificate in all PCs (no problem leaving the old one).

One last thing: both things have to be done at the same time, since you only have the certificate after the upgrade, and you will only have clean HTTPS after the computers have the GPO with the certificate (before that, you will have a nasty "certificate not trusted" warning).

18 REPLIES
emnoc
Esteemed Contributor III

Search here for what others have done, but like I said it depends on OSes and enterprise.

Some options you can do or search:

1> Use an internal CA authority like Microsoft

2> Deploy via a GPO push

3> Provide a manual insert (yes, a lot of work if you have hundreds of machines)

4> Buy a trusted wildcard or single cert for your domain device(s) and install it

5> Use a desktop support function (MS/SCCM, LANDesk) to install the certificate for browsers as a trusted publisher

or have the end-user ignore the warning (this is bad practice btw)

Your options really depend on time, $$$, number of hosts, type of hosts (unix/linux/windoze/mac/Mobile/others) and the work effort.

The bottom line is: "the internal Fortigate crt is not signed by a recognized CA authority"

So any modern browser is going to kick up that warning. Chrome is probably the most secure browser and warns about just about everything or anything.

What I've seen in the past is most orgs buying an internal trusted * wildcard and trusting it, or using a self-signed cert and trusting it from the MS CA authority domain.

You have numerous avenues and directions, but only you can determine what you do, and it depends on the above bold options.

Ken

PCNSE

NSE

StrongSwan
CAD

Thanks for this information,

As I remember, when the Fortinet partner did the setup of our device he imported the certificate via GPO; that is why when we are using Internet Explorer the warning does not appear.

Thanks again for your help

sgroulx
New Contributor

If you are configured in explicit proxy, update your FortiGate to 5.2.6

CAD

Hi,

I do not use the explicit proxy option.

I really need your assistance.

Thanks


seadave

SHA-1 is rapidly being deprecated. Chrome, and soon IE and Firefox, warn when deprecated certs are detected. You need to update your CA and sign a new cert for your Fortigate using at least SHA2 (SHA-256) and a 2048-bit key to avoid messages such as this. Yahoo may be using a new cert, but your FG is still using a less secure one, and that is what Chrome is detecting.

To verify, take a laptop and create a new unfiltered rule on your Fortigate. Browse to Yahoo through that, then disable that rule and try again, ensuring traffic is filtered by the current rule you use. You should NOT get an error for the unfiltered connection. You should circle back with your integrator and figure out what he did. He may have used OpenSSL to self-sign your FG and then pushed out the CA he generated to all of your desktops via a GPO. This article shows how to do the Fortigate portion:

http://cookbook.fortinet.com/fortigate-cookbook-self-signed-certificates-5-2/

http://cookbook.fortinet.com/preventing-certificate-warnings/

 

seadave

Until you fix this you can disable SSL deep inspection on the rule that is causing the problem. That will allow folks to browse normally until you fix the problem, but you won't be able to scan SSL traffic, which is NOT a good idea these days. Making people happy while you resolve the issue is part of the risk analysis of working on things like this.

pbeall
New Contributor

Hi all,

Just hoping to find some answers.

This thread seems a bit all over the place.

I came here looking for a solution to SHA-1 certificates being generated by our Fortigate for deep inspection of HTTPS sites.

Our Fortigate runs 5.2.3.

We have the same issue with deep inspection: it works, but we are starting to get these errors too, understandably, as SHA-1 is being phased out.

I have replaced the default Fortigate CA cert (which was SHA-1) for deep inspection with a certificate that is SHA-2 (SHA-256) and with a 2048-bit key.

However, after the unencryption process, when it generates the certificate for any SSL website it generates it with SHA-1?

So therefore we get the https with a red cross through it in the address bar.

So currently it doesn't stop us using deep inspection, but I know we are not far from the time when it will fail to load the sites because of this?

Does anybody currently use deep inspection and have it generate SHA-2 certificates?

Are you on a newer firmware? Have you made another setting change in the Fortigate's config?

Have you put something specific in your CA to ensure it generates SHA-2 certificates during the deep inspection process?
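The situation seadave's verification step and pbeall's post both describe (a SHA-256 CA loaded on the FortiGate, but the re-signed leaf certificate still SHA-1) is easiest to confirm by looking at the chain the browser actually receives. The script below is an added example, not code from this thread or from Fortinet: a pure-stdlib DER walker that reads the outer `signatureAlgorithm` field of every certificate in a PEM bundle, which is the field Chrome's "certificate chain contains a certificate signed using SHA-1" warning is about. All function names are mine, and the `SAMPLE_CHAIN` it ships with is a constructed stand-in (dummy TBS body and signature, real algorithm identifiers) so the example runs offline; on a real chain exported from the browser it reports the same fields.

```python
"""Audit a PEM certificate chain for SHA-1 signature algorithms.

Added example (not from the forum thread or Fortinet). Reads
Certificate.signatureAlgorithm (RFC 5280 4.1) of each cert in a PEM bundle.
"""
import base64
import re

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """Dotted OID of the certificate's outer signatureAlgorithm."""
    tag, start, _ = _read_tlv(der, 0)               # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)           # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier missing OID")
    return _decode_oid(der[oid_start:oid_end])


def audit_chain(pem_text):
    """Return [(index, algorithm name, is_sha1), ...] for each cert in the PEM."""
    report = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        oid = signature_oid(base64.b64decode("".join(b64.split())))
        report.append((i, SIG_OIDS.get(oid, oid), oid in SHA1_OIDS))
    return report


def has_sha1(pem_text):
    return any(flag for _, _, flag in audit_chain(pem_text))


# --- constructed stand-in data: these are NOT real certificates -------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def fake_cert_pem(sig_oid):
    """Dummy TBS and signature, real signatureAlgorithm: enough to exercise the parser."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 33)
    b64 = base64.encodebytes(_tlv(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Leaf re-signed with SHA-1 under a SHA-256 CA: the chain pbeall describes.
SAMPLE_CHAIN = (fake_cert_pem("1.2.840.113549.1.1.5")
                + fake_cert_pem("1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    for idx, name, sha1 in audit_chain(SAMPLE_CHAIN):
        print(f"cert {idx}: {name}{'  <-- SHA-1' if sha1 else ''}")
```

To use it on a live chain, export the certificates the browser shows for the filtered site (Chrome's certificate viewer can save the whole chain as PEM) and pass the file's contents to `audit_chain`. If only the leaf is flagged while the CA is SHA-256, the firewall's re-signing step is the culprit, which matches the firmware-dependent behaviour discussed in this thread.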

CAD

After upgrading to 5.2.8, the red cross on the title bar did not appear again.

Thanks
