AlexFerenX

Clarification on the certificate used for "Protecting an SSL server"

Hi!

I seek clarification on the feature Protecting an SSL server (a.k.a. the firewall ssl-ssh-profile's server-cert-mode being "replace").

Is it mandatory that the specified "Server certificate" (in SSL/SSH Inspection Profile) be identical to the actual server certificate - yes or no?

Thanks!

P.S. A plausible example where I'd prefer that the "Server certificate" NOT be identical to the actual server certificate is when I'd prefer it to be a wildcard certificate (thus valid for multiple servers within the same domain).

18 Replies
dingjerry_FTNT

Hi @AlexFerenX .

The quick, simple answer is NO.

The specified "Server certificate" (I would like to call it a CA certificate) (in SSL/SSH Inspection Profile) is the one the FGT uses to decrypt and re-encrypt the packets while doing MITM inspection.

So if the client does not have this certificate installed, the client will get a certificate warning.  If the client does have the certificate installed in the browser, the client will not get a certificate warning.

BTW, this certificate has to be a "CA:TRUE" certificate. I would say that none of the public certificate authorities (like Verisign, GoDaddy, etc.) will sell this type of certificate.

However, you can use your own company CA (e.g. a Microsoft CA server) or OpenSSL to generate this type of CA certificate, which will also be self-signed. Then install the root CA on the clients so they trust this CA certificate and avoid a certificate warning.

Regards,

Jerry
AlexFerenX

Hi @dingjerry_FTNT

> So if the client does not have this certificate installed, the client will get a certificate warning. If the client does have the certificate installed in the browser, the client will not get a certificate warning.

The client doesn't need to have anything in the browser - the certificate installed in the ssl-ssh-profile's "server-cert" will be a public certificate in the same way that the actual server certificate is.

My question is about "Protecting SSL Server" feature, not "Multiple Clients Connecting to Multiple Servers" feature - are you sure you're not confusing the two?

Thanks!

dingjerry_FTNT

Hi @AlexFerenX ,

Sorry, my bad. I made a mistake.

Yes, you have to use the same server certificate. Otherwise, the CA name or the SNI will not match the one that the client wants to access. If there is a security device doing UTM-like inspection for the client, the client may be denied.

Regards,

Jerry
AlexFerenX

Hi @dingjerry_FTNT

> Otherwise, the CA name or the SNI will not be matching to the one that the client wants to access.

The CA would likely be the same for both certificates - the one in the ssl-ssh-profile's "server-cert" and the one on the actual server.

The SNI or Subject shouldn't matter - it would be whatever is specified in the ssl-ssh-profile's "server-cert" - this is what the client will always see, since the FortiGate is terminating the SSL session. If the firewall policy's dstaddr is a VIP, the actual server IP address doesn't even need to be public.

The restriction on the certificate would be strictly in the FortiGate's implementation - if the FortiGate is doing basic SSL bridging, then the actual server's certificate shouldn't matter to the client - the FortiGate just needs to ensure that it's valid before forwarding traffic.

So, back to original question: Is it mandatory that the specified "Server certificate" (in SSL/SSH Inspection Profile) be identical to the actual server certificate - yes or no?

Thanks!

So,

dingjerry_FTNT

As long as the CA name represents the real server, no, I don't think that you have to use the identical server certificate.

Regards,

Jerry
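A check for the condition Jerry describes (the name on the certificate covering the real server) and for the wildcard case from the original question, added here as an example and not taken from the thread or from Fortinet: given the dNSName SAN entries of the certificate loaded as the profile's server-cert, it tests whether the SNI hostname a client asks for would be accepted under browser-style wildcard rules. The SAN list and hostnames are constructed, and the function names are my own.

```python
"""Hostname-vs-certificate check for the server-cert-mode "replace" case.

The certificate installed in the SSL/SSH inspection profile is the one the
client actually sees, so "does the name represent the real server?" reduces
to: is the SNI hostname the client requests covered by that certificate's
subjectAltName dNSName entries?  Rules implemented are the usual browser
ones: case-insensitive exact match, or a '*' that replaces only the whole
leftmost label and matches exactly one label (no '*.com', no 'a*.b.com').
"""


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern (possibly '*.example.com') against a host."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False  # only a whole leftmost-label wildcard is honoured
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' stands for exactly one label, and at least two real labels must
    # follow it, so a pattern like '*.com' never matches anything
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_covered(sni: str, san_dns_names: list[str]) -> bool:
    """True if the client's SNI is covered by one of the certificate's SANs."""
    return any(_pattern_matches(p, sni) for p in san_dns_names)


def check_servers(san_dns_names: list[str], server_hostnames: list[str]) -> dict:
    """Map each protected server's public name to whether the cert covers it."""
    return {h: hostname_covered(h, san_dns_names) for h in server_hostnames}


# Constructed data: a wildcard certificate as in the original question,
# loaded on the FortiGate, and the names clients use for the protected servers.
WILDCARD_CERT_SANS = ["*.example.com", "example.com"]
PROTECTED_SERVERS = ["www.example.com", "mail.example.com",
                     "deep.sub.example.com", "example.net"]

if __name__ == "__main__":
    for host, ok in check_servers(WILDCARD_CERT_SANS, PROTECTED_SERVERS).items():
        print(f"{host:24} {'covered' if ok else 'NOT covered: client gets a warning'}")
```

A name reported as not covered is one for which clients would see the certificate warning discussed above, regardless of what the real server behind the VIP presents.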
AlexFerenX

Hi @dingjerry_FTNT

> As long as the CA name represents the real server, no, you don't have to use the identical server certificate.

Great! Are you able to reference some document that formally confirms this?

Thanks!

dingjerry_FTNT

Hi @AlexFerenX ,

I tried my best, but unfortunately, I can't find any official doc for it.

Regards,

Jerry
AlexFerenX

Hi @dingjerry_FTNT

OK, so are you VERY confident about "As long as the CA name represents the real server, no, you don't have to use the identical server certificate."?

Thanks!

dingjerry_FTNT

Hi @AlexFerenX ,

Let me check it further to get a confirmed answer, and I'll get back to you shortly.

Regards,

Jerry