Clarification on the certificate used for "Protecting an SSL server"
Hi!
I seek clarification on the feature Protecting an SSL server (i.e. a firewall ssl-ssh-profile whose server-cert-mode is "replace").
Is it mandatory that the specified "Server certificate" (in SSL/SSH Inspection Profile) be identical to the actual server certificate - yes or no?
Thanks!
PS. A plausible example where I'd prefer that the "Server certificate" is NOT identical to the actual server certificate is when I want it to be a wildcard certificate (thus valid for multiple servers within the same domain).
Labels: FortiGate
Hi @AlexFerenX ,
I have checked it with our Engineering team for your original question: Is it mandatory that the specified "Server certificate" (in SSL/SSH Inspection Profile) be identical to the actual server certificate - yes or no?
The answer is NO.
Jerry
Created on 01-10-2025 10:27 AM Edited on 01-10-2025 10:37 AM
Are there any prerequisites, requirements or conditions on these certificates for the feature Protecting an SSL server to work? For example, you mentioned a common CA.
Thanks!
Hi @AlexFerenX ,
1) The Common Name of the certificate has to be the same as the one on the real server;
2) If the certificate on the real server is chained, the certificate on the FGT must also be chained, and you have to import the intermediate and root CA certificates on the FGT.
Jerry
Created on 01-10-2025 11:29 AM Edited on 01-10-2025 11:39 AM
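The two conditions in the reply above can be checked on the replacement certificate before it is imported. The following script is an added example, not Fortinet's code and not from any poster: it builds a constructed toy hierarchy (root CA, intermediate CA, a "real server" leaf for www.example.com, an exact-CN replacement and a wildcard replacement) with openssl and then applies both checks, CN equality with the real server certificate and a clean chain through the intermediate to the root that would have to be imported. All names and file names are assumptions made for the demo; it requires openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not Fortinet's code). Builds a toy CA hierarchy with openssl and checks
# a candidate replacement certificate against the two conditions from the reply:
#   1. Subject CN identical to the real server certificate's CN;
#   2. the replacement chains cleanly through the intermediate to the root CA.
# "Toy Root CA", "Toy Intermediate CA", www.example.com and all file names are constructed.
set -eu

# Print the Subject CN of a PEM certificate.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Condition 1: CN of the replacement must equal CN of the real server certificate.
cn_matches() {
  real_cn=$(cert_cn "$1"); repl_cn=$(cert_cn "$2")
  [ "$real_cn" = "$repl_cn" ]
}

# Condition 2: the replacement must verify against the root, with the intermediate
# supplied as an untrusted hop (the same two CA certs the firewall needs imported).
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Issue a leaf (CA:FALSE, SAN = CN) signed by the intermediate for the given CN.
issue_leaf() {
  dir="$1"; cn="$2"; name="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$cn" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
    -CAcreateserial -days 30 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Build root -> intermediate -> three leaves: the real server certificate,
# an exact-CN replacement and a wildcard replacement.
make_demo() {
  dir="$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate CA" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/inter.crt" 2>/dev/null
  issue_leaf "$dir" "www.example.com" "real"
  issue_leaf "$dir" "www.example.com" "replacement-exact"
  issue_leaf "$dir" "*.example.com"   "replacement-wildcard"
}

# Run both checks for one candidate and print a one-line verdict.
check_candidate() {
  dir="$1"; cand="$2"
  if cn_matches "$dir/real.crt" "$dir/$cand.crt"; then cn_res=match; else cn_res=MISMATCH; fi
  if chain_ok "$dir/root.crt" "$dir/inter.crt" "$dir/$cand.crt"; then ch_res=ok; else ch_res=FAIL; fi
  printf '%-22s CN=%-18s cn:%s chain:%s\n' "$cand" "$(cert_cn "$dir/$cand.crt")" "$cn_res" "$ch_res"
}

WORK=$(mktemp -d)
make_demo "$WORK"
check_candidate "$WORK" replacement-exact
check_candidate "$WORK" replacement-wildcard
```

Run it as-is to see the wildcard candidate pass the chain check but fail the CN check, which is exactly the case the thread is about; to test a real candidate, point cn_matches and chain_ok at the exported server certificate, the candidate, and the CA files you intend to import.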
1) The Common Name of the certificate has to be the same as the one on the real server;
This is a major limitation - it prevents a wildcard certificate from being used within the ssl-ssh-profile (if the actual server certificate specifies its own domain name or IP address as the CN)!
It also goes against the implicit understanding of what server-cert-mode set to "replace" means - to replace the actual server certificate!
Can you confirm?
Thanks!
Hi @AlexFerenX ,
I checked it again with our Engineering team:
You can use any CA certificate for the server certificate with the "Protecting SSL Server" option.
The difference between "Protecting SSL Server" and "Multiple Clients Connecting to Multiple Servers" is:
with "Protecting SSL Server", the FGT replaces the server certificate;
with "Multiple Clients Connecting to Multiple Servers", the FGT re-signs using the CA certificate.
Jerry
Created on 01-10-2025 12:10 PM Edited on 01-10-2025 12:15 PM
In most cases, the Issuer of public certificates (i.e. the "CA") is the same for all certificates used by an organisation - this isn't a critical limitation; however, the Subject of the certificate is most critical. Previously, you've stated that the CN must be the same - this rules out using wildcard certificates or certificates that I'd want "replaced".
It seems to me that Fortinet has very badly documented the requirements of the feature Protecting an SSL server. If there's no definitive documentation you can refer to, can you create a Knowledge Base article which is upfront about all prerequisites, requirements and limitations?
> The difference between "Protecting SSL Server" and "Multiple Clients Connecting to Multiple Servers"
let’s not lose focus, from beginning, this post is ONLY about “Protecting SSL Server".
Thanks!
Hi @dingjerry_FTNT , are you able to provide (at least a provisional) KB id? Thanks!
Hi @dingjerry_FTNT, are you able to provide a KB id? Thanks!