Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AlexFerenX

Clarification on the certificate used for "Protecting an SSL server"

Hi!

I seek clarification on the feature Protecting an SSL server (a.k.a. the firewall ssl-ssh-profile's server-cert-mode set to "replace").

Is it mandatory that the specified "Server certificate" (in SSL/SSH Inspection Profile) be identical to the actual server certificate - yes or no?

Thanks!


PS. A plausible example where I'd prefer that the "Server certificate" is NOT identical to the actual server certificate is when I'd prefer it to be a wildcard certificate (thus valid for multiple servers within the same domain).

18 replies
dingjerry_FTNT

Hi @AlexFerenX ,


I have checked with our Engineering team regarding your original question: Is it mandatory that the specified "Server certificate" (in SSL/SSH Inspection Profile) be identical to the actual server certificate - yes or no?


The answer is NO.

Regards,

Jerry
AlexFerenX

Hi @dingjerry_FTNT 


Are there any prerequisites, requirements or conditions on these certificates for the feature Protecting an SSL server to work? For example, you mentioned a common CA.

Thanks!

dingjerry_FTNT

Hi @AlexFerenX ,


1) The Common Name of the certificate has to be the same as the one on the real server;

2) If the certificate on the real server is chained, the certificate on the FGT must also be chained, and you have to import the intermediate and root CA certificates on the FGT.

Regards,

Jerry
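Added example, not from the original thread and not Fortinet code: a stand-alone Python check for requirement 1) above, answering whether the names on a candidate replacement certificate actually cover the hostnames clients use to reach the real server, including the wildcard case the original poster asks about. The certificate contents (`REAL_SERVER`, `WILDCARD`, `CLIENT_NAMES`) are constructed for illustration and the `CertNames`/`covers`/`compare` names are assumptions of this example; in practice take the names from the PEM files with `openssl x509 -noout -subject -ext subjectAltName -in server.pem`. The chain requirement in 2) is not modelled here.

```python
"""
Does a candidate replacement certificate cover the names clients use for
the real server?  Added example, not FortiGate code.  Only DNS/IP names are
modelled; the certificate contents below are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class CertNames:
    """Subject names of one certificate (constructed model, assumed here)."""
    common_name: str
    san_dns: tuple = ()
    san_ip: tuple = ()

    def dns_names(self):
        # Modern clients consult the SAN; the CN only counts when no SAN is present.
        return self.san_dns if self.san_dns else (self.common_name,)


def name_matches(pattern, hostname):
    """RFC 6125 style DNS-ID match: exact, or a single wildcard that is the
    whole left-most label and covers exactly one label ('*.example.com'
    matches 'www.example.com' but not 'example.com' or 'a.b.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    host_labels = hostname.split(".")
    # Refuse wildcards that would span a public suffix, e.g. '*.com'.
    if len(host_labels) < 3:
        return False
    return ".".join(host_labels[1:]) == pattern[2:]


def covers(cert, client_names):
    """Map each name clients connect to -> whether `cert` is valid for it."""
    result = {}
    for name in client_names:
        try:
            ip = ipaddress.ip_address(name)
        except ValueError:
            result[name] = any(name_matches(p, name) for p in cert.dns_names())
        else:
            # An IP literal never matches a DNS wildcard; it needs an iPAddress SAN.
            result[name] = any(ipaddress.ip_address(i) == ip for i in cert.san_ip)
    return result


# Constructed scenario: the real server certificate names one host; the
# candidate replacement is a wildcard for the same domain.
REAL_SERVER = CertNames("www.example.com", ("www.example.com",))
WILDCARD = CertNames("*.example.com", ("*.example.com", "example.com"))
CLIENT_NAMES = ("www.example.com", "example.com",
                "api.internal.example.com", "203.0.113.10")


def compare(real=REAL_SERVER, candidate=WILDCARD, client_names=CLIENT_NAMES):
    """Same CN as the real server?  And which client names does the candidate cover?"""
    return {
        "same_cn": real.common_name.lower() == candidate.common_name.lower(),
        "coverage": covers(candidate, client_names),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Run as shown, the wildcard certificate has a different CN from the real server's certificate yet is valid for `www.example.com` and `example.com`; it does not cover the deeper name `api.internal.example.com` (a wildcard spans exactly one label) nor the bare IP address, which would need an iPAddress SAN entry on the replacement certificate.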
AlexFerenX

Hi @dingjerry_FTNT 


> 1) The Common Name of the certificate has to be the same as the one on the real server;

This is a major limitation: it prevents a wildcard certificate from being used within the ssl-ssh-profile (if the actual server certificate specifies its own domain name or IP address as the CN)!

It also goes against the implicit understanding of what server-cert-mode set to "replace" means: to replace the actual server certificate!

Can you confirm?

 

Thanks!

dingjerry_FTNT

Hi @AlexFerenX ,


I checked it again with our Engineering team:


You can use any CA certificate for the server certificate with the "Protecting SSL Server" option.

The difference between "Protecting SSL Server" and "Multiple Clients Connecting to Multiple Servers" is:

With "Protecting SSL Server", the FGT replaces the server certificate;

With "Multiple Clients Connecting to Multiple Servers", the FGT re-signs using the CA certificate.

Regards,

Jerry
AlexFerenX

Hi @dingjerry_FTNT 


In most cases, the Issuer of public certificates (i.e. the "CA") is the same for all certificates used by an organisation, so this isn't a critical limitation; however, the Subject of the certificate is most critical. Previously, you stated that the CN must be the same; this rules out using wildcard certificates or certificates that I'd want "replaced".

It seems to me that Fortinet has very badly documented the requirements of the feature Protecting an SSL server. If there's no definitive documentation you can refer to, can you create a Knowledge Base article which is upfront about all prerequisites, requirements and limitations?

> The difference between "Protecting SSL Server" and "Multiple Clients Connecting to Multiple Servers"

Let's not lose focus; from the beginning, this post has ONLY been about "Protecting SSL Server".

 

Thanks!

dingjerry_FTNT

Hi @AlexFerenX ,


Yes, I will try my best to create a KB article about it.

Regards,

Jerry
AlexFerenX

Hi @dingjerry_FTNT , are you able to provide (at least a provisional) KB id? Thanks!

AlexFerenX

Hi @dingjerry_FTNT, are you able to provide the KB id? Thanks!
