Hi All,
FortiGate 300D (and others) v5.4.1. Using FortiAuthenticator 4.1.1 as local CA, among other things.
I've started running full SSL inspection on a subset of users, with my own CA certificate, which the users trust. This all appears to work fine. My question has to do with the two other certificates that are in use by the SSL Inspection profiles. I didn't notice their use initially since they aren't visible in the GUI view of the SSL Inspection profiles. From the CLI, the three certificate references are:
    config firewall ssl-ssh-profile
        edit <ProfileName>
            set caname "MY_CA_CERT"
            set certname "Fortinet_SSL"
            set untrusted-caname "Fortinet_CA_Untrusted"
        next
    end
Unfortunately, the 5.4.1 GUI only shows and lets you edit the caname certificate. I'd like to make sure my understanding of the use of these different references to certificates is correct before I change them. From the CLI docs:
caname - CA certificate used by SSL Inspection
- My interpretation - CA certificate the client trusts to allow the SSL inspection to happen without warnings
certname - Certificate containing the key to use when re-signing server certificates for SSL inspection
- My interpretation - Certificate used to sign (well, re-sign) certificates that are getting handed back to web servers on the WAN. If this is the case, it is concerning because even if this certificate is SUPPOSED to be unique, it has the names Fortinet and FortiGate all over it, which I don't want to advertise. So, I assume I just change this (from the CLI since no GUI access to this) to one of my own client certificates that is marked as being able to sign certificates? Nothing else special needed for this cert?
untrusted-caname - Untrusted CA certificate used by SSL Inspection
- I really don't know what this is for. This didn't exist in 5.2. Anybody familiar with this one?
Thanks in advance for advice and pointers.
I must have read this thread 100 times and it's still not sinking in with me. I've got a FAC that I'm using as a "root CA", which I've "installed" or "trusted" as a "root CA" on my machine. I use "warning pages" for certain categories which will return a blocked/proceed (using the FAC CA cert) page without any issue. When I click "Proceed" my browser is directed to: https://facebook.com:58002/warn?fblob=V0-7mIHNhdRfSBaiZNn5pc-Zpj-38T0nX5vkLfka4op58SYiAqw586bE_2SLwM...
"There is a problem connecting securely to this website.
The security certificate presented by this website was issued for a different website's address. The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. You should close this webpage. Recommended Click here to close this webpage."
I'm not the best with PKI so any help is appreciated.
DPI is enabled.
Google Chrome mentions this: "You cannot visit facebook.com right now because the website uses HSTS".
-TFWD
Further testing is proving the HSTS is causing my problem as "Instagram" isn't giving me any grief in my testing.
-TFWD
FortiOS 5.2.10 - GA is my current code base... FWIW, this is being tested against an A/A Cluster (1500D).
-TFWD
Hello theFWdude,
Can you show me the policy and ssl-ssh-profile from your configuration? If you are having that error, the problem is very likely to be that the SSL certificate on the FortiGate and on your machine are not configured properly. I would like to check to see if they are the same one.
HoMing
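A client-side check covering both questions in this thread, added here as an example and not taken from the posts or from Fortinet: given the certificate a client actually received (in the dict form Python's ssl module returns from getpeercert()), it reports which FortiGate CA re-signed it (the caname CA for servers the FortiGate trusted, the untrusted-caname CA for servers whose own certificate failed the FortiGate's validation, so the client still gets a warning) and whether the certificate's names cover the host, which is the "issued for a different website's address" part of the browser error above. The two CA common-name strings are assumptions; read the real ones off the certificates in your FortiGate certificate store.

```python
import socket
import ssl

# Assumed CN values: the OP's caname store entry is MY_CA_CERT, but the
# certificate's subject CN is whatever was put in it; the untrusted CA's
# CN is likewise an assumption, confirm both from the FortiGate cert store.
OWN_CA_CN = "MY_CA_CERT"
UNTRUSTED_CA_CN = "FortiGate Untrusted CA"

def _rdn_value(name, key):
    # name is the nested tuple-of-tuples form that getpeercert() returns
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # a wildcard covers exactly one label and never the bare parent domain
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def diagnose(peercert, host):
    issuer_cn = _rdn_value(peercert.get("issuer", ()), "commonName")
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # older certs: fall back to the subject CN
        cn = _rdn_value(peercert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    name_ok = any(_host_matches(p, host) for p in names)
    if issuer_cn == OWN_CA_CN:
        path = "inspected, upstream cert trusted by FortiGate (re-signed with caname)"
    elif issuer_cn == UNTRUSTED_CA_CN:
        path = "inspected, upstream cert NOT trusted by FortiGate (re-signed with untrusted-caname)"
    else:
        path = "not re-signed by either FortiGate CA (no inspection, or a different CA)"
    return {"issuer_cn": issuer_cn, "name_matches": name_ok, "path": path}

def fetch_peercert(host, port=443, timeout=5):
    # Live check from a client behind the FortiGate; the OS trust store must
    # hold your CA (as the posts describe) or the handshake itself fails.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample, not a captured certificate: re-signed by the untrusted
# CA and carrying a name that does not cover the host the browser asked for.
SAMPLE = {
    "subject": ((("commonName", "*.example.net"),),),
    "issuer": ((("commonName", UNTRUSTED_CA_CN),),),
    "subjectAltName": (("DNS", "*.example.net"),),
}

if __name__ == "__main__":
    print(diagnose(SAMPLE, "facebook.com"))
```

Run fetch_peercert("www.example.com") from a client in the inspected subset and pass the result to diagnose() to see which path that client is actually on.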