Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
thegost4u
New Contributor

DC certification problem

Hello all !

My problem is simple: enabling DLP with SSL deep inspection generates warnings on client browsers.

How can I install my Domain Controller certificate on the FortiGate 100D so I won't have to install the SSL certificate (from the FortiGate) on every connected device?
FortiAdam
Contributor II

You need to create a CSR on your firewall and use your domain controller to sign a certificate which you will then import into your firewall and use in your SSL/SSH inspection options.

There are plenty of KB articles and videos that outline the process, but having a general idea of how certificates work is helpful. Are you running certificate services on your domain controller?


Go to the section on using a custom cert on this cookbook article for some pointers http://cookbook.fortinet....-certificate-warnings/

thegost4u

FortiAdam wrote:

You need to create a CSR on your firewall and use your domain controller to sign a certificate which you will then import into your firewall and use in your SSL/SSH inspection options.

There are plenty of KB articles and videos that outline the process, but having a general idea of how certificates work is helpful. Are you running certificate services on your domain controller?


Go to the section on using a custom cert on this cookbook article for some pointers http://cookbook.fortinet....-certificate-warnings/

Thank you for clearing this up.

I work in the networking department, but I will ask if the IT department could help with the signing (you know, communications between different departments are never good).

Another thing:

SSL inspection also breaks Microsoft Exchange. Do I need to install the FortiGate certificate on the Exchange server too? Or is it a DC problem?

FortiAdam
Contributor II

That depends on what your issue is with Exchange exactly. You will need that signed certificate from your domain admin either way, so I would start with that. Keep in mind that you don't necessarily need to deep packet inspect all traffic. If you are wanting to inspect email, it would make more sense to do it as it comes in and out from the internet, because it isn't typically encrypted at that point. Adjust your settings under Policy > Policy > SSH/SSL Inspection as needed.