Hiya,
Reproducable Setup:
- SSL Inspection on.
- Proxy mode on.
- Warning page set on Cloud category.
- Browser: Chrome 56.
When using the Warning functionality for a category i get a warning when pressing proceed to visit the webpage.
on IE11 it works fine but in Google Chrome i get a warning, the certificate it uses is "Fortinet_CA_SSLProxy (CA)" that one is SHA1 and could be the problem.
However when signing a new trusted CA Certificate with SHA2 and chaning it in config user setting to the new SHA2 CA certificate i still get a warning AND the warning page doesnt event work anymore in IE11.
Certificate error with chain on the standard Fortinet_CA_SSLProxy Certificate which is SHA1.
Certificat error with chain on the new SHA2 certificate.
I appreciate it if someone can elaborate on this.
------------------------
Config i changed to use the new certificate
-------------------------
config user setting set auth-type http https ftp telnet set auth-cert '' set auth-ca-cert "Fortinet_CA_SSLProxy" -> Changed to new SHA2 CA Certificate.
---------
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Eric Xavier
Analyst Telecom and Networking
+55 11 3073-0407
eric.xavier@nct.com.br
www.nct.com.br
Rua Urussuí, 92- 10º andar, cj.106-107 Itaim Bibi - Sao Paulo – SP - CEP: 04542-050
Hello Johan,
In your first case, you have the chain correct. FortiGate CA -> 162.125.65.1.
In your second case, the error shows that it is not able to form the chain. Did you import the new Trusted CA Certificate into the system?
>>------------------------ Config i changed to use the new certificate ------------------------- config user setting set auth-type http https ftp telnet set auth-cert '' set auth-ca-cert "Fortinet_CA_SSLProxy" -> Changed to new SHA2 CA Certificate. ---------
If you are trying to use the new certificate to do a Man-in-the-Middle, the configuration to modify it is at "config firewall ssl-ssh-profile", "edit deep-inspection". That is where the Certificate that is used to intercept the SSL sessions is used.
I hope I understood your problem correctly!
HoMing
Thanks and i think both of you are wrong.
This is not the Deep Inspection certificate we are talking about, its the user authentication certificate used for the capture portal to give a warning page.
I consulted with my Technical Consultant and we try'd several configurations but all keep pointing to the builtin Fortigate CA when it generates the blob page after clicking proceed. Even after following this KB to the letter. http://kb.fortinet.com/kb....do?externalID=FD37342
Seems like a bug, he is checking if we can make a case to Fortinet or if we need to upgrade to 5.4 since the builtin certificate is renewed by a SHA2 and the problem should be resolved.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.