LeoT_mupc
New Contributor

Fortigate Certificate CA SSL for SSL inspection

Hi all,


I want to buy a CA SSL certificate to be used for SSL inspection. Where do you suggest buying it and which kind of certificate is the right one? I was looking at ComodoSSL but I cannot identify the right one.

Thank you very much.


Cajuntank
Contributor II

There is no public CA that will sell you this as it is a huge security issue. Can you imagine having a publicly trusted cert that can decrypt anyone else's encrypted traffic? This inquiry has been asked in the past, so here is a link with further detail if interested.


https://community.fortinet.com/t5/Support-Forum/Public-Signed-SSL-certificate-for-SSL-deep-inspectio...


In regards to what kind of certificate, you can use the built-in cert provided and deploy it out to your devices or you can have your own private CA (this could be something like FortiAuthenticator or Windows CA if you have an existing AD infrastructure for example) sign an intermediate/subordinate certificate to use. That root CA would need to be trusted in your organization (which is why it's typically easier if you have an existing Windows AD infrastructure). The device trusts the root CA, thus there is trust for intermediate CA signed certificates...although, for some browsers like Safari, this is no longer the case and the entire certificate chain needs to be trusted.
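As an added example (not code from this thread or from Fortinet), here is the private-CA setup described above done with openssl: a private root signs a subordinate CA with pathlen:0 for the inspection appliance, and the chain is then checked from a client that trusts the root and from one that does not. "Example Corp" and all file names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a private root CA, have it sign a
# subordinate CA for the firewall's deep-inspection profile, and verify the chain.
# "Example Corp" and all file names are constructed placeholders.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Offline private root: the one certificate every managed device must trust.
make_root_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=Example Corp Private Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
}

# Subordinate CA for the inspection appliance. pathlen:0 lets it mint leaf
# (server) certificates on the fly but not further CAs; keep the root offline.
make_sub_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=Example Corp Deep Inspection CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/sub.ext"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 730 -sha256 -extfile "$WORK/sub.ext" -out "$WORK/sub.crt" 2>/dev/null
  # The appliance imports the subordinate certificate together with its key.
  cat "$WORK/sub.key" "$WORK/sub.crt" > "$WORK/inspection-ca.pem"
}

# A managed client that trusts the root accepts the chain (exit 0).
verify_with_root() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/sub.crt" >/dev/null 2>&1
}

# A guest device that trusts nothing of ours rejects it (non-zero), which is
# exactly the certificate warning the original poster sees on guest WiFi.
verify_untrusted() {
  openssl verify -no-CAfile -no-CApath "$WORK/sub.crt" >/dev/null 2>&1
}

# True only if the subordinate certificate is really marked as a CA.
sub_is_ca() {
  openssl x509 -in "$WORK/sub.crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

make_root_ca
make_sub_ca
verify_with_root && sub_is_ca && \
  echo "chain OK: root.crt goes to the clients, inspection-ca.pem to the FortiGate (in $WORK)"
```

Requires OpenSSL 1.1.0 or newer for the -no-CAfile/-no-CApath options.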

LeoT_mupc

Sure. The problem is the external users on WiFi. I can't deploy the certificate to them to stop having issues with the SSL inspection.

Cajuntank

You might want to look into using an MDM to manage your devices. With something like Intune from Microsoft you can manage those devices and push out those certificates as needed. There are some workflows for BYOD you can employ if the devices are non-organization owned to bring them under your MDM control.

pminarik

If this is for guests, then there's nothing you can do. At best, disable authentication-redirect on HTTPS (it will just drop the traffic = no certificate warnings from attempted MITM for redirection purposes), and hope that the clients will probe for a captive portal using plain HTTP (AFAIK almost every device does). The FortiGate will have no trouble redirecting the HTTP request to the captive portal.

[ corrections always welcome ]
Cajuntank

"If this is for guests, then there's nothing you can do."... typically yes; however, depending on the circumstances, the BYOD workflow some MDM providers outline might also be acceptable. There are onboarding solutions that help with that certificate onboarding process for guest wireless situations.
