Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Rodrigo
New Contributor

Invalid CA Root Certificate when SSL Inspection is enabled

I have a FG100D with FortiOS 5.0.7 with SSL Inspection Enabled. I' ve choose in my DeepInspection Policy Fortigate_CA_SSLProxy as Signing CA certificate. But when I try to access to a secure web site, the client browser get a certificated issued by FG100DXXXXXXX (xxxxx is my serial number) instead of a certificated issued by Fortigate CA. Also the subject name is invalid (it doesn' t show the url of the visited site) i' ve create two Deep Inspection Policies with the same result - also I explicitily choose Fortigate_CA_SSLProxy from CLI -( config firewall deep... edit xxx set caname Fortigate_CA_SSLProxy)_. Is this some kind of bug from 5.0.7??? I don' t want to rollback to 5.0.6 for heartbleed.
Regards
Rodrigo
RegardsRodrigo
6 REPLIES 6
dannybruk
New Contributor

I am seeing the same, but only without deep inspection (ie I have the SSL Inspection policy enabled *and* I have ' scan encrypted connections' unticked). It is annoying as I don' t need deep scanning but do need to protect against https access for certain sites.
Bromont_FTNT
Staff
Staff

When not using deep SSL inspection there is no man-in-the-middle performed so allowed pages should not show any warnings, however blocked pages will show warnings... this is due to the Fortigate needing to replace that HTTPS page with the blocked page message which must be delivered over HTTPS, currently the Fortigate presents its own certificate (with CN=serial#) thus the warning. I believe a new feature in 5.2 will give the ability for page reset and/or m-i-t-m only for blocked pages... obviously to bypass warnings this would still require loading the Fortigate or DC CA certificate into the browser/Windows
ykonstantakopoulos

There' s a CLI command that can disable the replacement-message for HTTPS websites and the browser’s time-out message will be showed instead: config webfilter profile edit " your webfilter profile" set https-replacemsg disable end end
dannybruk
New Contributor

Thanks Bromont, ykonstantakopoulos. I don' t recall seeing the FGT S/N certificate before for blocked pages, only the CA Proxy certificate (which I have loaded on my test PC' s), maybe I have always had deep inspection on in the past?
MICAH_TENGWA
New Contributor

Please I need help ASAP, Please.

Most of our company websites are showing unsecured connection (invalid CA) instead of displaying the right CA information it insteads shows our fortigate serial number. Please help me out please

 

MT
MT
MICAH_TENGWA

We just upgraded from 5.4.5 to 6.0.2. we can't downgrade because we might cause more harm than good so please what could be the reason for this? 

MT
MT
Labels
Top Kudoed Authors