Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
raffaeledp
Contributor

Problem with custom deep inspection profile

Hello everybody,

I want to perform custom deep inspect, but I don't wanto to use the default FORTINET_CA_SLL certificate, so I decided to create a custom profile.

(I'm working on FortiOS 7.2.8)

I generated my certificates with Let's Encrypt, and I have 4 files:

cert.pem

chain.pem

fullchain.pem

privkey.pem

Some informations inside them are:

1) cert.pem

{
    "name": "\/CN=xyz.com",
    "subject": {
        "CN": "xyz.com"
    },
    "hash": "xyz",
    "issuer": {
        "C": "US",
        "O": "Let's Encrypt",
        "CN": "E5"
    },
    "version": 2,
    "serialNumber": "xyz",
    "serialNumberHex": "xyz",
    "validFrom": "240628134133Z",
    "validTo": "240926134132Z",
    "validFrom_time_t": 1719582093,
    "validTo_time_t": 1727358092,
    "signatureTypeSN": "ecdsa-with-SHA384",
    "signatureTypeLN": "ecdsa-with-SHA384",
    "signatureTypeNID": 795,
    "purposes": {
        "1": [
            true,
            false,
            "sslclient"
        ],
        "2": [
            true,
            false,
            "sslserver"
        ],
        "3": [
            false,
            false,
            "nssslserver"
        ],
        "4": [
            false,
            false,
            "smimesign"
        ],
        "5": [
            false,
            false,
            "smimeencrypt"
        ],
        "6": [
            false,
            false,
            "crlsign"
        ],
        "7": [
            true,
            true,
            "any"
        ],
        "8": [
            true,
            false,
            "ocsphelper"
        ],
        "9": [
            false,
            false,
            "timestampsign"
        ]
    },
    "extensions": {
        "keyUsage": "Digital Signature",
        "extendedKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
        "basicConstraints": "CA:FALSE",
        "subjectKeyIdentifier": "xyz",
        "authorityKeyIdentifier": "xyz",
        "authorityInfoAccess": "xyz",
        "subjectAltName": "DNS:*.xyz.com, DNS:xyz.com",
        "certificatePolicies": "xyz",
        "ct_precert_scts": "xyz"
    }
}

 

2) chain.pem

{
    "name": "\/C=US\/O=Let's Encrypt\/CN=E5",
    "subject": {
        "C": "US",
        "O": "Let's Encrypt",
        "CN": "E5"
    },
    "hash": "xyz",
    "issuer": {
        "C": "US",
        "O": "Internet Security Research Group",
        "CN": "ISRG Root X1"
    },
    "version": 2,
    "serialNumber": "xyz",
    "serialNumberHex": "xyz",
    "validFrom": "240313000000Z",
    "validTo": "270312235959Z",
    "validFrom_time_t": 1710288000,
    "validTo_time_t": 1804895999,
    "signatureTypeSN": "RSA-SHA256",
    "signatureTypeLN": "sha256WithRSAEncryption",
    "signatureTypeNID": 668,
    "purposes": {
        "1": [
            true,
            true,
            "sslclient"
        ],
        "2": [
            true,
            true,
            "sslserver"
        ],
        "3": [
            false,
            true,
            "nssslserver"
        ],
        "4": [
            false,
            false,
            "smimesign"
        ],
        "5": [
            false,
            false,
            "smimeencrypt"
        ],
        "6": [
            true,
            true,
            "crlsign"
        ],
        "7": [
            true,
            true,
            "any"
        ],
        "8": [
            true,
            true,
            "ocsphelper"
        ],
        "9": [
            false,
            true,
            "timestampsign"
        ]
    },
    "extensions": {
        "keyUsage": "Digital Signature, Certificate Sign, CRL Sign",
        "extendedKeyUsage": "TLS Web Client Authentication, TLS Web Server Authentication",
        "basicConstraints": "CA:TRUE, pathlen:0",
        "subjectKeyIdentifier": "xyz",
        "authorityKeyIdentifier": "xyz",
        "authorityInfoAccess": "xyz",
        "certificatePolicies": "xyz",
        "crlDistributionPoints": "xyz"
    }
}

Which of these certificate can I use inside the custom deep inspection profile instead of FORTINET_CA_SSL?

I suppose that I need one of these certificates inside the LOCAL CA CERTIFICATE section, but I'm not able to import any of them inside that section.

Thank you for your support!

 

RDP
RDP
1 Solution
raffaeledp
Contributor

RDP
3 REPLIES 3
raffaeledp
Contributor

RDP
Jean-Philippe_P

Thanks a lot for sharing it :)

Jean-Philippe - Fortinet Community Team
xionli2
New Contributor

Installing Fortigate cert is not fool proof. Some sites have protective measures against TLS inspection and it will stop Fortigate from doing TLS inspection. I think servers can do certificate pinning, so that the connection will see that certificate has been replaced by proxy or MITM attack https://xender.vip/ .

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors