Hello everybody,
I want to perform custom deep inspect, but I don't wanto to use the default FORTINET_CA_SLL certificate, so I decided to create a custom profile.
(I'm working on FortiOS 7.2.8)
I generated my certificates with Let's Encrypt, and I have 4 files:
cert.pem
chain.pem
fullchain.pem
privkey.pem
Some informations inside them are:
1) cert.pem
{
"name": "\/CN=xyz.com",
"subject": {
"CN": "xyz.com"
},
"hash": "xyz",
"issuer": {
"C": "US",
"O": "Let's Encrypt",
"CN": "E5"
},
"version": 2,
"serialNumber": "xyz",
"serialNumberHex": "xyz",
"validFrom": "240628134133Z",
"validTo": "240926134132Z",
"validFrom_time_t": 1719582093,
"validTo_time_t": 1727358092,
"signatureTypeSN": "ecdsa-with-SHA384",
"signatureTypeLN": "ecdsa-with-SHA384",
"signatureTypeNID": 795,
"purposes": {
"1": [
true,
false,
"sslclient"
],
"2": [
true,
false,
"sslserver"
],
"3": [
false,
false,
"nssslserver"
],
"4": [
false,
false,
"smimesign"
],
"5": [
false,
false,
"smimeencrypt"
],
"6": [
false,
false,
"crlsign"
],
"7": [
true,
true,
"any"
],
"8": [
true,
false,
"ocsphelper"
],
"9": [
false,
false,
"timestampsign"
]
},
"extensions": {
"keyUsage": "Digital Signature",
"extendedKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"basicConstraints": "CA:FALSE",
"subjectKeyIdentifier": "xyz",
"authorityKeyIdentifier": "xyz",
"authorityInfoAccess": "xyz",
"subjectAltName": "DNS:*.xyz.com, DNS:xyz.com",
"certificatePolicies": "xyz",
"ct_precert_scts": "xyz"
}
}
2) chain.pem
{
"name": "\/C=US\/O=Let's Encrypt\/CN=E5",
"subject": {
"C": "US",
"O": "Let's Encrypt",
"CN": "E5"
},
"hash": "xyz",
"issuer": {
"C": "US",
"O": "Internet Security Research Group",
"CN": "ISRG Root X1"
},
"version": 2,
"serialNumber": "xyz",
"serialNumberHex": "xyz",
"validFrom": "240313000000Z",
"validTo": "270312235959Z",
"validFrom_time_t": 1710288000,
"validTo_time_t": 1804895999,
"signatureTypeSN": "RSA-SHA256",
"signatureTypeLN": "sha256WithRSAEncryption",
"signatureTypeNID": 668,
"purposes": {
"1": [
true,
true,
"sslclient"
],
"2": [
true,
true,
"sslserver"
],
"3": [
false,
true,
"nssslserver"
],
"4": [
false,
false,
"smimesign"
],
"5": [
false,
false,
"smimeencrypt"
],
"6": [
true,
true,
"crlsign"
],
"7": [
true,
true,
"any"
],
"8": [
true,
true,
"ocsphelper"
],
"9": [
false,
true,
"timestampsign"
]
},
"extensions": {
"keyUsage": "Digital Signature, Certificate Sign, CRL Sign",
"extendedKeyUsage": "TLS Web Client Authentication, TLS Web Server Authentication",
"basicConstraints": "CA:TRUE, pathlen:0",
"subjectKeyIdentifier": "xyz",
"authorityKeyIdentifier": "xyz",
"authorityInfoAccess": "xyz",
"certificatePolicies": "xyz",
"crlDistributionPoints": "xyz"
}
}
Which of these certificate can I use inside the custom deep inspection profile instead of FORTINET_CA_SSL?
I suppose that I need one of these certificates inside the LOCAL CA CERTIFICATE section, but I'm not able to import any of them inside that section.
Thank you for your support!
Solved! Go to Solution.
For anyone who has this kind of problem, this is the answer:
For anyone who has this kind of problem, this is the answer:
Thanks a lot for sharing it :)
Installing Fortigate cert is not fool proof. Some sites have protective measures against TLS inspection and it will stop Fortigate from doing TLS inspection. I think servers can do certificate pinning, so that the connection will see that certificate has been replaced by proxy or MITM attack https://xender.vip/ .
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.