raffaeledp
New Contributor II

Problem with custom deep inspection profile

Hello everybody,

I want to perform custom deep inspection, but I don't want to use the default FORTINET_CA_SSL certificate, so I decided to create a custom profile.

(I'm working on FortiOS 7.2.8)

I generated my certificates with Let's Encrypt, and I have 4 files:

cert.pem

chain.pem

fullchain.pem

privkey.pem

Some of the information inside them is:

1) cert.pem

{
    "name": "\/CN=xyz.com",
    "subject": {
        "CN": "xyz.com"
    },
    "hash": "xyz",
    "issuer": {
        "C": "US",
        "O": "Let's Encrypt",
        "CN": "E5"
    },
    "version": 2,
    "serialNumber": "xyz",
    "serialNumberHex": "xyz",
    "validFrom": "240628134133Z",
    "validTo": "240926134132Z",
    "validFrom_time_t": 1719582093,
    "validTo_time_t": 1727358092,
    "signatureTypeSN": "ecdsa-with-SHA384",
    "signatureTypeLN": "ecdsa-with-SHA384",
    "signatureTypeNID": 795,
    "purposes": {
        "1": [
            true,
            false,
            "sslclient"
        ],
        "2": [
            true,
            false,
            "sslserver"
        ],
        "3": [
            false,
            false,
            "nssslserver"
        ],
        "4": [
            false,
            false,
            "smimesign"
        ],
        "5": [
            false,
            false,
            "smimeencrypt"
        ],
        "6": [
            false,
            false,
            "crlsign"
        ],
        "7": [
            true,
            true,
            "any"
        ],
        "8": [
            true,
            false,
            "ocsphelper"
        ],
        "9": [
            false,
            false,
            "timestampsign"
        ]
    },
    "extensions": {
        "keyUsage": "Digital Signature",
        "extendedKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
        "basicConstraints": "CA:FALSE",
        "subjectKeyIdentifier": "xyz",
        "authorityKeyIdentifier": "xyz",
        "authorityInfoAccess": "xyz",
        "subjectAltName": "DNS:*.xyz.com, DNS:xyz.com",
        "certificatePolicies": "xyz",
        "ct_precert_scts": "xyz"
    }
}


2) chain.pem

{
    "name": "\/C=US\/O=Let's Encrypt\/CN=E5",
    "subject": {
        "C": "US",
        "O": "Let's Encrypt",
        "CN": "E5"
    },
    "hash": "xyz",
    "issuer": {
        "C": "US",
        "O": "Internet Security Research Group",
        "CN": "ISRG Root X1"
    },
    "version": 2,
    "serialNumber": "xyz",
    "serialNumberHex": "xyz",
    "validFrom": "240313000000Z",
    "validTo": "270312235959Z",
    "validFrom_time_t": 1710288000,
    "validTo_time_t": 1804895999,
    "signatureTypeSN": "RSA-SHA256",
    "signatureTypeLN": "sha256WithRSAEncryption",
    "signatureTypeNID": 668,
    "purposes": {
        "1": [
            true,
            true,
            "sslclient"
        ],
        "2": [
            true,
            true,
            "sslserver"
        ],
        "3": [
            false,
            true,
            "nssslserver"
        ],
        "4": [
            false,
            false,
            "smimesign"
        ],
        "5": [
            false,
            false,
            "smimeencrypt"
        ],
        "6": [
            true,
            true,
            "crlsign"
        ],
        "7": [
            true,
            true,
            "any"
        ],
        "8": [
            true,
            true,
            "ocsphelper"
        ],
        "9": [
            false,
            true,
            "timestampsign"
        ]
    },
    "extensions": {
        "keyUsage": "Digital Signature, Certificate Sign, CRL Sign",
        "extendedKeyUsage": "TLS Web Client Authentication, TLS Web Server Authentication",
        "basicConstraints": "CA:TRUE, pathlen:0",
        "subjectKeyIdentifier": "xyz",
        "authorityKeyIdentifier": "xyz",
        "authorityInfoAccess": "xyz",
        "certificatePolicies": "xyz",
        "crlDistributionPoints": "xyz"
    }
}

Which of these certificates can I use inside the custom deep inspection profile instead of FORTINET_CA_SSL?

I suppose that I need one of these certificates inside the LOCAL CA CERTIFICATE section, but I'm not able to import any of them inside that section.

Thank you for your support!


RDP
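The two dumps in the post already contain the answer to which file can act as a re-signing CA: cert.pem carries basicConstraints CA:FALSE and a keyUsage of Digital Signature only, so clients reject any certificate chained through it, and chain.pem is the Let's Encrypt E5 intermediate, whose private key only Let's Encrypt holds. A deep-inspection CA must be a CA certificate (CA:TRUE, with keyUsage including Certificate Sign) imported together with its private key. The shell script below is an added example, not part of the post or of FortiOS: it builds a constructed self-signed CA and a leaf shaped like cert.pem with openssl, then checks both properties against each file. The function names, file names, the "Example Inspection CA" subject and the temporary directory are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the forum post): decide whether a PEM certificate
# can serve as a FortiGate deep-inspection (re-signing) CA.  Two things must
# hold: the certificate is a CA (basicConstraints CA:TRUE and, if keyUsage is
# present, it includes Certificate Sign), and you hold its private key.
# Function and file names are this example's own; only openssl is required.
set -u

# Return 0 if the certificate in $1 is a CA allowed to sign certificates,
# 1 if it is not, 2 if the file cannot be parsed.
is_resigning_ca() {
  txt=$(openssl x509 -in "$1" -noout -text) || return 2
  printf '%s\n' "$txt" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' || return 1
  # RFC 5280: a CA without a keyUsage extension may sign; with one, keyCertSign is required.
  if printf '%s\n' "$txt" | grep -q 'X509v3 Key Usage'; then
    printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || return 1
  fi
  return 0
}

# Return 0 if private key $2 belongs to certificate $1 (compares the public keys).
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  k=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$c" = "$k" ]
}

# Verdict: 0 = usable as inspection CA, 1 = not a CA, 2 = CA but key missing or
# mismatched (the chain.pem case: you do not own the intermediate's key).
check_inspection_ca() {
  is_resigning_ca "$1"
  case $? in
    0) ;;
    1) echo "$1: not a CA certificate (leaf, or keyUsage lacks Certificate Sign)"; return 1 ;;
    *) echo "$1: cannot parse certificate"; return 3 ;;
  esac
  if [ -f "${2:-}" ] && key_matches_cert "$1" "$2"; then
    echo "$1: CA with matching private key, usable for re-signing"; return 0
  fi
  echo "$1: CA certificate, but no matching private key (cannot re-sign)"; return 2
}

# Constructed demo material: a self-signed CA (what the FortiGate needs) and a
# leaf mimicking cert.pem from the post (CA:FALSE, digitalSignature only).
DEMO=$(mktemp -d)
cat > "$DEMO/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Example Inspection CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:xyz.com,DNS:*.xyz.com
EOF
openssl req -x509 -config "$DEMO/openssl.cnf" -extensions v3_ca -days 30 \
  -newkey rsa:2048 -nodes -keyout "$DEMO/ca.key" -out "$DEMO/ca.crt" 2>/dev/null
openssl req -new -config "$DEMO/openssl.cnf" -subj "/CN=xyz.com" \
  -newkey rsa:2048 -nodes -keyout "$DEMO/leaf.key" -out "$DEMO/leaf.csr" 2>/dev/null
openssl x509 -req -in "$DEMO/leaf.csr" -CA "$DEMO/ca.crt" -CAkey "$DEMO/ca.key" \
  -CAcreateserial -days 30 -extfile "$DEMO/openssl.cnf" -extensions v3_leaf \
  -out "$DEMO/leaf.crt" 2>/dev/null

# Demo run: the leaf is rejected, the CA with its own key is accepted.
check_inspection_ca "$DEMO/leaf.crt" "$DEMO/leaf.key" || :
check_inspection_ca "$DEMO/ca.crt" "$DEMO/ca.key" || :
```

Only a certificate that passes check_inspection_ca with its key can be imported on the FortiGate as a local certificate (certificate plus private key) and selected as the re-signing CA of the profile, which in the CLI is the `set caname` option under `config firewall ssl-ssh-profile`. A public CA such as Let's Encrypt only ever issues leaf certificates, so no file from that flow will pass; the CA you use must be your own (self-signed or from an internal PKI), and its certificate must additionally be distributed to the clients' trust stores or they will see certificate errors on every inspected site.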
1 Solution
raffaeledp
New Contributor II

RDP
Jean-Philippe_P

Thanks a lot for sharing it :)

Jean-Philippe - Fortinet Community Team
xionli2
New Contributor

Installing a FortiGate cert is not foolproof. Some sites have protective measures against TLS inspection, and they will stop the FortiGate from doing TLS inspection. I think servers can do certificate pinning, so that the connection will see that the certificate has been replaced by a proxy or MITM attack https://xender.vip/ .
