Support Forum
woltehrtl
New Contributor

Question about certificate inspection

Sorry guys, I started with firewalls recently and I am doing the NSE4 course, but I am a bit confused about this topic.

1: In deep inspection, FortiGate does this to validate the certificate: verifies its revocation list, CA certificate possession, validates the dates and digital signature. Is this correct?

2: In SSL certificate inspection, does it validate the same using the SNI that the client sends in the TLS handshake? FortiGate will validate as well "date, signature, etc." but using the SNI. Is it correct?

3: What is the certificate bundle? For example, I know that FortiGate utilizes the Mozilla Root CA list. Is the certificate bundle this, the root CA list?

4: This one is a more general question: why can the same website have a different certificate path in different web browsers? For example, I opened a site where the intermediate CA was different in Firefox and Chrome. If I understand correctly, the server will send its CA that is signed by an intermediate CA, and this CA is signed by a root CA. But for this website I had a different path in different web browsers.


Thank you in advance for any help

AlexC-FTNT
Staff

I'd say:

1. Yes.

2. Yes.

3. That would be the trusted CA list.

4. Because the site certificates are sometimes cross-signed and each browser does its independent security check, so it may reach different results depending on which CA auth it is checking against.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
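The path-building behind point 4, as an added example written for this thread (not Fortinet's or either poster's code): a simplified model in which an intermediate is cross-signed by two hypothetical roots, and two clients with different trust stores and different intermediate caches end up on different chains for the same server certificate. Names, key ids and the PKI are all constructed for the illustration.

```python
from collections import namedtuple

# Minimal certificate model, enough to show path building. A real validator
# also checks signatures, dates, name constraints and revocation on every hop;
# here a hop is accepted when the issuer holds the key id that signed the cert.
Cert = namedtuple("Cert", "subject issuer signed_by_key key_id")

# Constructed PKI for the example (hypothetical names, not a real hierarchy).
ROOT_A = Cert("Root A", "Root A", "kA", "kA")          # self-signed root
ROOT_B = Cert("Root B", "Root B", "kB", "kB")          # self-signed root
INT_BY_A = Cert("Intermediate", "Root A", "kA", "kI")  # intermediate issued by Root A
INT_BY_B = Cert("Intermediate", "Root B", "kB", "kI")  # same key, cross-signed by Root B
LEAF = Cert("www.example.test", "Intermediate", "kI", "kL")

def issuers_of(cert, pool):
    """Candidate issuers: subject matches cert.issuer and key id matches the signer."""
    return [c for c in sorted(pool)
            if c.subject == cert.issuer and c.key_id == cert.signed_by_key]

def build_paths(leaf, available, trust_store, max_depth=5):
    """Depth-first path building (RFC 4158 style) from leaf to any trust anchor.
    `available` is what this client can see: the server-sent certs plus its own
    intermediate cache. Returns every valid path as a list of Cert, leaf first."""
    pool = set(available) | set(trust_store)
    paths = []

    def walk(path):
        current = path[-1]
        if current in trust_store:
            paths.append(path)
            return
        if len(path) >= max_depth:
            return
        for issuer in issuers_of(current, pool):
            if issuer not in path:          # cross-signed roots can form loops
                walk(path + [issuer])

    walk([leaf])
    return paths

def roots_reached(paths):
    """Subject of the trust anchor each path terminates in."""
    return [p[-1].subject for p in paths]

if __name__ == "__main__":
    server_sent = [LEAF, INT_BY_A]        # what the TLS server hands out
    # Client 1: trusts both roots, uses only the server-sent chain -> Root A
    print(roots_reached(build_paths(LEAF, server_sent, {ROOT_A, ROOT_B})))
    # Client 2: does not trust Root A but cached the cross-signed intermediate -> Root B
    print(roots_reached(build_paths(LEAF, server_sent + [INT_BY_B], {ROOT_B})))
```

With both intermediates available and both roots trusted, two valid paths exist and which one a browser displays is down to its own preference logic, which is the "independent security check" in the reply above.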
pminarik

I'll just add that:

1. Neither CRL nor OCSP-based revocation checks are done by default.

CRLs need to be imported manually first (for any interesting CA); OCSP needs to be enabled in "config vpn certificate setting" (ocsp-status etc.).

2. The SNI check can be directly controlled in newer firmware versions with the "Server certificate SNI check" option (GUI):

(image: SNI check GUI snippet)

[ corrections always welcome ]