Root-CA Import for SSL-Inspection
Hi all,
we have enabled deep SSL-Inspection on an FG100D Cluster. Everything works fine so far, except full validation of certificates presented by the remote server. For example, all self-signed certificates on remote servers are accepted by Fortigate, because there is no issuer validation (try with the test on https://filippo.io/Badfish/). I found the CLI setting "ssl-ca-list", which should solve this problem by verifying server certificates against the stored CA-Cert list in Fortigate. But - how can I import ANY trusted Root-CA certs in Fortigate, like browsers have? Is it possible to import a "trusted root-CA-package" or something like that? Thank you!
The FGT GUI can import a CA certificate bundle file.
Normally "ssl-ca-list" is disabled by default, no need to enable it. You just make your browser trust the CA certificate ("caname") used in the deep-scan "ssl-ssh-profile". It is the common use case.
If "ssl-ca-list" is enabled, it will force the FGT to check the full certificate chain, and it will need the Root CA certificates imported into the FGT.
Unless you want more checks, leaving "ssl-ca-list" disabled will be good enough. Thanks.
Any update?
Yes, you can import a CA from the GUI: Certificates -> CA Certificates, thanks.
Jeff_FTNT wrote: Yes, you can import a CA from the GUI: Certificates -> CA Certificates, thanks.
Thank you. I know this option in the GUI, but how can I import multiple CAs in one step? For example, when I take a look at the Firefox CA certs, I can see about 290 trusted Root-CAs!
Deep SSL inspection with Fortigate is not useful unless I have a possibility to manage my root CAs in a prudent way. And deep inspection without validating the issuer of remote server certs (which is the default setting!) results in vulnerability to man-in-the-middle attacks and non-serious webservers. Please correct me if I am wrong...
Jeff_FTNT wrote: The FGT GUI can import a CA certificate bundle file.
That was the decisive tip for me! I exported a full CA list from Firefox, merged all .crt files into one big crt and imported this crt in Fortigate - done. I know that I have to manage the CA certs in Fortigate by myself now, but this is much better than nothing. Thank you Jeff!
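The merge step described above, as an added example that is not part of this thread and not Fortinet's own tooling: a small POSIX shell script that concatenates a directory of PEM-encoded `.crt` files into one bundle, skips files that carry no PEM certificate block, drops duplicate certificates (the same root often appears in several exports), and reports how many distinct certificates went in. The directory and file names are assumptions; the `openssl` helpers at the end are for checking the result before uploading it and are only needed if `openssl` is installed.

```shell
#!/bin/sh
# Added example, not from the forum thread. Merges PEM .crt files into one
# CA bundle suitable for upload under Certificates -> CA Certificates.
# Usage: sh merge_ca_bundle.sh <dir-with-crt-files> <bundle.crt>   (paths are assumptions)

# Print every distinct PEM certificate block found in the given files.
# The dedupe key is the base64 body with whitespace removed, so the same
# certificate wrapped at different line widths still counts once.
dedupe_pem() {
    awk '
    /-----BEGIN CERTIFICATE-----/ { blk = ""; key = ""; inblk = 1 }
    inblk {
        blk = blk $0 "\n"
        if ($0 !~ /-----/) { line = $0; gsub(/[ \t\r]/, "", line); key = key line }
    }
    /-----END CERTIFICATE-----/ {
        inblk = 0
        if (key != "" && !(key in seen)) { seen[key] = 1; printf "%s", blk }
    }
    ' "$@"
}

# Count the certificates in a bundle (0 when none, without a non-zero exit).
count_certs() {
    grep -c -- '-----END CERTIFICATE-----' "$1" || true
}

# Merge every *.crt in directory $1 into bundle $2 and print the resulting
# certificate count. Files without a PEM block are reported on stderr and
# skipped; DER-encoded exports must be converted to PEM first
# (openssl x509 -inform der -in x.cer -out x.crt).
merge_ca_bundle() {
    dir="$1"; out="$2"
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || echo "skip (no PEM block): $f" >&2
    done
    dedupe_pem "$dir"/*.crt > "$out"
    count_certs "$out"
}

# Optional checks that need openssl:
# show subject/issuer of every certificate in the bundle
list_bundle() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}
# confirm a saved server certificate chains to a root in the bundle
verify_against_bundle() {
    openssl verify -CAfile "$1" "$2"
}

# Run the merge when invoked directly with two arguments.
if [ $# -ge 2 ]; then
    merge_ca_bundle "$1" "$2"
fi
```

Once `ssl-ca-list` relies on this bundle, it is the only trust store the firewall consults for those profiles, so the bundle has to be rebuilt and re-uploaded whenever the browser's root list changes; keeping the export directory and this script together makes that a repeatable step rather than a one-off.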
Fortiuser wrote: You'd know our local CAs, but what about public CAs? Would you have copied Root Certificates from Windows certmgr.msc's "Trusted Root Certificate Authorities" or Firefox's Certificate store "Authorities"?
I know that I have to manage the CA certs in Fortigate by myself now...
