Hello
I'm trying to set up a SSL Inspection Profile for a Server behind our Fortigate but as soon as I activate the SSL Profile I get an error for the Website that it's not been trusted. SSL Inspection Options is set to Protecting SSL Server.
If I activate the SSL Profile on the Policy and check on https://www.digicert.com/help/ I get following error:
"The Certificate is not issued by DigiCert, GeoTrust, Thawte, or RapidSSL" and the Serial Number which is shown for the Certificate I can't find under Certificates
I uploaded the Wildcard Certificate with Private Key to the Local Certificate and I can see it there. I also see the Intermediate Cert in the Remote CA Cerificate section. Do I have to upload the Root Cert as Remote Certificate to work or what could be the Problem?
I would appreciate your help!
Hi
Hi
Yes I did select the right Certificate in the Profile.
I also tried with different Browsers. In the Certificate Viewer on the Browser it says that the Certificate was issued by Fortinet. Even though I selected the Server Certificate I uploaded.
I uploaded the Wildcard Certificate by itself. Do I have to upload the whole Certificate Chain in one File to the Fortigate?
Thank you
Hi
Then this is not a certificate chain issue. If your browser said it is using Fortinet issued certificate then the traffic is probably handled by a policy that is not using the right SSL profile.
On the other hand (but this is not the cause of your issue), as per my knowledge, usually public certificates are provided with the whole certificate chain in one file. Just check your certificate properties under FGT menu/ System > Certificates). Otherwise it is better to upload it since not all client types accept a certificate without the whole chain.
I uploaded the whole Certificate Chain now and in the Log I can see that it takes the right Policy. As soon as I activate the SSL Profile with the Certificate the Website doesn't "work" anymore. If I check the Certificate it shows me a Fortinet Cert but the Serialnumber of this Certificate I can't even find under Certificates.
Also If I check https://www.digicert.com/help/ it shows me "The Certificate is not issued by DigiCert, GeoTrust, Thawte, or RapidSSL" and also some Serialnumber I don't know.
Which FortiOS version?
Can you also post a screenshot of both your SSL inspection profile and the firewall policy?
We have FortiOS 7.2.4
Following the SSL Profile and the FW Policy
If I check the Website after I activate the Firewall Rule with SSL Profile I see this:
If I check the site on https://www.digicert.com/help/ I get following error. Also the Serialnumber which is shown I can't find in the Certificate Section on the Fortigate
There are some related issues fixed in later patches.
First I'd recommend to patch your FortiGate to 7.2.7.
884578 - Unexpected behavior in WAD caused by enabling HTTP/2 while using virtual servers.
895962 - Intermittent behavior in WAD during SSL renegotiation while using virtual servers.
853864 - FortiGate out-of-band certificate check issue occurs in a proxy mode policy with SSL inspection.
Yes Sorry my bad I misstyped we are on Version 7.2.7
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.