Camshaft007
New Contributor

SSL-DPI FortiOS 5.4.1 - CA Issue

I'm having a problem where my FGT is injecting the "Fortinet Untrusted CA cert" instead of my Custom CA when inspecting traffic to certain websites.  Anyone else running into this problem?  After a very long call with TAC I think we have this issue nailed down to a bug with 5.4.1 and the introduction of the "Fortinet Untrusted CA Cert". 

"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it." - Linus Torvalds

Camshaft007
New Contributor

So, I feel like I should respond to this as we (TAC and I) were able to figure out what happened. The "untrusted CA certificate" is a new feature in version 5.4.x. If there is an issue with the certificate chain, the Fortigate will use the "Untrusted CA certificate" by default for SSL inspection.
Now this leaves you 2 options.. 1.) Deploy the "Untrusted CA Certificate" all over your environment.... no thank you.. 2.) Set the "untrusted CA Cert" to your "Trusted CA Certificate" you're using for SSL-DPI.
Personally I went with option 2, else you will be making "exceptions" for every single broken Certificate Chain your users come in contact with (for me this number has only been 2 but I anticipate more). Even if the site/url is malicious, the encrypted traffic will still be inspected and hopefully the FGT will keep out the bad stuff.

"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it." - Linus Torvalds
clarkg

How do you set the untrusted CA cert to your trusted cert?

emnoc
Esteemed Contributor III

How about replacing the Untrusted cert? You should do that by default
take a look at the following under ssl and certificate
( defaults, as they appear in the SSL/SSH inspection profile )

config firewall ssl-ssh-profile
    edit "deep-inspection"
        set caname "Fortinet_CA_SSLProxy"
        set untrusted-caname "Fortinet_CA_Untrusted"
    next
end
You can import your trusted cert, and replace the ssl inspection cert FWIW
PCNSE NSE StrongSwan
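After pointing untrusted-caname at the CA you actually deployed, the useful check is to confirm from a client behind the firewall which issuer is being handed out for a given site. The script below is an added example written for this thread; it is not code from the thread, from Fortinet, or from FortiOS. It assumes the openssl command-line tool is on the client's PATH, and the CA common names (EXPECTED_CA_CN, UNTRUSTED_CA_CN) and the two s_client output samples are constructed placeholders: take the real CNs from the Subject of the certificates loaded on your own unit.

```python
"""Check which CA an SSL-inspecting FortiGate is presenting for a set of hosts.

Runs `openssl s_client` against each host from a client behind the firewall
and reports whether the leaf certificate was issued by the CA you deployed,
by the fallback "untrusted" CA, or by something else (not intercepted).
"""
import re
import subprocess
import sys

# Constructed placeholder CNs: take the real values from the Subject of the
# certificates loaded on your own FortiGate.
EXPECTED_CA_CN = "Example Corp SSL Inspection CA"
UNTRUSTED_CA_CN = "FGT Untrusted CA (placeholder)"

# Constructed sample of the header block openssl s_client prints, in the
# "key = value, ..." DN style used by OpenSSL 1.1.1 and later.
SAMPLE_OUTPUT_NEW_STYLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Fortinet, CN = FGT Untrusted CA (placeholder)
---
subject=CN = www.example.test
issuer=C = US, O = Fortinet, CN = FGT Untrusted CA (placeholder)
"""

# Constructed sample of the same block in the older "/key=value/..." DN
# style printed by OpenSSL 1.0.x.
SAMPLE_OUTPUT_LEGACY_STYLE = """\
CONNECTED(00000003)
---
subject=/CN=www.example.test
issuer=/C=US/O=Example Corp/CN=Example Corp SSL Inspection CA
"""


def parse_dn_cn(dn):
    """Return the CN attribute of an OpenSSL-formatted DN, or None."""
    dn = dn.strip()
    if dn.startswith("/"):
        # Legacy style: attributes separated by "/", no spaces around "=".
        m = re.search(r"/CN=([^/]+)", dn)
    else:
        # Modern style: "C = US, O = Org, CN = Name". A CN containing a
        # comma would be truncated here, which is acceptable for a CA check.
        m = re.search(r"(?:^|,\s*)CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else None


def parse_issuer_cn(s_client_output):
    """Extract the issuer CN from the 'issuer=' line of s_client output."""
    for line in s_client_output.splitlines():
        if line.startswith("issuer="):
            return parse_dn_cn(line[len("issuer="):])
    return None


def classify_issuer(issuer_cn, expected_ca_cn=EXPECTED_CA_CN,
                    untrusted_ca_cn=UNTRUSTED_CA_CN):
    """Map the issuer CN seen by the client to what the firewall did."""
    if issuer_cn is None:
        return "no-certificate"
    if issuer_cn == expected_ca_cn:
        return "inspected-with-deployed-ca"
    if issuer_cn == untrusted_ca_cn:
        return "inspected-with-untrusted-fallback"
    return "not-intercepted-or-unknown-issuer"


def s_client_output(host, port=443, timeout=10):
    """Run openssl s_client (assumed to be on PATH) and return its stdout."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode("utf-8", "replace")


def check_hosts(hosts, expected_ca_cn=EXPECTED_CA_CN,
                untrusted_ca_cn=UNTRUSTED_CA_CN):
    """Return {host: classification} for each host, probing the network."""
    results = {}
    for host in hosts:
        try:
            out = s_client_output(host)
        except (OSError, subprocess.TimeoutExpired) as exc:
            results[host] = f"error: {exc}"
            continue
        results[host] = classify_issuer(parse_issuer_cn(out),
                                        expected_ca_cn, untrusted_ca_cn)
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for host, verdict in check_hosts(sys.argv[1:]).items():
            print(f"{host}: {verdict}")
    else:
        # Offline demonstration on the constructed samples above.
        for sample in (SAMPLE_OUTPUT_NEW_STYLE, SAMPLE_OUTPUT_LEGACY_STYLE):
            print(classify_issuer(parse_issuer_cn(sample)))
```

Run it with one or more hostnames as arguments from a machine whose traffic passes through the inspection policy; any host reported as "inspected-with-untrusted-fallback" is one where the upstream chain failed validation and the firewall fell back to the untrusted CA, which is exactly the case the thread's option 2 is meant to eliminate.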
clarkg
New Contributor

Is there a way to do it in the GUI?  I'm a moron when it comes to the CLI
