Jirka1
Contributor III

SSL Deep - Chrome - NET :: ERR_CERT_WEAK_SIGNATURE_ALGORITHM

Hi,

 

Within the month we will switch from a 100D to a 200E. The network has about 600 PCs, a bit rate of around 300 Mbps and 8-12,000 connections. For auditing (OneDrive blocking, file transfer over Skype, etc.) and security we want to implement SSL deep inspection. We run a Windows domain, so I tested a self-signed certificate using Web Enrollment Services http://kb.fortinet.com/kb...ateId=1%200%2052652981

The idea is that I would distribute this certificate to the stations using GPO - I'm primarily concerned with keeping manual intervention on the end stations to a minimum. I was really surprised that IE, Edge, Thunderbird and Outlook have no problem with this and work reliably. The problem is in Chrome: NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM, because of SHA-1. How do you solve this problem?

 

Thanks

Jirka

Elthon_Abreu
Contributor

Hi Jirka,

 

I have solved that by limiting my Chrome to use TLS 1.2 and 1.1. I should try it.

 

Best regards.

Elthon Abreu FCNSA v5

Jirka1

Hey Elthon,

TLS is enabled but it has no effect - see screenshot. Any other ideas? So how do you effectively deploy and run deep SSL inspection in a corporate environment with a lot of computers?

Thanks

Jirka

Jirka1
Contributor III

azh wrote:

Hello,

 

You can update the CA certificate from SHA-1 to SHA-256 as in this video - https://www.youtube.com/watch?v=KSrkWmeUcXw

Afterwards you can install the new CA certificate with SHA-256 via GPO on all your domain PCs.

 

Hope it helps ;)

 

zhunissov4,

you are a star! It works wonderfully! Thank you very much for your help.

 

Jirka
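
A check that can be run on a CA certificate file before it is distributed by GPO, as an added example that is not part of the original thread: it reads the certificate's outer signatureAlgorithm OID from PEM or DER bytes and flags SHA-1 and MD5 based signatures. The function names, the list of OIDs treated as weak, and the skeleton sample certificates are assumptions made for this illustration.

```python
import base64

# Signature OIDs this check treats as weak (SHA-1 and MD5 based).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def read_tlv(buf, pos):  # returns (tag, value, next_pos) for the DER element at pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert):  # cert: bytes of a PEM or DER encoded certificate
    if cert.lstrip().startswith(b"-----BEGIN"):
        lines = map(bytes.strip, cert.splitlines())
        cert = base64.b64decode(b"".join(s for s in lines if not s.startswith(b"-----")))
    tag, body, _ = read_tlv(cert, 0)      # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(body, 0)         # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)       # signatureAlgorithm (AlgorithmIdentifier)
    oid_tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER certificate")
    return decode_oid(oid)

def weak_signature(cert):  # name of the weak algorithm, or None if not in the list
    return WEAK_SIG_OIDS.get(signature_oid(cert))

def sample_cert(last_arc):
    """Constructed skeleton (not a valid certificate) with OID 1.2.840.113549.1.1.<last_arc>."""
    seq = lambda *p: b"\x30" + bytes([len(b"".join(p))]) + b"".join(p)
    alg = seq(bytes.fromhex("06092a864886f70d0101") + bytes([last_arc]), b"\x05\x00")
    return seq(seq(b"\x02\x01\x02"), alg, b"\x03\x02\x00\x00")
```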
