Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

SSL Deep Inspection with iOS devices (iPhone; iPad)

Hey Guys, 


Hope someone can shed some light on this problem. So I want to enable SSL deep inspection for devices on my network. Windows stations with the CA cert pushed via group policy or installed manually work great and I can control all the aspects I want with deep inspection (safe search, etc...). I also want to provide the certificate to our WIFI users, most of them being students with their own devices.


I have the cert provided via download link on the captive portal page for the WIFI. Download link works fine, and Windows users are able to download it, install it and off they go. However, I go through the steps with an iPhone whether I used .cer file, .p12 or .pfx .. the file downloads, I can install it and it tells me the cert is verified but I still get certificate errors when browsing https websites, also app store, etc... won't load. 


Any ideas? TIA


Hello marsmat,


Are you able to browse some sites like let's say on Safari? On iOS, with deep-inspection, you have to exempt some apple domains from deep-inspection because of Certificate Pinning. In the default deep-inspection profile in FortiOS 5.6, we have some default address groups exempted. 


With the native iTunes and Apple store, if you do not have the apple domains exempted, they will not work. Can you try adding the exemptions? It is hard for browsers to do Certificate Pinning, therefore, if you want to find out if the installation of the Certificate is done correctly, you can try to access some HTTPS sites on a browser application.




When I go to an HTTPS enabled site in Safari, such as Facebook, the site simply does not display. When I go to the same sites in Chrome it will give me a certificate warning and allow me to proceed if I choose too. 


I will try adding the apple domains to the exemptions and try the App Store, etc...


*** EDIT : Exemptions work, I made wildcard entries for *, * and *  and they now function. If I put an exemption for Facebook (social networking category) it will also work. ***


Thanks for the input.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors