Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kish
New Contributor II

SSL Deep Packet Inspection using Let's Encrypt Certificate

Hi All, Can the Let's Encrypt Certificate (using ACME) be used for SSL deep packet inspection.  As of now, we are using Fortigate Self Signed certificate for SSL Inspection. But it is difficult to manage certificate installation for the guest users.

 

1 Solution
TecnetRuss
Contributor

Unfortunately (and fortunately), the answer is no and this will never be possible.

 

The LetsEncrypt certificates that you can easily obtain are always non-CA certificates.  Deep packet inspection requires a CA (certificate authority) certificate.  You'll notice this distinction when you see the way certificates are grouped in System / Certificates.  The "Local Certificates" section contains certificates that can be only used to sign specific websites or services (e.g. SSL VPN).  The "Remote CA Certificate" section contains certificates that can be used to sign/issue subordinate certificates, as Deep Packet Inspection does on the fly when it does man-in-the-middle on client HTTPS connections.

 

If it were that simple to obtain a free LetsEncrypt CA certificate that could be used to create certificates for any domain that are implicitly trusted by all devices I think you can imagine how this would completely undermine the entire certificate trust model.  It would allow anyone upstream of you to do a man-in-the-middle attack on your traffic and you would not see any warnings (like the warnings you see on guest devices without the FortiGate CA certificate in their Trusted CAs).  This power is restricted to just a few major 3rd parties (IdenTrust, DigiCert, Sectigo, etc.) and it's technically a good thing that it requires some effort to insert self-signed CA certificate on devices to disable these intentional warnings.

 

It's an admirable goal to do deep packet inspection on unmanaged guest devices, but it's never going to be as easy as on managed corporate devices.

 

Russ

NSE7

View solution in original post

2 REPLIES 2
TecnetRuss
Contributor

Unfortunately (and fortunately), the answer is no and this will never be possible.

 

The LetsEncrypt certificates that you can easily obtain are always non-CA certificates.  Deep packet inspection requires a CA (certificate authority) certificate.  You'll notice this distinction when you see the way certificates are grouped in System / Certificates.  The "Local Certificates" section contains certificates that can be only used to sign specific websites or services (e.g. SSL VPN).  The "Remote CA Certificate" section contains certificates that can be used to sign/issue subordinate certificates, as Deep Packet Inspection does on the fly when it does man-in-the-middle on client HTTPS connections.

 

If it were that simple to obtain a free LetsEncrypt CA certificate that could be used to create certificates for any domain that are implicitly trusted by all devices I think you can imagine how this would completely undermine the entire certificate trust model.  It would allow anyone upstream of you to do a man-in-the-middle attack on your traffic and you would not see any warnings (like the warnings you see on guest devices without the FortiGate CA certificate in their Trusted CAs).  This power is restricted to just a few major 3rd parties (IdenTrust, DigiCert, Sectigo, etc.) and it's technically a good thing that it requires some effort to insert self-signed CA certificate on devices to disable these intentional warnings.

 

It's an admirable goal to do deep packet inspection on unmanaged guest devices, but it's never going to be as easy as on managed corporate devices.

 

Russ

NSE7

Kish
New Contributor II

Thanks for your time to provide a detailed comment. It was good explanation.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors