SSL Inspection - Certificate not usable
Hi,
following constellation:
We have a FortiGate 100E running here. I created a CSR on it to have that signed by our internal CA. I then imported the certificate to the FortiGate, which all worked fine.
I selected it to use it for HTTPS and that works fine so far. It does do HTTPS with that cert and I do not get any more browser warnings (since all our clients know our CA).
However the FGT denies me to select that cert for use with SSL Inspection. I can only choose the Fortinet built-in one here and none of the others installed.
Does anyone have a tip why that is?
FGT runs FortiOS 5.4.x and our CA runs on Wind*ws btw.
FGT is not part of an HA Cluster, a FortiManager or a Fabric... just standalone.
Cheers
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
You probably signed the certificate using the IIS template or the web server template. For SSL decryption it needs to be either a CA or a SubCA. When you sign it in your CA, select the Subordinate Certification Authority template. It needs to be a CA/SubCA in order to generate certificates on the fly when decrypting.
Hope that helps
Suggestion: load the cert in a web browser or use OpenSSL; does it say CA true or CA?
See the attachment for the line in the cert details to look at.
Ken
PCNSE
NSE
StrongSwan
Yeah, thanks for the tip!
That did the trick :) You need to know you need a (sub)CA here. Unfortunately neither the Fortinet Cookbook nor any howto I found on the net mentioned this :(
Many kudos to you :)
ty
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Do you know how to do this with openssl?
I only manage to do it with Windows Server.
Regards,
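The signing step the last post asks about, done with OpenSSL instead of a Windows CA, as an added example that is not from any poster in this thread; it signs a CSR as a subordinate CA (the OpenSSL equivalent of the Subordinate Certification Authority template) and then runs the CA:TRUE check Ken suggests. The root CA, CSR, subjects and file names are constructed for the demo and are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: sign a FortiGate-generated CSR as a subordinate CA with OpenSSL,
# then check the result the way Ken suggests (CA:TRUE in Basic Constraints).
# All file names and subjects here are assumptions for the demo, not from the thread.
set -e
WORK=$(mktemp -d)

# sign_subca CSR ROOT_CERT ROOT_KEY OUT
# The Windows "Subordinate Certification Authority" template boils down to these
# two extensions; without an extfile, openssl x509 -req emits an end-entity cert.
sign_subca() {
  cat > "$WORK/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
EOF
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 730 -sha256 -extfile "$WORK/subca.ext" -out "$4" 2>/dev/null
}

# is_ca_cert CERT: succeeds only if the cert can issue certificates, i.e. it has
# CA:TRUE in Basic Constraints and keyCertSign ("Certificate Sign") in Key Usage.
is_ca_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' || return 1
  echo "$txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || return 1
}

# Constructed demo material: a throwaway root CA, and a CSR standing in for the
# one the FortiGate generates (its private key never leaves the box).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Demo Internal Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fgt-ssl-inspection" \
  -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" 2>/dev/null

# Web-server-style signing (no CA extension), i.e. what the original poster got.
openssl x509 -req -in "$WORK/fgt.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 730 -sha256 -out "$WORK/fgt-web.pem" 2>/dev/null
# SubCA signing, i.e. what SSL inspection needs.
sign_subca "$WORK/fgt.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/fgt-subca.pem"

for c in fgt-web fgt-subca; do
  if is_ca_cert "$WORK/$c.pem"; then
    echo "$c.pem: CA:TRUE + keyCertSign -> selectable for SSL inspection"
  else
    echo "$c.pem: end-entity certificate -> fine for HTTPS admin, not for SSL inspection"
  fi
done
```

On the FortiGate side the CSR is still generated on the box as in the first post; only the signing step moves from the Windows CA to this script, and the signed PEM is then imported in place of the web-server-style one.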
