Hi there,
I have a problem with my FortiGate 100F. I have deployed a web application server with a certificate from DigiCert, and internally everything works; the certificate is correctly installed. But when external users connect to it there is a problem with the certificate, because the FortiGate uses its default certificate and there is a warning. I have also imported my certificate, but when I try to set it on the FortiGate there is an error. I need help, because most of the users will be external and there must be no warning associated with the certificate.
Thanks,
Do you actually want to decrypt this flow?
I imported the certificate into FortiGate, which worked fine.
I selected it for use in https and it's working fine so far.
However, the FGT won't let me select this certificate for use with SSL inspection. I can only select the one built into the FortiGate and none of the others installed.
Any idea why?
Created on 12-12-2024 06:25 AM Edited on 12-12-2024 06:29 AM
Edit the SSL inspection profile and review the option "Enable SSL inspection of":
"Multiple Clients Connecting to Multiple Servers":
"Protecting SSL Server":
Given your description, you most likely want an SSL inspection profile in the second mode of operation.
Hi @ObedKABO ,
I am pretty sure that your certificate is not "CA:TRUE".
Even if your certificate is a "CA:TRUE" one, you can't buy it from any public CA authority provider. The client has to install the root certificate of this certificate to trust it.
Hello,
In order for the cert to be used in SSL Inspection, the cert needs to have the CA:TRUE flag so that the FortiGate can inspect the traffic and decrypt it. If that is not the case, then you cannot use that particular cert in your SSL Inspection profile.
Yes, you need CA:TRUE (i.e. a CA or SubCA certificate) for deep packet inspection. This is because of the way this functions. DPI works man-in-the-middle, which means the FGT has to decrypt the traffic, inspect it and then re-encrypt it to pass it on to the client. It cannot do the re-encryption with the original cert because it doesn't have the private key for it. It also needs to re-encrypt the traffic with a cert that contains several details of the original one (like the Common Name or Subject Alternate Name(s)). Because of this it needs a certificate that it can use to sign a new certificate containing the above-mentioned data, and then use that to re-encrypt the traffic. And this can only be done with a certificate that has CA:TRUE. And yes, as said above, you cannot buy such certificates (or you cannot afford the conditions needed), so you will have to use a self-signed one. This has the consequence that, in order to avoid browser warnings, every client will have to have the CA/SubCA used by the FortiGate installed as a trusted certificate authority.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams