Support Forum
ObedKABO
New Contributor

SSL Inspection

Hi there,

 

I have a problem with my FortiGate 100F. I have deployed a web application server with a certificate from DigiCert, and internally everything works; the certificate is installed correctly. But when external users connect to it, there is a problem with the certificate, because the FortiGate uses its default certificate and there is a warning. I have also imported my certificate, but when I want to fix it on the FortiGate there is an error. I need help, because most of the users will be external and I need there to be no warning associated with the certificate.

 

Thanks,

Kabongo Obed
adambomb1219
SuperUser

Do you actually want to decrypt this flow?  

ObedKABO
New Contributor

I imported the certificate into FortiGate, which worked fine.

I selected it for use in https and it's working fine so far.

However, the FGT won't let me select this certificate for use with SSL inspection. I can only select the one built into the FortiGate and none of the others installed.

Any idea why?

Kabongo Obed
pminarik

Edit the SSL inspection profile and review the option "Enable SSL inspection of":

 

[screenshot: SSL inspection profile, "Enable SSL inspection of" option]

 

"Multiple Clients Connecting to Multiple Servers":

  • Can only choose from CA-type certificates (not something you can regularly purchase)
  • Intended for broad deep-inspection of many non-specified destinations
  • The prototypical use-case is filtering outgoing internet traffic of local users

 

"Protecting SSL Server":

  • Can choose one of existing/imported non-CA certificates.
  • Can be applied to individual servers only (one or multiple, depending on the SAN field of the certificate, i.e. what specific domains it is valid for)
  • The prototypical use-case is applying protection on a local server for client traffic coming from the internet.

Given your description, you most likely want an SSL inspection profile in the second mode of operation.

[ corrections always welcome ]
dingjerry_FTNT

Hi @ObedKABO ,

 

I am pretty sure that your certificate is not "CA:TRUE":

 

[screenshot: certificate details]

 

Even if your certificate is a "CA:TRUE" one, you can't buy it from any public CA authority provider. The client has to install the root certificate of this certificate to trust it.

Regards,

Jerry
ezhupa

Hello,

 

In order for the cert to be used in SSL Inspection, you would need the cert to have the CA:TRUE flag so it can inspect the traffic and decrypt it. If that is not the case, then you cannot use the particular cert in your SSL Inspection profile.

sw2090
SuperUser

Yes, you need CA:TRUE (i.e. a CA or SubCA certificate) for deep packet inspection. This is because of the way this functions. DPI works man-in-the-middle, which means the FGT has to decrypt the traffic, inspect it and then re-encrypt it to pass it on to the client. It cannot do re-encryption with the original cert because it doesn't have the private key of that. Also, it needs to re-encrypt traffic with a cert that contains several details of the original one (like Common Name or Subject Alternate Name(s)). Due to this it needs a certificate that it can use to sign a new certificate that contains the above-mentioned data, and then use that to re-encrypt the traffic. And this can only be done with a certificate that has CA:TRUE. And yes, like said above, you cannot buy such certificates (or you cannot afford the conditions needed), so you will have to use a self-signed one. This has the consequence that, in order to avoid browser warnings, every client will have to have the CA/SubCA used by the FortiGate installed as a trusted certificate authority.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
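Worked example added here, not posted by anyone in this thread: it uses the OpenSSL CLI to build a constructed CA:TRUE certificate and a constructed server certificate issued by it, then checks which of the two "Enable SSL inspection of" modes pminarik describes each certificate can serve, which names a "Protecting SSL Server" profile built on the server certificate would cover (its SAN), and that a client only accepts the chain once it trusts the inspection CA, as dingjerry_FTNT and sw2090 point out. It assumes the `openssl` command is installed; every name, path and domain in it is made up.

```shell
#!/bin/sh
# Added example (not from the forum thread): build a constructed CA:TRUE
# certificate and a constructed CA:FALSE server certificate with OpenSSL,
# then classify each the way the FortiGate profile modes require.
# Assumes the openssl CLI is installed; all names and paths are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca.crt"
LEAF="$WORK/leaf.crt"

# A self-signed CA (CA:TRUE): the kind of certificate deep inspection needs,
# because the FortiGate must sign re-issued certificates with it.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Inspection CA (constructed)
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$CA" >/dev/null 2>&1

# A server certificate (CA:FALSE) issued by that CA: the kind a public CA
# sells for a web application. Usable only in "Protecting SSL Server" mode,
# and only for the names listed in its SAN.
cat > "$WORK/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = webapp.example.com
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:webapp.example.com, DNS:www.webapp.example.com
EOF
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$CA" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -extfile "$WORK/leaf.cnf" -extensions leaf_ext \
  -out "$LEAF" >/dev/null 2>&1

# Succeeds when the certificate carries the CA:TRUE basic constraint.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Which "Enable SSL inspection of" mode a certificate can serve.
inspection_mode() {
  if is_ca_cert "$1"; then
    echo "multiple-clients-to-multiple-servers"
  else
    echo "protecting-ssl-server"
  fi
}

# DNS names from the SAN extension, one per line: the servers a
# "Protecting SSL Server" profile built on this certificate can cover.
san_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Does a client that trusts CA file $1 accept certificate $2?
# This is the trust every client needs for the inspection CA.
client_trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

for c in "$CA" "$LEAF"; do
  printf '%s -> %s\n' "$(basename "$c")" "$(inspection_mode "$c")"
done
printf 'SAN names on leaf: %s\n' "$(san_dns_names "$LEAF" | tr '\n' ' ')"
if client_trusts "$CA" "$LEAF"; then
  echo "leaf is trusted once the client trusts the inspection CA"
fi
```

Running it against a certificate you actually exported from the FortiGate (pass its path to `is_ca_cert`) tells you immediately whether the "Multiple Clients Connecting to Multiple Servers" list can ever offer it: a purchased server certificate comes back CA:FALSE and belongs in a "Protecting SSL Server" profile instead.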