Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BK_LGW
New Contributor

SSL/SSH Inspection Challenge - Invalid Digital Signature

Hello all. I'm experiencing some difficulties with using Web Filtering and SSL Inspection. My test policy has blocked the usual culprits (social media, gambling, porn, etc.) and I have a test machine and user going to the Internet via the policy.  This is what I've done:

- Acquired root and subordinate CA certs from my sub ca server, imported them into FGT as root and sub CAs respectively.

- Created a local CA for the FGT via the Issuing server (my sub ca server)

- Created an SSH/SSL Inspection profile utilizing the local CA object 

- Created a Web Filter profile blocking the usual suspects

- Created policy outlining both the SSL Inspection and Web Filter profiles and made it so only a single user/PC combo hits it

 

Below are some of the issues I'm having with some websites. Others are blocked and show the block page as expected. All HTTPS websites. What am I doing wrong?

8 REPLIES
Dave_Hall
Honored Contributor

Has the security cert been imported into the browser of the client (test) workstation?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

BK_LGW

Thank you for your quick reply. The root and sub CA certs were already in the Trusted Root CA and Intermediate CA stores due to AD membership. I manually imported the FGT's local cert into the Intermediate CA store. I've been using MS Edge and Internet Explorer, which I believe use the PC's certificate stores, so yes, it should be seen by the test client.

emnoc
Esteemed Contributor III

The output clearly says otherwise. Is the certificate (root/sub CA) trusted by that machine and browser? Also, if it is FF, it does not use the OS cert store.

Ken Felix

PCNSE

NSE

StrongSwan
BK_LGW
New Contributor

Thanks, Ken. What's strange is that the appropriate block page does show up for some pages with the same configuration.

Admittedly, the block page does say "Not secure" as well. I'm not sure if that's by design or not. How can I show you beyond a doubt that the certificates are trusted?

 

emnoc
Esteemed Contributor III

That error is typically one of the following:

- Authority certificate may be expired, not trusted, etc.
- Browser security settings

Ken Felix

PCNSE

NSE

StrongSwan
Dave_Hall
Honored Contributor

May or may not apply, but I had this KB#FD37342 bookmarked with the intent to test it out to resolve an issue we were having in the past. For us it wasn't so much the cert on the original page/site but the cert on the popup override page.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
BK_LGW

Dave Hall wrote:

May or may not apply, but I had this KB#FD37342 bookmarked with the intent to test it out to resolve an issue we were having in the past. For us it wasn't so much the cert on the original page/site but the cert on the popup override page.

Thank you, Dave. I haven't used any kind of override in my own config, but just to confirm, the cert from the override page would be the one from the FGT acting as the MITM, yes? Even then, the proposed fix wouldn't apply to my situation, I think.

BK_LGW
New Contributor

emnoc wrote:

That error is typically one of the following:

- Authority certificate may be expired, not trusted, etc.
- Browser security settings

Ken Felix

Thank you, Ken. The issue persists, even though I followed this post to set it up (https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/680736/microsoft-ca-deep-packet-inspecti...). I can't see how it would be the browser security settings when twitter.com causes the error but other pages like instagram.com and gambling.com are blocked properly, meaning the block page shows as expected. Wouldn't the fact that those work without issue also mean that the certificate from the FGT and the higher CAs are indeed trusted?
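The question comes up twice in this thread: how to show that the chain the client actually receives is trusted, and whether a working block page proves it. One way to settle both from the test PC itself is to complete a TLS handshake to each host twice, once verifying against the OS trust store and once against only the FortiGate inspection CA. The Python script below is an added example written for this page; it is not from the original posts or from Fortinet. It assumes the FortiGate inspection CA has been exported as a PEM file whose path is given on the command line, and the offline helper uses a constructed sample certificate dict with the hypothetical CA name "FGT-SSL-Inspection". On Windows, Python's default SSL context loads the ROOT and CA system stores, the same stores Edge and IE consult, so the first check reflects what those browsers trust; Firefox keeps its own store, as noted above.

```python
import socket
import ssl

# Constructed sample of what ssl.SSLSocket.getpeercert() returns for a leaf
# re-signed by a hypothetical FortiGate inspection CA with CN "FGT-SSL-Inspection".
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "twitter.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "FGT-SSL-Inspection"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def rdn_value(name, attr):
    """Return one attribute (e.g. commonName) from getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def verify_against(host, port=443, cafile=None, timeout=5):
    """
    Handshake with `host` and verify the chain it presents.
    cafile=None -> verify against the OS trust store (on Windows, the ROOT and CA
                   system stores used by Edge/IE; Firefox keeps its own store).
    cafile=path -> verify only against that PEM file, e.g. the exported
                   FortiGate inspection CA (assumed path).
    Returns (ok, issuer_cn_or_None, error_message_or_None).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # populated only when verification passed
        return True, rdn_value(cert.get("issuer", ()), "commonName"), None
    except ssl.SSLCertVerificationError as exc:
        return False, None, exc.verify_message   # e.g. "unable to get local issuer certificate"
    except (ssl.SSLError, OSError) as exc:
        return False, None, str(exc)


def diagnose(os_store_ok, inspection_ca_ok):
    """Map the two verification results onto the thread's actual question."""
    if os_store_ok:
        return "trusted: the OS store accepts the chain the client receives"
    if inspection_ca_ok:
        return ("re-signed by the FortiGate, but the OS store does not trust it: "
                "check that the inspection CA and every CA above it are in this "
                "machine's Trusted Root / Intermediate stores")
    return ("not trusted and not signed by the inspection CA: the session is not "
            "being re-signed, or fails for another reason; read the verify message")


def probe(host, inspection_ca_pem, port=443):
    """Run both checks for one host and return a report dict."""
    os_ok, issuer, os_err = verify_against(host, port)
    fgt_ok, fgt_issuer, fgt_err = verify_against(host, port, cafile=inspection_ca_pem)
    return {
        "host": host,
        "os_store_trusts": os_ok,
        "signed_by_inspection_ca": fgt_ok,
        "issuer_cn": issuer or fgt_issuer,
        "os_store_error": os_err,
        "inspection_ca_error": fgt_err,
        "diagnosis": diagnose(os_ok, fgt_ok),
    }


if __name__ == "__main__":
    import json
    import sys
    # Usage (assumed path): python probe.py twitter.com C:\certs\fgt_inspection_ca.pem
    print(json.dumps(probe(sys.argv[1], sys.argv[2]), indent=2))
```

Run it from the test workstation once per host, for example against twitter.com and against instagram.com, and compare the two reports. A host whose block page displays should verify against the inspection CA file; if the same host also passes the OS-store check while another host fails it with a verify message naming a missing issuer, the difference lies in the chain the client receives for that host rather than in browser settings, which is the distinction the thread is trying to make.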
