Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lalu
New Contributor II

SSL deep inspection with external certificate

Hi, I want to install a certificate issued by an external CA, so as to be recognized automatically by browsers.

 

1. Under System -> Certificates I created and downloaded the CSR 2. At the external CA, I created the CRT certificate. 3. I imported the CRT certificate

 

Everything seems to be installed correctly, but when I go under Security Profiles -> SSL/SSH inspections -> deep inspection, I cannot select my certificate (see image link). I see only the default Fortinet_CA_SSL certificate.

https://www.screencast.com/t/1TKXu4dRmUws

 

Why? What am I doing wrong?

 

thank you

Best regards

Luca

1 REPLY 1
TecnetRuss
Contributor

You can only use a Certificate Authority (CA) certificate with deep packet inspection.  You cannot use a regular certificate.  You'll notice that CA certificates and non-CA certificates are grouped separately under System / Certificates.  It is simply not possible to purchase a 3rd party browser-trusted CA certificate that would allow your FortiGate to act as a CA and issue any domain's certificate to clients.

 

The way deep packet inspection is typically deployed is that the FortiGate's CA certificate is installed on all DPI-protected systems.  On Windows domain systems you can do this easily with Group Policy.  With an MDM solution you can push the certificate out to managed mobile devices quite easily too.  For unmanaged devices it has to be done manually, which is why DPI is not usually used on guest networks.

 

Russ

NSE7

Labels
Top Kudoed Authors