SSL deep inspection with external certificate

lalu · ‎09-27-2021

Hi, I want to install a certificate issued by an external CA, so as to be recognized automatically by browsers.

1. Under System -> Certificates I created and downloaded the CSR 2. At the external CA, I created the CRT certificate. 3. I imported the CRT certificate

Everything seems to be installed correctly, but when I go under Security Profiles -> SSL/SSH inspections -> deep inspection, I cannot select my certificate (see image link). I see only the default Fortinet_CA_SSL certificate.

https://www.screencast.com/t/1TKXu4dRmUws

Why? What am I doing wrong?

thank you

Best regards

Luca

TecnetRuss · ‎09-28-2021

You can only use a Certificate Authority (CA) certificate with deep packet inspection. You cannot use a regular certificate. You'll notice that CA certificates and non-CA certificates are grouped separately under System / Certificates. It is simply not possible to purchase a 3rd party browser-trusted CA certificate that would allow your FortiGate to act as a CA and issue any domain's certificate to clients.

The way deep packet inspection is typically deployed is that the FortiGate's CA certificate is installed on all DPI-protected systems. On Windows domain systems you can do this easily with Group Policy. With an MDM solution you can push the certificate out to managed mobile devices quite easily too. For unmanaged devices it has to be done manually, which is why DPI is not usually used on guest networks.

Russ

NSE7

SSL deep inspection with external certificate

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website