newNetwork
New Contributor

SSL inspection Certificate mystery

Is it possible to use a Verisign (or any other CA) certificate for SSL inspection (web filtering, app control), in order to get rid of the annoying certificate warning on HTTPS sites when using the inbuilt FortiGate CA SSL proxy certificate?

If yes, what type of certificate needs to be bought: a single SSL certificate, etc.?

From this discussion, I am doubtful about the possibility.

Apart from this I see no other way by which the HTTPS certificate warning can be avoided completely, as smartphones, tabs, and iPads are never part of the domain, so it's not possible to use Active Directory infra to push a local certificate, and it's a tedious task to install the FortiGate SSL proxy cert manually on every single device.

 

emnoc
Esteemed Contributor III

The short answer is no. This is what SSL is supposed to do: give you, or let me rephrase, "the end-user the warning", and then he/she can make the validation to proceed after being warned.

 

 

PCNSE 

NSE 

StrongSwan  

vmartin_FTNT
Staff

You can use a custom certificate for SSL inspection, instead of the default FortiGate cert. You can find instructions for how to do this here: http://cookbook.fortinet.com/preventing-certificate-warnings/#custom

Technical Writer, FortiOS

Let me know if there's anything you want to see added to the FortiGate Cookbook.

lunhas2k4
New Contributor II

Hi,

 

Which version of FortiOS are you using? After tinkering a little bit and a couple of forums, I found a solution for 5.2.1 and 5.2.2. I only get the certificate issue on sites that are actually being barred from use.

 

Is that what you are looking for?

 

 

Carlitos loves firewalls

NSE4 (5.4,6.0)

NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)

NSE7 (Enterprise Firewall 6.0)

Silver
New Contributor

Hi all,

I did not really understand well. I have the same problem with SSL inspection: I want to use a public CA with my SSL inspection for all my guest mobile phones, iPads, laptops, etc.

 

Help

Bromont_FTNT

 

If a public CA started handing out signing certificates that people could use for SSL inspection the first thing I would do is remove their root from my browser store. Certificates are about trust... how can I trust a CA that lets others do SSL inspection on any site?
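
The distinction behind this answer, as an added example that is not part of the original thread: an ordinary SSL certificate is issued with CA:FALSE, so anything re-signed with its key is rejected by clients, while a CA:TRUE (signing) certificate under a trusted root would be accepted for any site. The throwaway root and all names are constructed for the demo, and it assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Constructed lab: every name below (Demo Root, site.example, ...) is made up.
set -eu
cd "$(mktemp -d)"   # all keys and certs are throwaway files in a temp dir

cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# issue NAME CN EXT SIGNER: make a key + CSR for CN, sign it with SIGNER's key.
issue() {
  openssl req -new -config demo.cnf -subj "/CN=$2" -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
    -extfile demo.cnf -extensions "$3" -days 1 -out "$1.pem" 2>/dev/null
}

# chain_ok ISSUER SITE: would a client that trusts only the root accept SITE?
chain_ok() {
  if openssl verify -CAfile root.pem -untrusted "$1.pem" "$2.pem" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

# Stand-in for a public root that clients already trust.
openssl req -x509 -config demo.cnf -extensions ca_ext -subj "/CN=Demo Root" \
  -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 1 2>/dev/null

issue subca  "Demo Inspection CA"   ca_ext   root    # a signing (CA:TRUE) cert
issue server "guest-portal.example" leaf_ext root    # an ordinary SSL cert
issue site_a "site.example"         leaf_ext subca   # re-signed by the sub-CA
issue site_b "site.example"         leaf_ext server  # re-signed by the SSL cert

echo "re-signed by CA:TRUE cert:  $(chain_ok subca  site_a)"
echo "re-signed by CA:FALSE cert: $(chain_ok server site_b)"
```

The signing step succeeds in both cases; it is path validation on the client that rejects the chain through the CA:FALSE certificate.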

bikash_Shaw
New Contributor III

Hi

Please follow the attached document. You can disable the replacement msg.

 

Regards

Bikash

emnoc
Esteemed Contributor III

Exactly, it's called a chain of trust for a reason
