Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
newNetwork
New Contributor

SSL inspection Certificate mystery

is it possible to use a verisign (or any other CA) for SSL inspection(web filtering, appcontrol) , in order to get rid of annoying certificate warning on https sites when using the inbuilt fortigate CA ssl proxy certificate.

If yes what type of certificate needs to be bought , a single ssl certificate etc....

from this discussion ,  i am doubtful about the possibility. 

 

Apart from this i see no other way , by which the https certificate warning can be avoided completely. as smartphone, tabs , ipads are never part of domain so its not possible to use active directory infra to push local certificate and its a tedious task to install fortigate ssl proxy cert manually on every single device.

 

1 Solution
Bromont_FTNT

 

If a public CA started handing out signing certificates that people could use for SSL inspection the first thing I would do is remove their root from my browser store. Certificates are about trust... how can I trust a CA that lets others do SSL inspection on any site?

View solution in original post

7 REPLIES 7
emnoc
Esteemed Contributor III

The short answer is no, this is what SSL is suppose to do, give you  or let me re-phrase " the end-user the warning " & then he/she can make the validation to proceed after being warned.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
vmartin_FTNT
Staff
Staff

You can use a custom certificate for SSL inspection, instead of the default FortiGate cert. You can find instructions for how to do this here: http://cookbook.fortinet.com/preventing-certificate-warnings/#custom

Technical Writer, FortiOS

Let me know if there's anything you want to see added to the FortiGate Cookbook.

lunhas2k4
New Contributor III

Hi,

 

Which version of the fortiOS are you using. After thinkering a little bit and a couple of forums found a solution for 5.2.1 and 5.2.2. I only the certificate issue on sites that are actually being barred from use.

 

Is that what you are looking for?

 

 

Carlitos loves firewalls

NSE4 (5.4,6.0)

NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)

NSE7 (Enterprise Firewall 6.0)

Carlitos loves firewalls NSE4 (5.4,6.0) NSE5 (Fortimanager 6.0, Fortianalyzer 6.0) NSE7 (Enterprise Firewall 6.0)
Silver
New Contributor

hi all,

 

did not really understand well i have the same problem with ssl inspection i want to use a public ca with my ssl inspection for all my guest mobile phone, ipad,  laptop etc

 

Help

Bromont_FTNT

 

If a public CA started handing out signing certificates that people could use for SSL inspection the first thing I would do is remove their root from my browser store. Certificates are about trust... how can I trust a CA that lets others do SSL inspection on any site?

bikash_Shaw
New Contributor III

Hi

Please follow the attach document. You can disable the replacement msg. 

 

Regards

Bikash

emnoc
Esteemed Contributor III

Exactly, it's called a chain of trust for a reason

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors