Support Forum
hjacquemin
New Contributor

SSL inspection + webfiltering self signed certificate

Hello everyone,

 

I'm quite new to the Fortinet world and I'm currently doing some tests with SSL inspection and web filtering.

 

Currently I'm using the default certificate provided by the FortiGate. I added it to the OS/browser certificate authorities (Trusted Root Certification Authorities) and I don't have any issues with SSL inspection.

 

I only face an issue when I add web filtering, and only when I hit a section with a warning or authenticate level.

 

I receive the warning page/auth page from the FortiGate, and when I click Proceed I get an SSL error. It seems that the FortiGate is sending its own certificate. Even if I add the FortiGate certificate under "Trusted device" in the Windows certlm tool, the only browser that works is IE; the others (Chrome, Firefox, Edge) show an error.

 

Can someone help me with this?

 

Regards,

 

Hervé Jacquemin

sw2090
Honored Contributor

Yes, the FortiGate is sending its own cert (unless you configure it to use a different one). SSL inspection is somewhat of a man-in-the-middle. This means the FGT has to decrypt the traffic, look at it and analyze it, and then re-encrypt it to ship it to the client. It cannot do this with the certificate the traffic was originally encrypted with because it does not have the private key (and will never have it!). So it has to use another cert for re-encryption (and also for shipping its blocking pages etc.). By factory default there is a self-signed cert by FortiGate installed and used.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sw2090
Honored Contributor

Hm, I forgot one thing:

 

The FortiGate indeed has two factory certificates installed:

 

- one SSL cert: used to encrypt internal pages like the web GUI, blocking page or authentication portal. This is trusted by your browser because you installed the CA.

 

- one SSL sub-CA cert: used to issue certificates to re-encrypt content in SSL inspection, SSL web filtering, SSL antivirus etc. This seems not to be trusted.

 

So I guess the reason is simply a broken certificate authority path here. You need to have the CA installed (you already have), but you also need the sub-CA installed as a trusted CA in your browser. Otherwise the certificates used by the FortiGate to re-encrypt traffic in SSL inspection etc. cannot be validated by your browser because of the missing certificate authority.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
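The broken-path situation sw2090 describes (root CA trusted, but the sub-CA that actually signs the re-encrypted site certificates neither trusted nor presented) can be reproduced offline without a FortiGate. The Go program below is an added example written for this page, not code from the thread or from Fortinet: it mints a throwaway root CA, an inspection sub-CA signed by it and a leaf certificate for a site, then runs Go's X.509 path validation the way a browser would under the three client setups discussed above. The certificate names, the site name and the `Scenarios`/`Validate` helpers are assumptions for the lab, not the FortiGate's real certificate names or any Fortinet API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Lab PKI names: assumptions for this example, not the FortiGate's factory certificate names.
const (
	RootName  = "Lab Root CA"          // the CA the poster imported as trusted
	SubCAName = "Lab Inspection SubCA" // the CA that signs the re-encrypted site certs
	Site      = "www.example.com"      // a site visited through SSL inspection
)
var serial int64 // incremented so every issued cert gets a unique serial

// issue creates a certificate for cn signed by parent; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // the re-signed site cert: original host name, but issued by the inspection sub-CA
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Lab is what the client can see: the trusted root, the inspection sub-CA and the leaf presented for Site.
type Lab struct{ Root, SubCA, Leaf *x509.Certificate }
// BuildLab mints root -> sub-CA -> leaf, the same shape as CA -> SSL sub-CA -> re-signed site cert.
func BuildLab() Lab {
	root, rootKey := issue(RootName, true, nil, nil)
	sub, subKey := issue(SubCAName, true, root, rootKey)
	leaf, _ := issue(Site, false, sub, subKey)
	return Lab{Root: root, SubCA: sub, Leaf: leaf}
}

// Validate does what the browser does: trusted = CAs installed on the client,
// sent = extra certificates presented alongside the leaf in the TLS handshake.
func Validate(leaf *x509.Certificate, trusted, sent []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: Site})
	return err
}

// IsUnknownAuthority reports whether err is the "no path to a trusted CA" failure.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}
// Scenarios runs the three client setups discussed in the thread.
func Scenarios(l Lab) (noSubCA, subCASent, subCATrusted error) {
	noSubCA = Validate(l.Leaf, []*x509.Certificate{l.Root}, nil)                           // poster's setup: root only
	subCASent = Validate(l.Leaf, []*x509.Certificate{l.Root}, []*x509.Certificate{l.SubCA}) // sub-CA sent in handshake
	subCATrusted = Validate(l.Leaf, []*x509.Certificate{l.SubCA}, nil)                     // sub-CA imported as trusted
	return
}

func main() {
	a, b, c := Scenarios(BuildLab())
	fmt.Println("root trusted, sub-CA neither sent nor trusted:", a)
	fmt.Println("root trusted, sub-CA sent in the handshake:   ", b)
	fmt.Println("sub-CA imported as trusted, not sent:         ", c)
}
```

Run it with `go run`. The first scenario fails with an unknown-authority error even though the root is trusted, which is the symptom in the question: the browser is handed a leaf issued by a CA it cannot connect to anything it trusts. The other two succeed, either because the intermediate is presented in the handshake or because it is itself imported as trusted, which are the two ways to repair the path. On a real client, `openssl s_client -connect host:443 -showcerts` lists the chain the inspecting device actually presents, which tells you which of the two repairs you need.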