SecurityPlus
Contributor II

Security Certificate Questions

Sorry for so many questions below. I am kind of a newbie concerning security certificates.

 

    1. Are purchased (CA) security certificates a good idea when doing deep packet (SSL) inspection on a FortiGate?
    2. What benefit does a purchased (CA) security certificate offer over the built in certificate?
    3. What are the benefits of a commercial certificate (CA) over a self-signed certificate?
    4. Are all purchased (CA) certificates the same and are they all compatible with the FortiGate?
    5. If a business has a website that is externally hosted and a FortiGate and they would like a security certificate to apply to both the website and the local network (FortiGate), would this involve a different certificate?
    6. Any recommendations on where to get commercial (CA) certificates?

    Thanks in advance for any help folks can provide.

     

  • 1 Solution
    emnoc
    Esteemed Contributor III

        Are purchased (CA) security certificates a good idea when doing deep packet (SSL) inspection on a FortiGate?

    Typically you use your internal CA and publish that certificate via a Windows GPO or manual input (non-Windows devices). Read below for why it's good.

        What benefit does a purchased (CA) security certificate offer over the built in certificate?

    Provides trust from a trusted CA chain, a big plus.

    Provides life-time.

    Low maintenance (no need to distribute or import for the most part).

        What are the benefits of a commercial certificate (CA) over a self-signed certificate?

    Provides trust from a well-known CA chain; see above about management and import. You only need to import into the FortiGate SSL proxy for inspection; a browser will typically honor the public-CA-issued cert if it's from a well-known CA.

        Are all purchased (CA) certificates the same and are they all compatible with the FortiGate?

    Yes, they're compatible just like a self-signed one. Even a CA-issued one is technically "self-signed" ;) Just make sure to get a cert from a well-known CA.

        If a business has a website that is externally hosted and a FortiGate and they would like a security certificate to apply to both the website and the local network (FortiGate), would this involve a different certificate?

    A cert on a website, for example, is a server cert; the cert for the SSL proxy is a CA:TRUE certificate. Both follow X.509 but the purpose is NOT mutually the same. So yes, you need webserver certificate(s) and an SSL proxy certificate.

        Any recommendations on where to get commercial (CA) certificates?

    Shop around: GeoTrust, Entrust, GoDaddy, etc. Cost could be a few hundred or so dollars but they are affordable.

    PCNSE NSE StrongSwan

    14 REPLIES
    SecurityPlus

    emnoc,

     

    Thanks for the very helpful information! I sure appreciate the guidance you have provided.

     

    If we wanted to protect both the hosted website and the LAN via the FortiGate, would we need to purchase two entirely separate certificate products?

     

    Any idea how websites like www.bulkregister.com, www.thesslstore.com, www.SRSPlus.com and www.namecheap.com do at supplying SSL certificates?

    emnoc
    Esteemed Contributor III

    Yes, you will need a server certificate for the website(s). As far as the 4 distributors, I've only used thesslstore for domain-validated certs and they are fairly priced, and NameCheap for domain registrations; I've never purchased a certificate from them.

     

     

    PCNSE NSE StrongSwan
    SecurityPlus

    Just to confirm, would it require two different security certificates to protect both the externally hosted website and the LAN?

    emnoc
    Esteemed Contributor III

    Yes.

    PCNSE NSE StrongSwan
    Jirka1
    Contributor III

    Guys, can you send me a direct link to buy a recommended CA certificate that I can use for deep packet inspection? Thank you! Jirka

    emnoc
    Esteemed Contributor III

    here

     

    https://securebox.comodo.com/ssl-sniffing/ssl-inspection/

     

    and  here

     

    https://secure.instantssl.com/products/SSLIdASignup1a

     

    But you need to start here and understand what you're doing, before you start doing ;)

     

    http://cookbook.fortinet....ld-use-ssl-inspection/

     

     

     

    As far as generating a CA:TRUE CSR, I like openssl. That's just my style, YMMV, and one of many methods that you can use. Google search for numerous tips, tricks, etc.

     

     

     

    ========================

    #!/bin/bash
    # this script is for making CSRs
    #
    DATE=$(date +%s)
    #
    # seed the names in a file named "file"; we read each CN from that file
    #
    for p in $(cat file); do
        # substitute the placeholder "baby" in the template config with the CN
        sed -e 's/baby/'"$p"'/g' nwcfg.cnf > "$DATE.cnf"
        #
        # if you don't want encrypted keys use the -nodes switch instead of -passout
        #
        openssl req -config "$DATE.cnf" -extensions v3_req -sha256 -new \
            -passout pass:foobar -newkey rsa:2048 -batch \
            -keyout "$p.key" \
            -subj "/C=US/ST=TX/L=Austin/O=SOCPUPPETS/OU=SSL_SOCPUPPETS/CN=$p" \
            -out "$p.csr"
        # clean up temp config file
        rm "$DATE.cnf"
    done

    and in my cfg file you toggle the CA:TRUE

    ===========

    [req]
    serial = 1000
    days = 730
    default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = yes

    [req_distinguished_name]
    C = US
    ST = TX
    L = mydomaincity
    O = MYDOMAIN
    OU = SSL_VPN_PROXY
    CN = ssl_proxy_master
    emailAddress = certificate@mydomain.com

    [v3_req]
    # CA:TRUE plus keyCertSign is what lets this cert sign the re-issued server certs during inspection
    basicConstraints = CA:TRUE
    keyUsage = keyEncipherment, dataEncipherment, keyCertSign, digitalSignature, nonRepudiation, keyAgreement
    #subjectAltName = @alt_names
    extendedKeyUsage = serverAuth,clientAuth

    [alt_names]

     

    Next,

     

    Depending on the CA you might need to convert the cert. Again, openssl is your friend, or take your chances online:

     

    https://www.sslshopper.com/ssl-converter.html

     

    Be advised, you should speak to the SSL CA sales/support staff about your needs and what you are trying to do. Not all CAs will sign the CSR and honor the CA:TRUE, and some ignore parts of the CSR.

     

    If it was me, I would generate a self-signed cert and test yours out in SSL inspection, and then, once you feel comfortable, acquire a public-signed cert.

     

     

    e.g. (again using openssl)

        # create a passphrase-protected 4096-bit CA key
        openssl genrsa -aes256 -out mycakey.pem 4096
        # self-sign a CA:TRUE root from it (v3_ca comes from the default openssl.cnf)
        openssl req -x509 -new -nodes -extensions v3_ca -key mycakey.pem -days 1024 -out mycaroot.pem -sha512

    Next, you can sign your own certificates as an in-house CA and do your testing for SSL inspection. Just import the CA public certificate and the certificate into your devices (i.e. macOS, Windows, Android, etc.).

     

     

    YMMV, but you need to search the SSL cookbooks on the Fortinet site and read the thousands of articles on SSL inspection and MiTM.

     

    PCNSE NSE StrongSwan
    SecurityPlus

    Emnoc,

     

    Thanks for the great information and links! We started with one cookbook. As helpful as this was it is hard for one document to cover every circumstance. I will need to read further.

     

    Before I read your post we purchased a commercial certificate but later learned that the certificate needs to be based on a domain name or an IP address. The network uses a domain.local domain name which I understand certificate issuers won't be able to create a certificate for. And the IP address is a dynamic IP address not a static IP address. If the IP address changes I presume that we would need to update the certificate. Can you comment on a situation where a network does not use or does not have a commercial domain registration? Can you comment on a non-static IP address situation as well?

    SecurityPlus

    Curious how CA certificates can be distributed to permit full SSL inspection (deep inspection) without certificate warnings. I read the following document but still have a few questions:

    https://cookbook.fortinet.com/preventing-certificate-warnings-ca-cert-60

     

    1. How mobile devices like smart phones and tablets will deal with it. I see that it is necessary to install the certificate on Windows and Mac computers for the Internet Explorer, Chrome, Safari, and Firefox browsers. What about users on smart phones and tablets running iOS or Android?

     

    2. Can certificates be distributed via Group Policy for domain joined Windows computers using Internet Explorer, Chrome, Safari, and Firefox browsers?

     

    3. Also, is there any easy way to distribute certificates to Mac computers?

     

    Thanks!
