Sorry for so many questions below. I am kind of a newbie concerning security certificates.
Thanks in advance for any help folks can provide.
Are purchased (CA) security certificates a good idea when doing deep packet (SSL) inspection on a FortiGate?
Typically you use your internal CA and publish that certificate via a Windows GPO or manual input (non-Windows devices). Read below for why it's good.
What benefit does a purchased (CA) security certificate offer over the built in certificate?
Provides trust from a trusted CA chain, a big plus.
Provides life-time.
Low-maint (no need to distribute or import for the most part).
What are the benefits of a commercial certificate (CA) over a self-signed certificate?
Provides trust from a well-known CA chain; see above about management and import. You only need to import it into the FortiGate SSL proxy for inspection; a browser will typically honor the public-CA-issued cert if it's from a well-known CA.
Are all purchased (CA) certificates the same and are they all compatible with the FortiGate?
Yes, they're compatible, just like a self-signed one. Even a CA-issued cert is technically "self-signed" ;) Just make sure to get a cert from a well-known CA.
If a business has a website that is externally hosted and a FortiGate and they would like a security certificate to apply to both the website and the local network (FortiGate), would this involve a different certificate?
A cert on a website, for example, is a server cert; the cert for the SSL proxy is a CA:TRUE certificate. Both follow X.509, but the purpose is NOT the same. So yes, you need a webserver certificate(s) and an SSL proxy certificate.
Any recommendations on where to get commercial (CA) certificates?
Shop around: GeoTrust, Entrust, GoDaddy, etc. Cost could be a few hundred dollars or so, but they are affordable.
PCNSE
NSE
StrongSwan
emnoc,
Thanks for the very helpful information! I sure appreciate the guidance you have provided.
If we wanted to protect both the hosted website and the LAN via the FortiGate, would we need to purchase two entirely separate certificate products?
Any idea how websites like www.bulkregister.com, www.thesslstore.com, www.SRSPlus.com, and www.namecheap.com do at supplying SSL certificates?
Yes, you will need a server certificate for the website(s). As far as the 4 distributors go, I've only used thesslstore for Domain Validated certs and their prices are fair, and NameCheap for domain registrations; I've never purchased a certificate from them.
Just to confirm, would it require two different security certificates to protect both the externally hosted website and the LAN?
yes
guys, can you send me a direct link to buy a recommended CA certificate that I can use for a deep packet inspection? Thank you! Jirka
here
https://securebox.comodo.com/ssl-sniffing/ssl-inspection/
and here
https://secure.instantssl.com/products/SSLIdASignup1a
but you need to start here and understand what you're doing, before you start doing ;)
http://cookbook.fortinet....ld-use-ssl-inspection/
As far as generating a CA:TRUE CSR, I like openssl. That's just my style, YMMV, and it is one of many methods that you can use. Google search for numerous tips, tricks, etc.
========================
#!/bin/bash
# this script is for making CSRs
#
DATE=`date +%s`
#
# seed the names in a file named "file"; we will read that information
#
for p in `cat file`; do
    # substitute the placeholder CN "baby" in the template config with this name
    sed -e 's/baby/'$p'/g' nwcfg.cnf > $DATE.cnf
    #
    # if you don't want encrypted keys use the -nodes switch instead of -passout
    #
    openssl req -config $DATE.cnf -extensions v3_req -sha256 -new -passout pass:foobar -newkey rsa:2048 -batch -keyout $p.key -subj "/C=US/ST=TX/L=Austin/O=SOCPUPPETS/OU=SSL_SOCPUPPETS/CN=$p" -out $p.csr
    # clean up temp config file
    rm $DATE.cnf
done
and in my cfg file you toggle CA:TRUE
===========
[req]
serial = 1000
days = 730
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = yes

[req_distinguished_name]
C = US
ST = TX
L = mydomaincity
O = MYDOMAIN
OU = SSL_VPN_PROXY
CN = ssl_proxy_master
emailAddress = certificate@mydomain.com

[v3_req]
basicConstraints = CA:TRUE
keyUsage = keyEncipherment, dataEncipherment, keyCertSign, digitalSignature, nonRepudiation, keyAgreement
#subjectAltName = @alt_names
extendedKeyUsage = serverAuth, clientAuth

[alt_names]
Next, depending on the CA you might need to convert the cert. Again, openssl is your friend, or take your chances online:
https://www.sslshopper.com/ssl-converter.html
Be advised, you should speak to the SSL CA's sales/support staff about your needs and what you're trying to do. Not all CAs will sign the CSR and honor CA:TRUE; some ignore parts of the CSR.
If it was me, I would generate a self-signed cert and test it out in SSL inspection, and then once you feel comfortable acquire a publicly signed cert.
e.g. (again using openssl):
openssl genrsa -aes256 -out mycakey.pem 4096
openssl req -x509 -new -nodes -extensions v3_ca -key mycakey.pem -days 1024 -out mycaroot.pem -sha512
Next, you can sign your own certificates as an in-house CA and do your testing for SSL inspection. Just import the CA public certificate and the certificate into your devices (i.e. macOS, Windows, Android, etc.).
YMMV, but you need to search the SSL cookbooks on the Fortinet site and read the thousands of articles on SSL inspection and MITM.
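The two points emnoc makes in this thread, that a website's server certificate and an SSL-proxy certificate are different kinds of X.509 object (CA:TRUE versus CA:FALSE), and that you can build a self-signed in-house CA with openssl to test inspection before buying anything, as one added example. This is not emnoc's script and not Fortinet code; it assumes only the openssl CLI, and the organization name EXAMPLE-ORG, the host www.example.test and the files under WORKDIR are made up for the demo.

```shell
#!/bin/sh
# Added example, not emnoc's script: build a throwaway in-house root CA with
# basicConstraints CA:TRUE, issue an ordinary server certificate from it, and
# show which of the two files is usable as an SSL-inspection (proxy) CA.
# Needs only the openssl CLI. Every name below (EXAMPLE-ORG, www.example.test,
# the files under WORKDIR) is made up for the demo.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Self-signed root: the CA:TRUE cert you would import into the FortiGate for
# deep inspection. -nodes keeps the key unencrypted so the demo runs unattended
# (emnoc's -aes256 / -passout variants are the right choice for a real key).
make_inspection_ca() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no

[req_distinguished_name]
C = US
ST = TX
L = Austin
O = EXAMPLE-ORG
OU = SSL_VPN_PROXY
CN = ssl_proxy_master

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 730 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# Leaf (web server) certificate signed by that root: CA:FALSE and serverAuth.
# This is the kind of cert a public CA sells for a website; it cannot sign the
# per-site certificates an SSL proxy mints, which is why two products are needed.
make_server_cert() {
    dir="$1"; host="$2"
    cat > "$dir/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # The CSR reuses ca.cnf only so openssl has a config file; -subj sets the DN.
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$dir/ca.cnf" \
        -subj "/C=US/ST=TX/L=Austin/O=EXAMPLE-ORG/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/$host.pem" 2>/dev/null
}

# Exit 0 when the PEM certificate carries basicConstraints CA:TRUE, i.e. it can
# act as the signing CA for inspection; exit 1 for a plain server certificate.
is_inspection_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Exit 0 when the leaf chains to the root, which is what a client that has the
# root installed (via GPO, profile, or manual import) checks before trusting it.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_inspection_ca "$WORKDIR"
make_server_cert "$WORKDIR" www.example.test
for f in ca.pem www.example.test.pem; do
    if is_inspection_ca "$WORKDIR/$f"; then
        echo "$f: CA:TRUE, usable as the SSL-inspection CA"
    else
        echo "$f: CA:FALSE, server certificate only"
    fi
done
chain_verifies "$WORKDIR/ca.pem" "$WORKDIR/www.example.test.pem" \
    && echo "www.example.test.pem chains to ca.pem"
```

Running it prints that ca.pem is CA:TRUE and www.example.test.pem is CA:FALSE, and that the leaf verifies against the root. The same `is_inspection_ca` check is a quick way to confirm, before importing anything into the FortiGate, that a certificate a public CA returned for a CSR actually kept the CA:TRUE constraint rather than silently dropping it.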
Emnoc,
Thanks for the great information and links! We started with one cookbook. As helpful as this was it is hard for one document to cover every circumstance. I will need to read further.
Before I read your post we purchased a commercial certificate but later learned that the certificate needs to be based on a domain name or an IP address. The network uses a domain.local domain name which I understand certificate issuers won't be able to create a certificate for. And the IP address is a dynamic IP address not a static IP address. If the IP address changes I presume that we would need to update the certificate. Can you comment on a situation where a network does not use or does not have a commercial domain registration? Can you comment on a non-static IP address situation as well?
Curious how CA certificates can be distributed to permit full SSL inspection (deep inspection) without certificate warnings. I read the following document but still have a few questions:
https://cookbook.fortinet.com/preventing-certificate-warnings-ca-cert-60
1. Mobile devices like smart phones and tablets: I see that it is necessary to install the certificate on Windows and Mac computers for the Internet Explorer, Chrome, Safari, and Firefox browsers. What about users on smart phones and tablets running iOS or Android?
2. Can certificates be distributed via Group Policy for domain joined Windows computers using Internet Explorer, Chrome, Safari, and Firefox browsers?
3. Also, is there any easy way to distribute certificates to Mac computers?
Thanks!