Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
damianhlozano
Contributor

Use a web server certificate for deep inspection

Hello team!!!

 

Just a basic question

We have a third party certificate issued from a trusted certificate authority, for our web server.

Is it possible to use the same certificate for doing deep inspection in outgoing FortiGate policies? Is there any requirement for this certificate to work?

What are the steps to import this certificate into a FortiGate running 7.2.1?

 

Thanks in advance.

Regards,

Damián

 

Damián Lozano
1 Solution
abelio
SuperUser
SuperUser


damianhlozano wrote:

Is it possible to use the same certificate for doing deep inspection in outgoing fortigate policies?  Is there any requirement for this certificate to work?

Hi

Unfortunately not, you can't use it to do that (no commercially issued certificates can, I guess).

For deep inspection your certificate must have the attribute CA=TRUE or KeyUsage=KeyCertSign.

That certificate allows your FGT to issue certificates (and private keys) on the fly.

 

regards / Abel

kcheng
Staff
Staff

Hi @damianhlozano 

 

Just like the fact mentioned by abelio, you can't use a web server certificate for deep inspection. The process of deep inspection includes decryption and re-encryption of the packet post content scanning. Hence, it is necessary to equip the certificate with a subCA attribute. You may refer to the documents below for the explanation and steps to generate the certificate if required:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/605938/why-you-should-use-ssl-inspection

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/680736/microsoft-ca-deep-packet-inspecti...

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
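Abel's solution and Kayzie's reply above give the requirement (basicConstraints CA:TRUE and keyCertSign, i.e. a sub-CA certificate). The script below is an added example, not from the thread or from Fortinet, that checks a candidate certificate against that requirement with the openssl CLI before you try to import it; it assumes openssl is installed, and the CN=demo certificates it generates are constructed locally for the demonstration.

```shell
# Added example, not from the thread: check whether a certificate has the
# CA attributes a FortiGate needs to resign traffic for deep inspection
# (basicConstraints CA:TRUE and, if keyUsage is present, keyCertSign).
# Needs the openssl CLI. A plain web server certificate fails this check.
set -u

# Returns 0 if the certificate can act as a resigning CA, 1 otherwise.
can_resign() {
    txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    # Basic Constraints must assert CA:TRUE ...
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
    # ... and Key Usage, when present, must include keyCertSign, which
    # openssl prints as "Certificate Sign".
    if printf '%s\n' "$txt" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$txt" | grep -q 'Certificate Sign' || return 1
    fi
}

# Constructed test material: a throw-away CA-style cert (ca.pem) and a
# server-style cert (srv.pem), self-signed locally; not real certificates.
make_demo_certs() {
    cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    for kind in ca srv; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ext.cnf" \
            -extensions "${kind}_ext" -keyout "$1/$kind.key" -out "$1/$kind.pem" 2>/dev/null
    done
}

demo() {
    tmp=$(mktemp -d)
    make_demo_certs "$tmp"
    for c in ca srv; do
        can_resign "$tmp/$c.pem" && echo "$c.pem: usable" || echo "$c.pem: NOT usable"
    done
    rm -rf "$tmp"
}
demo
```

A certificate that passes the check is only half of what the FortiGate needs for resigning: the matching private key has to be imported with it, which is exactly why a CA will not hand you a sub-CA certificate for this purpose.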
damianhlozano

Thanks for the information guys!!!

 

Damián Lozano
sw2090
SuperUser
SuperUser

That's also the reason why no commercial certs can be used. There is seemingly no commercial CA out there that would issue you a sub-CA certificate :)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams