Hello team!!!
Just a basic question
We have a third party certificate issued from a trusteed certificate authority, for our web server.
Is it possible to use the same certificate for doing deep inspection in outgoing fortigate policies? Is there any requirement for this certificate to work?
What are the steps to import this certificate into a Fortigate in 7.2.1 ?
Thanks in advance.
Regards,
Damián
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
damianhlozano wrote:Is it possible to use the same certificate for doing deep inspection in outgoing fortigate policies? Is there any requirement for this certificate to work?
Hi
Unfortunately not, you can't use it do that (no commercial isssued certificates can´t I guess)
For deep inspection your certificate must have attribute CA=TRUE or KeyUsage=KeyCertSign
That certificate allows your FGT to issue certificates (and private keys) on the flight.
regards
/ Abel
damianhlozano wrote:Is it possible to use the same certificate for doing deep inspection in outgoing fortigate policies? Is there any requirement for this certificate to work?
Hi
Unfortunately not, you can't use it do that (no commercial isssued certificates can´t I guess)
For deep inspection your certificate must have attribute CA=TRUE or KeyUsage=KeyCertSign
That certificate allows your FGT to issue certificates (and private keys) on the flight.
regards
/ Abel
Just like the fact mentioned by abelio, you can't use a web server certificate for deep inspection. The process of deep inspection includes decryption and re-encryption of the packet post content scanning. Hence, it is necessary to equip the certificate with a subCA attribute. You may refer to the documents below for the explanation and steps to generate the certificate if required:
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/605938/why-you-should-use-ssl-inspection
Thanks for the information guys!!!
that's also the reason why no commercial certs can be used. There is seemingly no commerical CA out there that would issue you a sub-ca certificate :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1643 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.