Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: VeriSign certificate & deep packet inspection
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VeriSign certificate & deep packet inspection
Hello, has anyone successfully created a pcks12 certificate using openssl and VeriSign to install a VeriSign certificate on a Fortigate device for the ssl deep packet inspection? If so, how did you do it?
-Chris
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
michellem812,
I was sort of new to certificates when I first started messing with this as well. In case you haven' t gotten the answer you' re looking for let me explain what you' ll need to do:
First, the reason the signed cert from Verisign (or from any other Certificate Authority) isn' t working is because what you actually need is a Certficate Authority cert (a sub-ca or ca as mentioned above). No public Certificate Authority will issue a sub-ca or ca level cert to a customer because it would allow that customer to sign further certificates and appear as if they were that public Certificate Authority. This would break the " trust" for that vendor.
The cert you received from Verisign is likely to be a run-of-the-mill server certificate. It can be used to sign traffic for a device with a particular address only and cannot be used to sign further certs, which is what you need.
The FortiGate uses the ca or sub-ca certificate to dynamically create and sign further server certificates for the hosts you attempt reach through it. The short explanation of this process is that it is an authorized " man-in-the-middle" attack on the SSL-secured traffic where the FortiGate asserts itself as the source of your traffic and talks to the remote host on your behalf. It then relays the responses back to you signed with a new cert it generated from the ca/sub-ca for that session.
To acquire the ca/sub-ca cert you' ll have to setup a private Certificate Authority within your organization. Setting one of those up would take up more time than I have, but if you are in a Microsoft environment (AD2003 or greater) then the process isn' t too difficult. After you have your private CA setup you will then need to distribute the CA cert to your internal hosts so that they trust it (again, easy to do with Active Directory GPOs) and finally import that ca/sub-ca cert into the FortiGate.
It seems a lot more complex than it really is. Just do some research on setting up a Private Key Infrastructure (PKI) for your organization and you' ll have the tools you need to get HTTPS inspection working.
As a side piece of advice: when setting up your PKI consider having at least two CA servers. The first, the root CA, should issue a cert to the second subordinate-CA. Then shut down the first and only issues further certs from the sub-CA. This will allow you to easily revoke certificates should your Certificate Authority ever become compromised.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For ssl scanning you need a (sub-)ca-certificate. Is VeriSign signing this certificate signing requests?
-Thors_Hammer
multiple 30B / 40C / 60(B) / 80C / 100A / 200(A/B) / 600C 4.0 MR3
multiple 30B / 40C / 60(B) / 80C / 100A / 200(A/B) / 600C 4.0 MR3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, VeriSign is signing the request. Well, I' m assuming they are since they process the csr and offer me a PKCS7/x509 certificate back. :) Here is what I did:
Per Fortinet KB http://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD30586
I used 2 of the 3 commands on the referenced site (http://webdesign.about.com/od/ssl/ht/new_selfsigned.htm) I cannot use the 3rd command because it creates a self signed cert.
Here are the commands used:
-openssl genrsa -des3 -out certificate.key 2048
-openssl req -new -key certificate.key -out certificate.csr
I submitted the csr to verisign and got my new pkcs7 (.p7b) certificate. I decided that I need to verify that the key, csr, and certificate match.
I downloaded the verisign cert in x509 format (certificate.cer) and ran these commands to verify the certificate matches the private key:
openssl rsa -noout -modulus -in certificate.key
openssl req -noout -modulus -in certificate.csr
openssl x509 -noout -modulus -in certificate.cer
the keys matched
since it looks like you need to convert to pem from pkcs7 I run this:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
Now, I think I need to reverify that the keys match so I do this:
openssl x509 -noout -modulus -in certificate.pem
The keys still match, good
So now I need to convert to a pkcs12 cert. I did this:
openssl pkcs12 -export -inkey certificate.key -in certificate.pem -out certificate.p12
I am prompted to the export password, I do.
So now I try to import it into the fortigate
System \ Certificate \ Local Certificates
Import
Type = PKCS12 Certificate
Certificate with key file = certificate.p12
Password = the password
Error - Failed to import pkcs12 file.
What am I doing wrong?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a similar problem - I have a GoDaddy cert, and am trying to use it with the UTM Proxy Option. Since the certificate includes an intermediate cert, the Fortigate isn' t seeing CA:true or Key Usage = Certificate Signing for my GoDaddy cert (tech support verified that one of those must be true for the UTM Proxy option to work with SSL inspection).
I did get it to install using the openssl option after loading the .cer files that I received from GoDaddy into Microsoft and then exporting to PKCS#12 and using openssl to convert to a certificate that Fortigate would accept (http://www.doitfixit.com/index.php?option=com_content&view=article&id=153:importing-a-microsoft-iis-... ). However, that still did not provide the CA:true or KeyUsage=Cert Signing that Fortigate says is necessary for the cert to be used by UTM Proxy Options.
Has ANYONE gotten a third-party cert to work with Fortigate' s UTM Proxy Options? I can get it to work with the SSLVPN, just not for deep packet inspection. And I don' t want a self-signed one by my domain controller, since I have too many non-domain devices on the network that would still get the cert error screen. Just curious if anyone has this working.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has ANYONE gotten a third-party cert to work with Fortigate' s UTM Proxy Options?Not possible... This is not a fortigate issue. You will have the same problem with other vendors, watchguard, cisco, sonicwall, etc... I don' t know of a SSL vendor that would allow you to have a public CA cert. Private certs are you only option.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From what I' m seeing with the open incident with FG tech support, I think you' re right. I cannot get a public CA cert, and that is what FG wants for the UTM Proxy option. I don' t want to require users to install a certificate on their devices, since I have thousands of different devices, not all of them managed, so I think I' ll have to forgo the SSL deep scan option. However, I wish the FG documentation was more clear on this aspect. At least my certificate will work with SSL-VPN.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don' t see what' s not clear in the documentation. This is not a Fortinet problem. VeriSign/GoDaddy/etc aren' t issuing certificates for *.* hostnames, so how would you ever expect these to work for deep packet SSL inspection?
If it was possible to install certificates that are universally trusted by devices onto firewalls/routers, then SSL would be a completely useless protocol. If someone tries to get in the middle of your users, they SHOULD see a warning! If a certificate isn' t trusted by a reputable authority and issued for that specific website, they SHOULD see a warning! If you don' t want them to see it, you need to take very deliberate steps not to: 1) issue a trusted certificate from your domain controller (as this should be a highly secure certificate authority in your organization) or 2) on un-managed devices, give them a certificate that they must install which will be trusted for the same purpose. The user should DEFINITELY have to take specific, deliberate steps in order to avoid seeing warnings.
If SSL interception was as easy as you wish it to be, entire countries would be doing it, not to mention entire service providers, airports/hotels/cafes. SSL would be broken and nobody would trust it for anything at all.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I realize that I don' t fully understand the SSL options for the deep packet SSL inspection - which is why I posted to the forum, hoping for helpful responses. I didn' t find the documentation clear - and I also spoke with 2 Fortinet tech support agents who both told me that I should be able to take a purchased SSL cert to use for the SSL inspection so that no cert installation on a device is necessary.
It has not worked with a purchased cert and they are still researching why. If it is a simple matter of " only trusted certs from your domain controller will work with SSL deep pack inspection" then it would be nice to have that listed in the documentation, and for their tech support staff to just tell me that.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
michellem812,
I was sort of new to certificates when I first started messing with this as well. In case you haven' t gotten the answer you' re looking for let me explain what you' ll need to do:
First, the reason the signed cert from Verisign (or from any other Certificate Authority) isn' t working is because what you actually need is a Certficate Authority cert (a sub-ca or ca as mentioned above). No public Certificate Authority will issue a sub-ca or ca level cert to a customer because it would allow that customer to sign further certificates and appear as if they were that public Certificate Authority. This would break the " trust" for that vendor.
The cert you received from Verisign is likely to be a run-of-the-mill server certificate. It can be used to sign traffic for a device with a particular address only and cannot be used to sign further certs, which is what you need.
The FortiGate uses the ca or sub-ca certificate to dynamically create and sign further server certificates for the hosts you attempt reach through it. The short explanation of this process is that it is an authorized " man-in-the-middle" attack on the SSL-secured traffic where the FortiGate asserts itself as the source of your traffic and talks to the remote host on your behalf. It then relays the responses back to you signed with a new cert it generated from the ca/sub-ca for that session.
To acquire the ca/sub-ca cert you' ll have to setup a private Certificate Authority within your organization. Setting one of those up would take up more time than I have, but if you are in a Microsoft environment (AD2003 or greater) then the process isn' t too difficult. After you have your private CA setup you will then need to distribute the CA cert to your internal hosts so that they trust it (again, easy to do with Active Directory GPOs) and finally import that ca/sub-ca cert into the FortiGate.
It seems a lot more complex than it really is. Just do some research on setting up a Private Key Infrastructure (PKI) for your organization and you' ll have the tools you need to get HTTPS inspection working.
As a side piece of advice: when setting up your PKI consider having at least two CA servers. The first, the root CA, should issue a cert to the second subordinate-CA. Then shut down the first and only issues further certs from the sub-CA. This will allow you to easily revoke certificates should your Certificate Authority ever become compromised.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rick H - thanks for the clear explanation. I think for our purposes setting up the HTTPS inspection will be more than what we need, since I can do enough with the Application Control (ie, blocking https youtube and facebook). I thought with v5 that the HTTPS inspection somehow was able to work with a regular cert, but I understand now that it is still man-in-the middle and would need a private cert to really work. I will just continue with non-HTTPS utm proxy options. Thank you for the easy to read explanation.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,709 -
FortiClient
1,766 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
473 -
FortiClient EMS
434 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate-VM
14 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.