Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
shawn-ev
New Contributor III

Which type of SSL cert is best for the different use cases in a fortigate

SSL certs are used for SSLVPN connections, deep packet inspections, and user authentication. I'm researching the various cert vendors, such as Comodo, DigiCert, Sectigo, etc. Which type of cert is best for each use case, OV, DV, or EV? Are there better options out there? Thank you for your time.

1 Solution
Yurisk
SuperUser
SuperUser

  • SSL VPN: the only thing of interest is whether to use a certificate for subdomain or a wildcard one. All the vendors produce the same certificates, the case of some vendors' certs being more trusted by browsers than others has long gone. Even a free Let's Encrypt certificate will have the same features as paid ones. EV certs are not that valuable here - in most of the cases users will connect to SSL VPN via Forticlient which couldn't care less whether the cert is EV or not.
  • DPI: External Trusted CAs are not suitable here at all, you will use either a factory-supplied certificate that comes with the Fortigate, or a cert issued by your internal CA server, if you have such one.
  • User authentication: see above for DPI.
  • (Unlisted by the OP case) Fortigate holding SSL certificates for websites behind it, working as proxy (VIP). Here it may matter to the end user if the certificate EV or a regular one, but is debatable also.
Yuri https://yurisk.info/  blog: All things Fortinet, no ads.

View solution in original post

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
7 REPLIES 7
Anthony_E
Community Manager
Community Manager

Hello Shawn,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
vikashgupta
Staff
Staff

Hi Shawn,

I hope you are doing well!

Please check below document:https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/430005/certificates

Thanks & Regards,

Vikash Gupta

shawn-ev
New Contributor III

Thank you. I've read through that document previously. It doesn't really answer my question as to which types of certs are best for the different use cases. It does a great job of explaining how to configure the different options.

rtichkule
Staff
Staff

Hello,

 

The type of SSL certificate that is best for your use case will depend on your specific requirements and the type of traffic you want to secure.

Domain Validated (DV) SSL Certificates / Organization Validated (OV) SSL Certificates / Extended Validation (EV) SSL Certificates / Wildcard SSL Certificates / Multi-Domain SSL Certificates / Client SSL Certificates

The type of SSL certificate you choose will depend on your specific use case and security requirements. You should consider factors such as the level of validation, number of domains/subdomains, and the type of traffic you want to secure when selecting an SSL certificate for your FortiGate.

 

BR

shawn-ev
New Contributor III

Thank you.

Yurisk
SuperUser
SuperUser

  • SSL VPN: the only thing of interest is whether to use a certificate for subdomain or a wildcard one. All the vendors produce the same certificates, the case of some vendors' certs being more trusted by browsers than others has long gone. Even a free Let's Encrypt certificate will have the same features as paid ones. EV certs are not that valuable here - in most of the cases users will connect to SSL VPN via Forticlient which couldn't care less whether the cert is EV or not.
  • DPI: External Trusted CAs are not suitable here at all, you will use either a factory-supplied certificate that comes with the Fortigate, or a cert issued by your internal CA server, if you have such one.
  • User authentication: see above for DPI.
  • (Unlisted by the OP case) Fortigate holding SSL certificates for websites behind it, working as proxy (VIP). Here it may matter to the end user if the certificate EV or a regular one, but is debatable also.
Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
shawn-ev
New Contributor III

Thank you for this incredible explanation. I can see why EV certs would not be valuable when using the FortiClient VPN app to connect. That is exactly what we're using. I have the firewall configured for SSO authentication through our Azure AD. We are deploying AWS Private CA  to manage our certs for our corporate systems.

 

Thank you also for the link to your blog.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors