Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
shawn-ev
New Contributor

Created on ‎05-09-2023 07:24 AM

Which type of SSL cert is best for the different use cases in a fortigate

SSL certs are used for SSLVPN connections, deep packet inspections, and user authentication. I'm researching the various cert vendors, such as Comodo, DigiCert, Sectigo, etc. Which type of cert is best for each use case, OV, DV, or EV? Are there better options out there? Thank you for your time.

Labels:
288
0 Kudos
1 Solution
Yurisk
Valued Contributor

Created on ‎05-14-2023 10:34 AM

  • SSL VPN: the only thing of interest is whether to use a certificate for subdomain or a wildcard one. All the vendors produce the same certificates, the case of some vendors' certs being more trusted by browsers than others has long gone. Even a free Let's Encrypt certificate will have the same features as paid ones. EV certs are not that valuable here - in most of the cases users will connect to SSL VPN via Forticlient which couldn't care less whether the cert is EV or not.
  • DPI: External Trusted CAs are not suitable here at all, you will use either a factory-supplied certificate that comes with the Fortigate, or a cert issued by your internal CA server, if you have such one.
  • User authentication: see above for DPI.
  • (Unlisted by the OP case) Fortigate holding SSL certificates for websites behind it, working as proxy (VIP). Here it may matter to the end user if the certificate EV or a regular one, but is debatable also.

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.

View solution in original post

199
7 REPLIES 7
Anthony_E
Community Manager
Community Manager

Created on ‎05-11-2023 09:28 PM

Hello Shawn,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
247
0 Kudos
vikashgupta
Staff
Staff

Created on ‎05-11-2023 10:05 PM

Hi Shawn,

I hope you are doing well!

Please check below document:https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/430005/certificates

Thanks & Regards,

Vikash Gupta

240
shawn-ev
New Contributor
In response to vikashgupta

Created on ‎05-17-2023 12:25 PM

Thank you. I've read through that document previously. It doesn't really answer my question as to which types of certs are best for the different use cases. It does a great job of explaining how to configure the different options.

154
0 Kudos
rtichkule
Staff
Staff

Created on ‎05-14-2023 07:56 AM

Hello,

 

The type of SSL certificate that is best for your use case will depend on your specific requirements and the type of traffic you want to secure.

Domain Validated (DV) SSL Certificates / Organization Validated (OV) SSL Certificates / Extended Validation (EV) SSL Certificates / Wildcard SSL Certificates / Multi-Domain SSL Certificates / Client SSL Certificates

The type of SSL certificate you choose will depend on your specific use case and security requirements. You should consider factors such as the level of validation, number of domains/subdomains, and the type of traffic you want to secure when selecting an SSL certificate for your FortiGate.

 

BR

217
shawn-ev
New Contributor
In response to rtichkule

Created on ‎05-17-2023 12:25 PM

Thank you.

154
0 Kudos
Yurisk
Valued Contributor

Created on ‎05-14-2023 10:34 AM

  • SSL VPN: the only thing of interest is whether to use a certificate for subdomain or a wildcard one. All the vendors produce the same certificates, the case of some vendors' certs being more trusted by browsers than others has long gone. Even a free Let's Encrypt certificate will have the same features as paid ones. EV certs are not that valuable here - in most of the cases users will connect to SSL VPN via Forticlient which couldn't care less whether the cert is EV or not.
  • DPI: External Trusted CAs are not suitable here at all, you will use either a factory-supplied certificate that comes with the Fortigate, or a cert issued by your internal CA server, if you have such one.
  • User authentication: see above for DPI.
  • (Unlisted by the OP case) Fortigate holding SSL certificates for websites behind it, working as proxy (VIP). Here it may matter to the end user if the certificate EV or a regular one, but is debatable also.

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
200
shawn-ev
New Contributor
In response to Yurisk

Created on ‎05-17-2023 12:30 PM

Thank you for this incredible explanation. I can see why EV certs would not be valuable when using the FortiClient VPN app to connect. That is exactly what we're using. I have the firewall configured for SSO authentication through our Azure AD. We are deploying AWS Private CA  to manage our certs for our corporate systems.

 

Thank you also for the link to your blog.

153
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.