Which type of SSL cert is best for the different use cases in a fortigate
SSL certs are used for SSLVPN connections, deep packet inspections, and user authentication. I'm researching the various cert vendors, such as Comodo, DigiCert, Sectigo, etc. Which type of cert is best for each use case, OV, DV, or EV? Are there better options out there? Thank you for your time.
- SSL VPN: the only thing of interest is whether to use a certificate for a subdomain or a wildcard one. All the vendors produce the same certificates; the case of some vendors' certs being more trusted by browsers than others has long gone. Even a free Let's Encrypt certificate will have the same features as paid ones. EV certs are not that valuable here - in most cases users will connect to SSL VPN via FortiClient, which couldn't care less whether the cert is EV or not.
- DPI: External Trusted CAs are not suitable here at all; you will use either a factory-supplied certificate that comes with the FortiGate, or a cert issued by your internal CA server, if you have one.
- User authentication: see above for DPI.
- (A case not listed by the OP) FortiGate holding SSL certificates for websites behind it, working as a proxy (VIP). Here it may matter to the end user whether the certificate is EV or a regular one, but that is debatable too.
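The "subdomain cert or wildcard cert" choice above comes down to which hostnames each certificate's Subject Alternative Names actually cover, under the wildcard rules TLS clients apply (RFC 6125: a `*` is only valid as the whole left-most label and matches exactly one label, so `*.example.com` covers `vpn.example.com` but not `example.com`, `a.vpn.example.com` or an IP address). The following is an added example, not code from the forum thread or from Fortinet; the SAN lists and hostnames are constructed for illustration.

```python
"""Check which hostnames a certificate's SAN entries cover, using the
RFC 6125 / RFC 2818 wildcard rules applied by browsers and TLS clients.

Added example for the thread above; SAN lists and hostnames are constructed.
"""
from ipaddress import ip_address


def dns_name_matches(san_dns: str, hostname: str) -> bool:
    """Return True if a dNSName SAN entry covers hostname.

    Rules applied:
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is accepted only as the entire left-most label
      ('vpn*.example.com' is rejected);
    - the wildcard matches exactly one label, so '*.example.com' covers
      'vpn.example.com' but not 'example.com' or 'a.vpn.example.com';
    - a wildcard with fewer than two labels after it ('*.com') is rejected.
    """
    pattern = san_dns.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = host.split(".")

    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def san_covers(san_entries: list[tuple[str, str]], target: str) -> bool:
    """san_entries is a list of (type, value) pairs as a certificate would
    carry them, e.g. ('DNS', '*.example.com') or ('IP', '203.0.113.10').

    A hostname is only matched by DNS entries; an IP literal is only matched
    by an iPAddress entry. A wildcard never covers an IP address, which is
    why an SSL VPN portal reached by IP needs the IP itself in the SAN.
    """
    try:
        ip = ip_address(target)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            if kind == "IP" and ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_name_matches(value, target):
            return True
    return False


def coverage(san_entries: list[tuple[str, str]], targets: list[str]) -> dict[str, bool]:
    """Map each target hostname/IP to whether the certificate covers it."""
    return {t: san_covers(san_entries, t) for t in targets}


# Constructed SANs for the two options discussed in the post.
SUBDOMAIN_CERT_SAN = [("DNS", "vpn.example.com")]
WILDCARD_CERT_SAN = [("DNS", "*.example.com"), ("DNS", "example.com")]

# Constructed names a FortiGate deployment might need to present.
TARGETS = [
    "vpn.example.com",        # SSL VPN portal FQDN
    "VPN.Example.COM.",       # same name, different case, trailing dot
    "example.com",            # bare apex (needs its own SAN even with a wildcard)
    "a.vpn.example.com",      # nested subdomain: not covered by *.example.com
    "203.0.113.10",           # portal reached by IP: needs an IP SAN
]

if __name__ == "__main__":
    for name, san in (("subdomain cert", SUBDOMAIN_CERT_SAN),
                      ("wildcard cert", WILDCARD_CERT_SAN)):
        print(name)
        for host, ok in coverage(san, TARGETS).items():
            print(f"  {host:22s} {'covered' if ok else 'NOT covered'}")
```

Running it shows the practical difference: the single-name certificate covers only `vpn.example.com`, the wildcard covers any one-label host under `example.com` (plus the apex, because that certificate carries it as a separate SAN), and neither covers a nested subdomain or a raw IP unless those are listed explicitly.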
Hello Shawn,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi Shawn,
I hope you are doing well!
Please check the document below: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/430005/certificates
Thanks & Regards,
Vikash Gupta
Thank you. I've read through that document previously. It doesn't really answer my question as to which types of certs are best for the different use cases. It does a great job of explaining how to configure the different options.
Hello,
The type of SSL certificate that is best for your use case will depend on your specific requirements and the type of traffic you want to secure.
- Domain Validated (DV) SSL Certificates
- Organization Validated (OV) SSL Certificates
- Extended Validation (EV) SSL Certificates
- Wildcard SSL Certificates
- Multi-Domain SSL Certificates
- Client SSL Certificates
The type of SSL certificate you choose will depend on your specific use case and security requirements. You should consider factors such as the level of validation, number of domains/subdomains, and the type of traffic you want to secure when selecting an SSL certificate for your FortiGate.
BR
Thank you.
Thank you for this incredible explanation. I can see why EV certs would not be valuable when using the FortiClient VPN app to connect. That is exactly what we're using. I have the firewall configured for SSO authentication through our Azure AD. We are deploying AWS Private CA to manage our certs for our corporate systems.
Thank you also for the link to your blog.
