Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Philippe_ASTIER
New Contributor

Wildcard certificate for deep SSL inspection? How to???

Hi all,

 

I know this has been debated many times, but still can't solve it.

 

I have a valid wildcard SSL certificate which I try to import to my FortiGate. Of course, I have all relevant information, including the private key.

 

No matter what I do, it gets imported to "Certificates" rather than "Local Certificates". I can use it as my Fortinet certificate, I can use it for VPN SSL, but I can not use it for deep inspection.

 

I'm trying different formats, but the result is always the same. Is there any valid procedure for that?

Bromont_FTNT
Staff

Is that wildcard cert also a signing certificate? (CA:TRUE) Unlikely.... You'll need to create your own and import your root/intermediate into your workstations.
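
The CA:TRUE question above can be checked programmatically. The following Go program is an added example, not code from this thread or from Fortinet: it builds two constructed test certificates (a root with CA:TRUE and keyCertSign, and a CA:FALSE wildcard server certificate like the one in the question) and reports which of them could sign the per-site certificates that deep inspection forges. The names `canIssue`, `selfSigned`, "Constructed Root CA" and `*.example.com` are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// canIssue reports whether cert can sign the per-site certificates an inspecting
// proxy forges on the fly: basicConstraints CA:TRUE and, if keyUsage is present, keyCertSign.
func canIssue(cert *x509.Certificate) (bool, string) {
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return false, "CA:FALSE (or no basicConstraints): a server/wildcard cert cannot sign"
	}
	if cert.KeyUsage != 0 && cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return false, "CA:TRUE but keyUsage lacks keyCertSign"
	}
	return true, "CA:TRUE with keyCertSign: usable as an inspection CA"
}

// selfSigned returns a constructed, self-signed test certificate for cn.
// Test data only; a real wildcard cert would be issued by a public CA.
func selfSigned(cn string, isCA bool, usage x509.KeyUsage) *x509.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader) // does not fail with crypto/rand
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above; cannot fail
	return cert
}

func main() {
	// A root that can sign, and a wildcard server cert like the one in the question.
	root := selfSigned("Constructed Root CA", true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	leaf := selfSigned("*.example.com", false, x509.KeyUsageDigitalSignature)
	for _, c := range []*x509.Certificate{root, leaf} {
		ok, why := canIssue(c)
		fmt.Printf("%-20s signing=%-5v %s\n", c.Subject.CommonName, ok, why)
	}
}
```

The same two conditions can be read off a PEM file with `openssl x509 -noout -text` under "X509v3 Basic Constraints" and "X509v3 Key Usage".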

Philippe_ASTIER

Well CA:FALSE.... Damn.

 

Let's put it the other way round.

I need to do deep inspection, and can NOT deploy a certificate, as there will be many guests to which I can not deploy it.

 

Any plan for this?

emnoc
Esteemed Contributor III

Impossible, you need to deploy a certificate or the web browser will have cert-issuer errors. If you want MiTM you are forging certificates on the fly and the CA (FortiGate) has to be trusted. No way around this.

You could also look at explicit proxy, but you have to provide the proxy details to the client.

 

Ken

PCNSE 

NSE 

StrongSwan  

Philippe_ASTIER

Seems totally logical. Explicit Proxy is not a bad idea at all.

 

What should be a solution would be to inspect the traffic, but pass on the original traffic to the client, without re-encryption....

 

SecurityPlus

There is not a way on the FortiGate to decrypt/inspect the traffic, then if the traffic passes inspection, to pass on the original traffic to the client without re-encryption, as Philippe asked above, is there?