Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Philippe_ASTIER
New Contributor

Created on ‎08-06-2018 07:03 AM

Wildcard certificate for deep SSL inspection ? How to ???

Hi all,

 

I know this has been debated many times, but still can't solve it.

 

I have a wildcard valid SSL certificate which I try to importe to my FortiGate. Of course, I have all relevant information, including private key.

 

No matter what I do, it gets imported to "Certificates" rather than "Local Certificates". I can use it as my Fortinet certificate, I can use it for VPN SSL, but I can not use it for deep inspection.

 

I'm trying different formats, but the results is always the same. Is there any valid procedure for that? 

9558
0 Kudos
1 Solution
emnoc
Esteemed Contributor III
In response to Philippe_ASTIER

Created on ‎08-06-2018 08:52 AM

Impossible, you need to deploy a certificate or the web-browser will have cert-issuer errors . If you want MiTM you are forging  certificates on the fly and the CA ( fortigate ) has to be trusted . No way around this.

 

You could also look at explicit proxy but you have to provide the proxy details to the client

 

Ken

PCNSE 

NSE 

StrongSwan  

View solution in original post

3159
0 Kudos
5 REPLIES 5
Bromont_FTNT
Staff
Staff

Created on ‎08-06-2018 07:16 AM

Is that wildcard cert also a signing certificate? (CA:TRUE) Unlikely.... You'll need to create your own and import your root/intermediate into your workstations.

3131
0 Kudos
Philippe_ASTIER
New Contributor
In response to Bromont_FTNT

Created on ‎08-06-2018 07:21 AM

Well CA:FALSE.... Damn.

 

Let's put it the other way round.

I need to do deep inspection, and can NOT deploy a certificate, as there will be many guests to which I can not deploy it.

 

Any plan for this ?

3131
0 Kudos
emnoc
Esteemed Contributor III
In response to Philippe_ASTIER

Created on ‎08-06-2018 08:52 AM

Impossible, you need to deploy a certificate or the web-browser will have cert-issuer errors . If you want MiTM you are forging  certificates on the fly and the CA ( fortigate ) has to be trusted . No way around this.

 

You could also look at explicit proxy but you have to provide the proxy details to the client

 

Ken

PCNSE 

NSE 

StrongSwan  

3160
0 Kudos
Philippe_ASTIER
New Contributor
In response to emnoc

Created on ‎08-06-2018 08:56 AM

Seems totally logical. Explicit Proxy is not a bad idea at all.

 

What should be a solution would be to inspect the traffic, but pass on the original traffic to the client, without reencryption....

 

3131
0 Kudos
SecurityPlus
Contributor II
In response to Philippe_ASTIER

Created on ‎08-09-2018 09:54 PM

There is not a way on the FortiGate to decrypt/spect the traffic, then if the traffic passes inspection, to pass on the original traffic to the client, without reencryption as Philippe asked above is there?
3131
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.