Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jeinnor40
New Contributor

"CA:TRUE" certificate for deep inspection where to buy

Hi

I am being sent round and round and not sure what is correct.

I am looking to purchase what Fortinet refers to as a "CA:TRUE" certificate. I want to put it into deep inspection so that I do not have to apply the self-assigned one to all devices. My supplier said a person can't get one of these, but when I contacted one of the vendors they sent me a quote. So I am confused as to what is true, whether you can or cannot get one and, if so, who the best supplier is of these kinds of certificates?

Ron

neonbit
Valued Contributor

You can't buy one of these certs from the traditional CAs (like Verisign, GoDaddy etc.). They don't want you signing websites like Gmail on their behalf.

You generally need to have your own company CA and issue a cert from that (and import the CA cert into your clients).

OpenSSL is a free tool that lets you create a CA certificate and then sign the FGT one with CA=True.

There's a cookbook article on what you need to do on OpenSSL to sign the FGT cert:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/228718/creating-a-certificate-with-opens...

jeinnor40

Thank you for this, will give it a whirl ;)

ergotherego

I was finally able to solve this as well, by using an actual CA certificate authorized for re-signing. We use FortiAuth internally, and I had to upgrade from 5.4.1 to 6.0.3 so that I could create an intermediate certificate -AND- be able to export the key for that new cert. Previous versions of FAC don't allow that.

Then you add that CA cert as a Local cert normally to the FortiGate. Reference it in your SSL Inspection rules. And ensure your hosts/endpoints trust the cert of your CA - in my case, the root CA of the FAC itself.
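Both replies above come down to the same structure: a private root CA that your endpoints trust, and a subordinate certificate with basicConstraints CA:TRUE (the "CA:TRUE" cert) whose private key you can export and load into the FortiGate as a Local certificate. neonbit's reply builds that with OpenSSL; ergotherego's reply gets the subordinate from FortiAuthenticator. The script below is an added example, not code from the thread or from Fortinet, showing the OpenSSL route end to end: it creates an offline root, issues a pathlen:0 subordinate re-signing CA, bundles key and chain into a PKCS#12 for import, and checks that the result really is a CA certificate that chains to the root. It assumes only the `openssl` command-line tool; every organisation name, file path and password is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): build a private root CA plus a
# subordinate "CA:TRUE" re-signing certificate with OpenSSL, then verify it.
# All names, paths, subjects and the PKCS#12 password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; the demo keys stay here

# One config file holding the extension profiles for both CA levels.
write_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_root

[dn]
O = Example Corp (placeholder)
CN = Example Corp Private Root CA (placeholder)

# Offline root: may issue CAs, is never used to re-sign websites itself.
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Subordinate re-signing CA: CA:TRUE so the inspection device can mint leaf
# certs; pathlen:0 so it cannot create further CAs if its key is ever stolen.
[v3_sub]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Self-signed root CA, 10 years. -nodes (unencrypted key) is for the demo only.
make_root_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Subordinate key + CSR, signed by the root with the v3_sub profile, then
# packed with its key and the root into a PKCS#12 file for the device's
# Local certificate store.
make_inspection_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/O=Example Corp (placeholder)/CN=Example Corp TLS Inspection CA (placeholder)" \
    -keyout "$WORK/inspect.key" -out "$WORK/inspect.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inspect.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.cnf" -extensions v3_sub \
    -out "$WORK/inspect.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/inspect.key" -in "$WORK/inspect.crt" \
    -certfile "$WORK/root.crt" -passout pass:changeit -out "$WORK/inspect.p12"
}

# Returns 0 if the certificate carries basicConstraints CA:TRUE, i.e. it is
# what the thread calls a "CA:TRUE" certificate.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 if the subordinate chains to the root: the verdict an endpoint that
# trusts root.crt reaches when it is shown a certificate re-signed by inspect.crt.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/inspect.crt" >/dev/null 2>&1
}

build_inspection_ca() {
  write_config && make_root_ca && make_inspection_ca
}

build_inspection_ca
is_ca_cert "$WORK/inspect.crt" && chain_verifies && echo "inspection CA ready in $WORK"
```

Import `inspect.p12` on the FortiGate as a Local certificate and select it in the SSL inspection profile; distribute only `root.crt` to the endpoints (never either private key). Keep the root key offline and treat `inspect.key` as the most sensitive secret on the device, since anyone holding it can issue certificates every managed endpoint will trust; the pathlen:0 constraint limits, but does not remove, that blast radius.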