"CA:TRUE" certificate for deep inspection where to buy
Hi
I am being sent round and round and not sure what is correct.
I am looking to purchase what Fortinet refers to as a "CA:TRUE" certificate. I want to put it into deep inspection so that I do not have to apply the self-signed one to all devices. My supplier said a person can't get one of these, but when I contacted one of the vendors they sent me a quote. So I am confused as to what is true, whether you can or cannot get one, and if so who the best supplier is of these kinds of certificates?
Ron
You can't buy one of these certs from the traditional CAs (like Verisign, GoDaddy etc). They don't want you signing websites like Gmail on their behalf.
You generally need to have your own company CA and issue a cert from that (and import the CA cert into your clients).
OpenSSL is a free tool that lets you create a CA certificate and then sign the FGT one with CA=True.
There's a cookbook article on what you need to do on OpenSSL to sign the FGT cert:
Thank you for this, will give it a whirl ;)
I was finally able to solve this as well, by using an actual CA certificate authorized for re-signing. We use FortiAuth internally, and I had to upgrade from 5.4.1 to 6.0.3 so that I could create an intermediate certificate -AND- be able to export the key for that new cert. Previous versions of FAC don't allow that.
Then you add that CA cert as a Local cert normally to the FortiGate. Reference it in your SSL Inspection rules. And ensure your hosts/end-points trust the cert of your CA - in my case, the root CA of the FAC itself.