When you've activated certificate inspection or deep SSL inspection, the
acceptance of the external certificate is up to the FG. When it rejects
the external certificate it shows the page with the warning: "This Connection
is Untrusted ..." You can check th...

That looks like you're trying to use a (slightly) different name in the
'set untrusted-caname' command than the one you have imported. Double
check the name in the certificate list and make sure the private key was
imported.

@Zanoob You need to use the untrusted-caname of a certificate that is
installed on the FGT unit (including a private key) and that the clients
trust. You cannot use an external, trusted certificate because without a
private key, the FGT can't use it....

Well, I restarted Firefox (I know that deleting the cache and
shift-ctrl-R don't always force a certificate reload or SSL
renegotiation) and also tried a second PC - somehow the setting didn't
catch right away. Possibly the FG had retained some conne...

Radu: even though the "Untrusted-caname" option didn't work right away,
it did start working at some time later on. I just stumbled on a page
with an incomplete certificate chain (intermediate cert missing) and
wondered why I could read the FG's warn...

If you don't really require SSH on WAN just deactivate it. If you do
need it you should at least restrict login to those subnets you need to
allow access.