Description
When SSL content inspection for HTTPS (deep scan) is enabled on a FortiGate, web browsers will usually display a warning message if the Certificate Authority (CA) for the default certificate used by the FortiGate SSL inspection is not known by the browser. The default certificate in this case is Fortinet_CA_SSLProxy.
Internet Explorer will display a certificate warning page.
If the user clicks on "Continue to this website (not recommended)", the certificate will be temporarily accepted for this connection, but the same message will be displayed at the next connection or when accessing any other HTTPS site.
The procedure that follows explains how to permanently store the FortiGate root CA in Internet Explorer to avoid any further warning message.
Solution
1. Download the FortiGate CA from the Web Based Manager (GUI)
1.1. Go to System --> Certificates --> Local Certificates
1.2. Select Fortinet_CA_SSLProxy (the same applies to any other certificate that needs to be used for SSL inspection)
1.3. Click on Download
1.4. Save the file Fortinet_CA_SSLProxy.cer (or any other related CA file if another certificate needs to be used)
2. Install the root CA in the trusted root certification list of Internet Explorer 8
2.1. From an Internet Explorer 8 window, go to Tools --> Internet Options --> Content --> Certificates --> Trusted Root Certification Authorities
2.2. Click on Import and select the .cer file saved previously; keep all other default options and accept the new FortiGate CA installation
2.3. Verify in the Trusted Root Certification Authorities list that the new root certificate is present
2.4. Check that the IE8 warning message is no longer displayed when accessing an HTTPS Web site
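
A scripted equivalent of steps 2.2 and 2.3, as an added example that is not part of the original article or Fortinet's own tooling. It checks the downloaded file before trusting it; the file path and the expected thumbprint are assumptions, the latter a value obtained separately from the FortiGate administrator.

```powershell
# Added example, not Fortinet code. Run as the user whose Internet Explorer should trust the CA.
param(
    # Assumed location of the file saved in step 1.4
    [string]$CerPath = "$env:USERPROFILE\Downloads\Fortinet_CA_SSLProxy.cer",
    # Placeholder input: SHA-1 thumbprint of the CA, obtained from the FortiGate administrator
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'

# Parse the file without installing anything yet
$path = (Resolve-Path -LiteralPath $CerPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# Compare thumbprints after stripping spaces/colons and normalising case
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not importing."
}

# A certificate used to sign inspected traffic must carry the CA flag (Basic Constraints)
$bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Certificate '$($cert.Subject)' is not marked as a CA. Not importing."
}

# Step 2.2: add to the current user's Trusted Root Certification Authorities store
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'CurrentUser'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try { $store.Add($cert) } finally { $store.Close() }

# Step 2.3: confirm the certificate is now present in the store
$installed = Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw 'Import did not succeed: certificate not found in Cert:\CurrentUser\Root.' }
$installed | Format-List Subject, Issuer, NotAfter, Thumbprint
```

Windows displays a confirmation dialog showing the thumbprint when a certificate is added to the current user's root store; it corresponds to the acceptance prompt in step 2.2.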