jheadley_FTNT
Article Id 195068
Description
Performing SSL Inspection without certificate warnings requires that the CA certificate configured in the SSL Inspection profile be installed as a trusted CA in the users' web browsers (or in the operating system trust store they rely on).

It is common to want multiple FortiGates to use the same certificate in their SSL Inspection profiles, so that administrators have only one CA certificate to manage and to distribute to users' browsers.

This article explains an efficient way to do this using OpenSSL.

Scope
Fortinet devices running FortiOS 5.0 and above.

Solution
Method 1: FortiGates perform SSL inspection as an intermediate CA with a certificate issued by a company's private root CA (Preferred Method)

1. Download and install OpenSSL for your operating system.

2. Generate an RSA private key using OpenSSL.
openssl.exe genrsa -out private.key 2048

Note: keep the private key file secure. It is the key that signs the certificates the FortiGate presents to users in place of the real servers' certificates, so anyone who obtains it can issue certificates that every browser trusting this CA will accept and can impersonate any HTTPS site to those users.
3. Generate a certificate signing request (CSR) using this private key. OpenSSL prompts for the subject fields; choose a descriptive Common Name (for example, the company's SSL inspection CA), because it appears as the issuer of every certificate the FortiGate generates.
openssl.exe req -out mycsr.csr -key private.key -new -sha256

4. Submit this CSR to be signed by the private certificate authority (CA) of your choice.
Your private CA must issue the new certificate as a subordinate (intermediate) CA certificate of your private root, not as an ordinary server certificate. In Active Directory Certificate Services this means issuing it with the Subordinate Certification Authority template.

If this has been done correctly, viewing the certificate details will show X509v3 Key Usage: Certificate Sign and X509v3 Basic Constraints: CA:TRUE. Without both, the certificate is an end-entity certificate and cannot validly issue the per-site certificates that SSL inspection generates, and browsers will reject them.

Commonly, network administrators will utilize their FortiAuthenticator or Active Directory Certificate Services on their Windows Domain Controller to sign this CSR.

A public CA (GoDaddy, VeriSign, etc.) will never issue you an intermediate CA certificate that can be used for SSL inspection: browser root programs and the CA/Browser Forum Baseline Requirements that public CAs are bound by prohibit issuing subordinate CA certificates for traffic interception.
5. Import both the certificate from Step 4 and the private key from Step 2 into all desired FortiGates by navigating to the Certificates section in the web GUI and selecting Import > Local Certificate > Type: Certificate, supplying the certificate file and the private key file (and the key's password, if you encrypted it).

6. In your SSL Inspection profile(s), select the newly imported certificate as the CA certificate for the profile. Because the certificate chains to your private root CA, users' browsers need to trust that root (an AD CS enterprise root is normally already distributed to domain-joined machines); see the related note on chaining root and intermediate CA certificates if browsers still report an incomplete chain.

Method 2: FortiGates perform SSL inspection as a private root CA

1. Download and install OpenSSL for your operating system.

2. Generate an RSA private key using OpenSSL.
openssl.exe genrsa -out private.key 2048

Note: as in Method 1, keep this private key secure. In this method it is the root CA key itself, so anyone who obtains it can issue certificates for any site that every browser trusting this root will accept.

3. Generate a self-signed root CA certificate using this private key, valid for 1825 days (five years). The -extensions v3_ca option selects the [v3_ca] section of the default OpenSSL configuration file, which marks the certificate with Basic Constraints CA:TRUE.

openssl.exe req -x509 -new -nodes -key private.key -sha256 -days 1825 -extensions v3_ca -out mycertificate.crt


4. Import both the certificate from Step 3 and the private key from Step 2 into all desired FortiGates by navigating to the Certificates section in the web GUI and selecting Import > Local Certificate > Type: Certificate, supplying the certificate file and the private key file.

5. In your SSL Inspection profile(s), select the newly imported certificate as the CA certificate for the profile. Users' browsers must trust this root CA directly, so distribute the certificate file (never the private key) to every browser or operating system trust store.
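The full sequence for both methods, as an added example that is not from the Fortinet article: a POSIX shell script (on Windows run it in Git Bash or WSL, where the article's openssl.exe is plain openssl) that builds a private root CA as in Method 2, issues an intermediate SSL-inspection CA from it as in Method 1 step 4, runs the extension check from step 4, and shows the failure case of a CA that signs the CSR as an ordinary server certificate. The working directory, file names and subject names are hypothetical; it needs OpenSSL 1.1.1 or later and carries its own minimal req configuration so nothing depends on the installed openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: builds a private root CA
# (Method 2), issues an intermediate SSL-inspection CA from it (Method 1,
# step 4) and runs the extension check from step 4. Directory, file and
# subject names are hypothetical. Needs OpenSSL 1.1.1+ in PATH; it carries its
# own minimal req config so nothing depends on the installed openssl.cnf.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Article steps 2-3: RSA key, then a CSR carrying the subject name that users
# will later see as the issuer of every inspected site's certificate.
make_key_and_csr() {
    name=$1; subject=$2
    printf '%s\n' '[req]' 'distinguished_name = req_dn' '[req_dn]' > "$WORK/req.cnf"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$WORK/req.cnf" -key "$WORK/$name.key" \
        -subj "$subject" -out "$WORK/$name.csr"
}

# Sign a CSR using the extensions in $ext. Without issuer arguments the CSR is
# self-signed (a root); with them it is issued by that CA.
sign_csr() {
    csr=$1; key=$2; ext=$3; out=$4; days=$5; issuer_crt=${6:-}; issuer_key=${7:-}
    if [ -z "$issuer_crt" ]; then
        openssl x509 -req -in "$csr" -signkey "$key" -sha256 -days "$days" \
            -extfile "$ext" -out "$out" 2>/dev/null
    else
        openssl x509 -req -in "$csr" -CA "$issuer_crt" -CAkey "$issuer_key" \
            -CAcreateserial -sha256 -days "$days" -extfile "$ext" -out "$out" 2>/dev/null
    fi
}

# Method 2: self-signed private root CA (what -extensions v3_ca gives you in
# the article, written out explicitly here).
make_root_ca() {
    make_key_and_csr root "/O=Example Corp/CN=Example Corp Private Root CA"
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
                  'keyUsage = critical, keyCertSign, cRLSign' > "$WORK/root.ext"
    sign_csr "$WORK/root.csr" "$WORK/root.key" "$WORK/root.ext" "$WORK/root.crt" 1825
}

# Method 1, step 4 done right: CA:TRUE plus keyCertSign. pathlen:0 is extra:
# the inspection CA may issue per-site certificates but no further CAs.
make_inspection_ca() {
    make_key_and_csr inspect "/O=Example Corp/CN=Example Corp SSL Inspection CA"
    printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
                  'keyUsage = critical, keyCertSign, cRLSign' > "$WORK/inspect.ext"
    sign_csr "$WORK/inspect.csr" "$WORK/inspect.key" "$WORK/inspect.ext" \
        "$WORK/inspect.crt" 730 "$WORK/root.crt" "$WORK/root.key"
}

# Method 1, step 4 done wrong: the CA signs the same CSR as an ordinary server
# certificate, which is what a default web-server template produces.
make_wrongly_signed_cert() {
    printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
                  'keyUsage = critical, digitalSignature, keyEncipherment' > "$WORK/leaf.ext"
    sign_csr "$WORK/inspect.csr" "$WORK/inspect.key" "$WORK/leaf.ext" \
        "$WORK/leaf.crt" 730 "$WORK/root.crt" "$WORK/root.key"
}

# The article's check: the certificate text must show "CA:TRUE" under
# Basic Constraints and "Certificate Sign" under Key Usage. Exit 0 if both.
check_ca_extensions() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q 'CA:TRUE' && echo "$text" | grep -q 'Certificate Sign'
}

# Chain validation as a browser that trusts only root.crt would do it.
check_chain() {
    openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
}

main() {
    make_root_ca
    make_inspection_ca
    make_wrongly_signed_cert
    if check_ca_extensions "$WORK/inspect.crt" && check_chain "$WORK/inspect.crt"; then
        echo "inspect.crt: CA:TRUE + Certificate Sign, chains to root.crt; import with inspect.key"
    fi
    if ! check_ca_extensions "$WORK/leaf.crt"; then
        echo "leaf.crt: not a CA certificate; FortiGate cannot issue per-site certs with it"
    fi
    echo "output in $WORK"
}

main
```

For Method 1 import inspect.crt with inspect.key into each FortiGate and make sure browsers trust root.crt; for Method 2 import root.crt with root.key and distribute root.crt to browsers. The pathlen:0 constraint on the intermediate goes beyond the article's minimum: it lets the FortiGate issue per-site certificates but not further CA certificates, so a leaked inspection key cannot be used to build a deeper hierarchy under the company root.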


Related Articles

Technical Note : Extract a Private Key and Public Certificate from a FortiGate/FortiWiFi configurati...

Technical Note: Moving or copying a Certificate and its Private Key to another FortiGate or FortiWiF...

Technical Note: How to avoid certificate error message by chaining Root CA and Intermediate CA certi...
