SSL Inspection - 50 firewalls - one cert?
We have an Active Directory Cert Server that has issued me a Subordinate CA certificate for SSL inspection - this works great on our main edge firewall(s) for SSL Inspection, even deep inspection.
My question is: can I use that same certificate across the board on all our firewalls, so that each FortiGate doesn't have to be issued its own CA certificate from our internal cert server? It's very cumbersome to get each of those issued and then each of those imported into the local PCs' trusted cert store so that they don't get an error during SSL inspection.
Any advice appreciated - We also have a FortiAuthenticator that I have read can also act as a CA so if that's a better move I'm all ears
Yes, and that's about normal. We use one private CA certificate and it eases management. Just make sure you trust the certificate for your applications.
If you strike a unique certificate for each firewall (50+), you will have to figure out a way to deploy it to the end-users. That would be a nightmare ;)
Now, if you have a business requirement for a specific need, then yes, craft a unique cert for that business dept.
Ken Felix
PCNSE
NSE
StrongSwan
Appreciate the reply.... I can't think of a use case where we'd need different certs for different departments.
So, I'm thinking I take the existing cert I am using on the edge firewall and manipulate that with something like OpenSSL so I can get the private key and the like, or do I even need to do that? Can I just download this cert from the edge and upload it to the others and have it work? I think the answer to that is no, because without generating a new CSR the other firewalls will not allow this cert to be imported, right? I guess that's what we're missing here: how do I take this existing certificate (the one doing SSL inspection) and apply it to other devices?
Thanks again
Download it and upload it to the FortiGate. Make a PKCS#12 and import the file into the FortiGate, and apply that in your SSL inspection.
Since the existing clients (hopefully) have the CA trust root installed or deployed, nothing has to change on the client side.
Ken Felix
PCNSE
NSE
StrongSwan
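The answer above is the whole procedure: the other firewalls will not accept a bare certificate without a matching key, so the existing subordinate CA's private key has to travel with the cert, and a PKCS#12 bundle is how you carry both in one password-protected file. The script below is an added example written for this thread, not something posted by the participants or shipped by Fortinet. Because it has to run offline, it stands up a throwaway self-signed "subordinate CA" as a constructed stand-in for the AD CS-issued one (names, paths and the export password are assumptions); against the real cert you would skip make_demo_subca and point the other functions at the PEM key and cert exported from the edge FortiGate. It also runs the two checks worth doing before copying the bundle to 50 devices: that the cert really carries the CA:TRUE basic constraint (a leaf cert will import fine and then fail to sign inspection certs) and that the private key actually matches the cert.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original post.
# Requires OpenSSL 1.1.1 or newer (uses req -addext).
set -eu

# Scratch directory for the demo files (assumption: writable temp dir).
WORK="${WORK:-$(mktemp -d)}"

# make_demo_subca: constructed stand-in for the AD CS-issued inspection CA.
# Self-signed here only so the script runs offline; the real one is signed
# by the internal AD CS root and would be exported from the edge FortiGate.
make_demo_subca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/subca.key" -out "$WORK/subca.crt" \
    -subj "/CN=Demo SSL Inspection Sub CA" \
    -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
}

# check_is_ca CERT: succeed only if the cert is a CA (basicConstraints CA:TRUE).
# SSL inspection needs a CA cert; a server/leaf cert imports but cannot sign.
check_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}

# key_matches_cert KEY CERT: compare the public key derived from the private
# key with the public key inside the cert (DER, hashed) so a mismatched pair
# is caught before it is bundled and shipped to every firewall.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

# bundle_pkcs12 PASSWORD: cert + private key in one PKCS#12 file.
# The export password is what protects the CA key while the file is moved
# around; the same password is entered on the FortiGate at import time.
bundle_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/subca.key" -in "$WORK/subca.crt" \
    -name "ssl-inspection-ca" -passout "pass:$1" -out "$WORK/subca.p12"
}

# verify_bundle PASSWORD: re-open the bundle with the password and confirm
# both the certificate and the private key round-trip. Fails on a wrong
# password, which is the check to run before emailing the file anywhere.
verify_bundle() {
  rm -f "$WORK/roundtrip.pem"
  openssl pkcs12 -in "$WORK/subca.p12" -passin "pass:$1" -nodes \
      -out "$WORK/roundtrip.pem" 2>/dev/null \
    && openssl x509 -in "$WORK/roundtrip.pem" -noout 2>/dev/null \
    && openssl pkey -in "$WORK/roundtrip.pem" -noout 2>/dev/null
}

# Stand-alone run: build the demo CA, check it, bundle it, verify the bundle.
make_demo_subca
check_is_ca "$WORK/subca.crt"
key_matches_cert "$WORK/subca.key" "$WORK/subca.crt"
bundle_pkcs12 "ExportPassw0rd"
verify_bundle "ExportPassw0rd"
echo "PKCS#12 bundle ready for import: $WORK/subca.p12"
```

The resulting .p12 is imported on each FortiGate as a local certificate of PKCS#12 type (under System > Certificates), after which it can be selected in the SSL/SSH inspection profile exactly as on the edge device. Two practical notes: OpenSSL 3.x writes PKCS#12 with AES-256 and PBKDF2 by default, and if an older FortiOS build rejects the file, re-exporting with `openssl pkcs12 -export -legacy ...` (or `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`) produces the older encoding it expects; and once the same key lives on 50 firewalls, compromise of any one of them exposes every inspected session in the estate, so keep the export file off shared drives, delete it after import, and have the AD CS revocation and re-issue steps ready rather than working them out during an incident.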
