Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
damianhlozano
Contributor

Created on ‎08-25-2022 01:38 PM

Use a web server certificate for deep inspection

Hello team!!!

 

Just a basic question

We have a third party certificate issued from a trusteed certificate authority, for our web server.

Is it possible to use the same certificate for doing deep inspection in outgoing fortigate policies?  Is there any requirement for this certificate to work?

What are the steps to import this certificate into a Fortigate in 7.2.1 ?

 

Thanks in advance.

Regards,

Damián

 

Damián Lozano
Damián Lozano
Labels:
1518
0 Kudos
1 Solution
abelio
SuperUser
SuperUser

Created on ‎08-25-2022 02:08 PM

damianhlozano wrote:

Is it possible to use the same certificate for doing deep inspection in outgoing fortigate policies?  Is there any requirement for this certificate to work?

Hi

Unfortunately not, you can't use it do that (no commercial isssued certificates can´t I guess)

For deep inspection your certificate must have attribute CA=TRUE or KeyUsage=KeyCertSign

That certificate allows your FGT to issue certificates (and private keys) on the flight.

 

regards




/ Abel

View solution in original post

regards / Abel
1512
0 Kudos
4 REPLIES 4
abelio
SuperUser
SuperUser

Created on ‎08-25-2022 02:08 PM

damianhlozano wrote:

Is it possible to use the same certificate for doing deep inspection in outgoing fortigate policies?  Is there any requirement for this certificate to work?

Hi

Unfortunately not, you can't use it do that (no commercial isssued certificates can´t I guess)

For deep inspection your certificate must have attribute CA=TRUE or KeyUsage=KeyCertSign

That certificate allows your FGT to issue certificates (and private keys) on the flight.

 

regards




/ Abel

regards / Abel
1513
0 Kudos
kcheng
Staff
Staff

Created on ‎08-25-2022 07:17 PM

Hi @damianhlozano 

 

Just like the fact mentioned by abelio, you can't use a web server certificate for deep inspection. The process of deep inspection includes decryption and re-encryption of the packet post content scanning. Hence, it is necessary to equip the certificate with a subCA attribute. You may refer to the documents below for the explanation and steps to generate the certificate if required:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/605938/why-you-should-use-ssl-inspection

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/680736/microsoft-ca-deep-packet-inspecti...

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
1501
0 Kudos
damianhlozano
Contributor
In response to kcheng

Created on ‎08-26-2022 05:16 AM

Thanks for the information guys!!!

 

Damián Lozano
Damián Lozano
1492
0 Kudos
sw2090
SuperUser
SuperUser

Created on ‎08-26-2022 06:35 AM

that's also the reason why no commercial certs can be used. There is seemingly no commerical CA out there that would issue you a sub-ca certificate :)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
1486
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.