Anne
New Contributor III

security certificate issue with SSL VPN

Hi there,

I just finished setting up SSL VPN for remote users on the FortiGate 310. It is working fine. The only problem I see is that when I open the browser and enter the URL to access the portal, I get the following message:

There is a problem with this website's security certificate. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

When I ignore all the warnings, I am able to access everything. I am using the "Fortinet_CA_SSL_Proxy" certificate at the moment.

Thanks
Anne
emnoc
Esteemed Contributor III

You're right, but you have a fix for this & you will need to do some work. The root CA needs to be added to the client browser. By default all the common CA roots are installed into most browsers. Read the following link: http://kb.fortinet.com/kb/viewContent.do?externalId=FD32404

PCNSE NSE StrongSwan
DanW
New Contributor

Is there any way to import a GoDaddy certificate onto the FortiGate? Installing the FortiGate CA onto every browser in my organization is a little tedious.
DanW
New Contributor

Never mind, I think I found it. You have to enable certificate management in the admin settings.
rwpatterson
Valued Contributor III

We have an organizational wildcard cert. It installed onto the FGT without a problem.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Anne
New Contributor III

Hi there,

@emnoc: I have already followed the instructions carefully as listed in the URL below http://kb.fortinet.com/kb/viewContent.do?externalId=FD32404 and it still does not work.

One of our previous administrators had installed the PositiveSSL_CA certificate on the firewall. I can see it listed under System --> Certificates --> CA Certificates. Where I am having trouble using it is this: when I click on the VDOM for this customer, click on VPN --> Config and define the SSL-VPN settings, I do not see the PositiveSSL certificate under the Server Certificate drop-down. It only gives me the option to choose the certificates listed under "Local Certificates" under Global Settings.

What am I doing wrong?? The SSL VPN is working fine though, except for the security certificate warning.

Thanks All
Maik
New Contributor II

Forget the CA cert. This is used for something else. Import your existing GoDaddy cert under "Local Certificates" with the "import" function. Depending on the certificate format, you have to choose the "Type".

In case you cannot import it here, tell us the file type here. What file extension does your GoDaddy cert have (pfx? crt? etc.)? As an alternative, you can open the cert file in Notepad and post the first line here.
Anne
New Contributor III

Thanks Maik. I have sort of understood the real problem. We are using a VDOM environment and we have got multiple customers. Each customer is assigned a VDOM. Each customer wants to set up an SSL VPN for remote mobile clients. My understanding of how to achieve this is to:

1) Get a wildcard certificate from each customer which uniquely identifies them.
2) In the Global properties, import each of these certificates under Local Certificates.
3) When creating the SSL VPN, go to the VDOM for a customer and use this imported certificate under SSL --> Config --> Server Certificate.

Is this right??

Thanks
Anne
Maik
New Contributor II

Yes.

Detail about 1): a wildcard cert is *.domain.tld. This is valid for everything under domain.tld (vpn.domain.tld, xyz.domain.tld etc. (but not abc.xyz.domain.tld, but that's another story)).

Maybe a certificate with only one FQDN is sufficient (vpn.domain.tld) -> this is usually less expensive for your customer. :)
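
The wildcard scope described in the reply above, as an added example that is not part of the original thread: a minimal sketch of the RFC 6125-style name check a browser applies to a server certificate, which is the check behind the "issued for a different website's address" warning in the first post. All host names and the address 203.0.113.10 are constructed, and the function names are hypothetical.

```python
# Added illustration: host name matching as applied to the DNS names in a
# server certificate. All names below are constructed sample values.

def name_matches(pattern, hostname):
    """Return True if one certificate name (possibly a wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so the label counts must be equal.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (reject "*.tld").
        if len(p_labels) < 3:
            return False
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    # A "*" anywhere other than as the whole leftmost label never matches here.
    if any("*" in label for label in p_labels):
        return False
    return p_labels == h_labels


def cert_covers(cert_names, hostname):
    """True if any name in the certificate covers the host name in the URL."""
    return any(name_matches(n, hostname) for n in cert_names)


def audit(cert_names, hostnames):
    """Map each portal host name to whether the certificate would be accepted."""
    return {h: cert_covers(cert_names, h) for h in hostnames}


if __name__ == "__main__":
    portals = ["vpn.domain.tld", "xyz.domain.tld", "abc.xyz.domain.tld",
               "domain.tld", "203.0.113.10"]
    for label, names in [("wildcard", ["*.domain.tld"]),
                         ("single FQDN", ["vpn.domain.tld"])]:
        print(label, audit(names, portals))
```

The same check fails when the portal is opened by IP address or by a name the certificate does not list, even if the certificate chains to a trusted CA.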
Anne
New Contributor III

Thanks for this. But it sort of confused me :( (about certs) Any document you would suggest me to read??