Fortigate HTTPS deep scanning and invalid certificates


The Fortigate can perform HTTPS deep scanning on traffic to enforce corporate policies. The default certificate the Fortigate uses for this (Fortinet_CA_SSLProxy) causes invalid-certificate errors in users’ browsers, because it was not signed by a CA that client browsers trust. To prevent those errors, the Fortinet_CA_SSLProxy certificate can be downloaded from the Fortigate and installed in users’ browsers. In a domain environment it may be more useful to generate a certificate request on the Fortigate and have it signed by a domain controller (the Certificate Authority role will need to be installed on the domain controller); that certificate will then be trusted by all PCs that are members of the domain. Internet Explorer and Chrome use the Windows store of trusted certificates, but Firefox only uses its own list of trusted CAs, so the certificate would still need to be imported into Firefox.

This document assumes that you have Active Directory Certificate Services with the Certificate Authority and Web Enrollment roles already installed. A quick tutorial on setting those up can be found here.

Let’s begin by generating a certificate request:

System –> Certificates –> Local Certificates –> Generate

When the certificate request is generated you’ll download it to your PC:

Once downloaded you can open it in a text editor such as WordPad; it should look something like this:

-----BEGIN CERTIFICATE REQUEST-----
[...]
,+yHhTnAERND1
QFCH6g+qF4dNU2QQuroqC6p1yjMWnyM8sOYcsWm+l2Wn7ZXZ74nlwwl+bfN7XfrL
DYimQXUPSNkTOnZGbfrh643b6tONYPMYcL2YAXL2hgMsAk5Cc7lz5xUbyndGJ1FH
XJ4IcIA6ycS/rtEi/9HqAq9NPt5wch1TE7lsK2H3V6+Mak3FjglLJ/wTX/2+z9mp
xutw
-----END CERTIFICATE REQUEST-----


You’ll need to copy the contents of the certificate request to the clipboard. Next open a browser and navigate to the Certificate Services Web Enrollment on your domain controller:

http://x.x.x.x/certsrv          (x.x.x.x is the IP address or host name of your DC with the CA installed)

Select “Request a Certificate”, then “submit an advanced certificate”; this is where you’ll paste the contents of the certificate request.

Make sure you select the “Subordinate Certificate Authority” template (the SSL proxy needs a CA certificate, not an ordinary web-server certificate, because it issues a certificate for each site it inspects). After submitting, the signed certificate is ready to download from your DC (certnew.cer) and import back into the Fortigate:

Verify that the certificate imported successfully and you can view it under Local Certificates:


In v4 the certificate used for the SSL proxy (deep scanning) must be changed via the CLI, where AD_CA is the name of the certificate you imported under Local Certificates:

config firewall ssl setting
set caname AD_CA
end

Starting in FortiOS v5 the certificate can be set in the GUI via UTM Proxy Options.

If you now browse to an SSL-encrypted website from a domain member computer, you should see that your browser no longer gives you certificate errors.
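The whole procedure can be rehearsed offline with openssl before the production Fortigate is touched. The script below is an added example, not part of the original post and not Fortinet or Microsoft tooling: it plays the domain CA with a constructed “Example Domain Root CA”, signs a stand-in for the Fortigate’s request once with subordinate-CA extensions (what the Subordinate Certification Authority template issues) and once with ordinary web-server extensions for contrast, has each result mint a per-site certificate the way the proxy does during deep scanning, and then runs the checks a client would: is the certificate that came back a CA, does the chain verify when the domain root is trusted, and what happens when it is not (the Firefox situation raised in the comments below). The subject names, www.example.com and the temporary working directory are all constructed.

```sh
#!/bin/sh
# Added example, not from the original post: rehearse the CSR -> subordinate CA
# signing -> verification workflow with openssl. Every name here (the root CA,
# the proxy CA, www.example.com, the temp directory) is a constructed stand-in.
set -e

WORKDIR="$(mktemp -d)"
cd "$WORKDIR"

# Extension profiles. subca.ext mirrors what the AD CS "Subordinate Certification
# Authority" template issues; webserver.ext mirrors an ordinary end-entity template,
# which is the wrong choice for an SSL proxy and is kept here only for contrast.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > subca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > webserver.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > site.ext

# Generate a key pair and a PEM certificate request, like the Fortigate's
# "Generate" button under Local Certificates.  $1 = file basename, $2 = CN
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Stand-in for the domain root CA that every domain-joined PC already trusts.
make_root_ca() {
  new_key_and_csr root "Example Domain Root CA"
  openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null
}

# Sign a pasted request with the root: the Web Enrollment step.
# $1 = CSR basename, $2 = extension file (the "template"), $3 = output basename
sign_with_root() {
  openssl x509 -req -in "$1.csr" -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -sha256 -extfile "$2" -out "$3.pem" 2>/dev/null
}

# Mint a per-site certificate the way the proxy does while inspecting a session.
# $1 = proxy cert basename (needs $1.pem and $1.key), $2 = output basename
mint_site_cert() {
  new_key_and_csr "$2" "www.example.com"
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 30 -sha256 -extfile site.ext -out "$2.pem" 2>/dev/null
}

# Check 1: the certificate that came back from the DC must itself be a CA.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Check 2: chain validation with the domain root trusted, i.e. what IE/Chrome on a
# domain member do.  $1 = certificate to check, $2 = optional untrusted intermediate
verify_with_root() {
  if [ -n "$2" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
  fi
}

# Check 3: the same chain with no trust anchors at all, i.e. a browser that keeps its
# own CA list (Firefox) and has never had the AD root imported.
verify_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted "$2" "$1" >/dev/null 2>&1
}

make_root_ca
new_key_and_csr proxy "Fortigate SSL Proxy CA"   # the request exported from the Fortigate
sign_with_root proxy subca.ext proxy             # Subordinate Certification Authority template
sign_with_root proxy webserver.ext proxy_wrong   # end-entity template, for contrast
cp proxy.key proxy_wrong.key                     # same key pair, different certificate
mint_site_cert proxy site
mint_site_cert proxy_wrong site_wrong

is_ca_cert proxy.pem        && echo "proxy.pem is a CA certificate (correct template)"
is_ca_cert proxy_wrong.pem  || echo "proxy_wrong.pem is not a CA certificate (wrong template)"
verify_with_root proxy.pem  && echo "proxy.pem chains to the domain root"
verify_with_root site.pem proxy.pem && echo "site cert issued by the proxy verifies with the root trusted"
verify_without_root site.pem proxy.pem || echo "same site cert fails without the root: the Firefox case"
verify_with_root site_wrong.pem proxy_wrong.pem || echo "site cert issued by a non-CA proxy cert fails"
```

Run it with sh; it needs an openssl that understands -no-CAfile (1.1.0 or later). The two failure modes it separates are the ones worth telling apart in the field: if a site certificate minted by the proxy fails even with the root trusted, the request was signed with the wrong template and the Fortigate holds an end-entity certificate rather than a CA; if it fails only when the root is absent, the certificate is fine and the client simply does not have the domain root in the trust store that browser consults.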

2 thoughts on “Fortigate HTTPS deep scanning and invalid certificates”

  1. I was provided your webpage by a Fortinet TAC Representative. I appreciate the information that you have out here. I have followed your steps to stop the invalid certificate error when running HTTPS Deep Scanning.

    I am still, however, having trouble with it. I am receiving an error now that states: “This Certificate cannot be verified up to a trusted certification authority.” The certificate is coming from my AD Server though.

    Do you have any thoughts on what I may have done wrong? Or do I need to get a wildcard cert from GoDaddy or someone of that nature?

    • Are you testing this with Firefox? Firefox doesn’t use the Windows Certificate store so the AD root certificate needs to be installed in Firefox… IE and Chrome do use the Windows certificate store so if the computer is a domain member then those browsers should automatically trust the certificate.
