Setting up certificate services to sign the Fortigate SSL proxy cert.

To avoid the invalid certificate message in your browser when using HTTPS deep scanning on the Fortigate, you can have the SSL proxy certificate signed by the certificate authority on your domain controller, which domain member PCs trust by default.

The following article covers setting up certificate services on your domain controller.

Go to Start –> Administrative Tools –> Server Manager –> Add Roles

Here we will be choosing “Active Directory Certificate Services”:


The roles we want for AD certificate services are Certification Authority and Certification Authority Web Enrollment:


Make sure you have the admin permissions to install the Enterprise CA:

Once AD Certificate Services is installed with Web Enrollment, you should be able to access the CA website on your server at http:///certsrv

Make sure that the “Subordinate Certification Authority” template is available, as it will be needed to generate the certificate required for SSL deep scanning on the Fortigate.
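The same steps can be scripted. The following PowerShell is an added example, not part of the original article: it assumes Windows Server 2012 or later (where the AD CS deployment cmdlets exist), an elevated session with Enterprise Admin rights, and a new Enterprise root CA, which the article does not specify.

```powershell
# Added example, not from the original article.
# Assumptions: Windows Server 2012+, elevated session, Enterprise Admin rights.

# Stop early if the session is not elevated; the role install would fail later.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Role services chosen in the article: Certification Authority and
# Certification Authority Web Enrollment.
$features = 'ADCS-Cert-Authority', 'ADCS-Web-Enrollment'
$install  = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $install.Success) {
    throw 'Installing the AD CS role services failed.'
}

# Assumption: this server becomes a new Enterprise *root* CA.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -Force
Install-AdcsWebEnrollment -Force

# The CA service must be running before its template list can be queried.
if ((Get-Service -Name CertSvc).Status -ne 'Running') {
    Start-Service -Name CertSvc
}

# List the templates this CA is configured to issue. "SubCA" is the internal
# name of the "Subordinate Certification Authority" template.
$published = certutil -CATemplates
$subCa     = $published | Where-Object { $_ -match '^SubCA:' }

if ($subCa) {
    Write-Output "Subordinate CA template is published: $subCa"
} else {
    Write-Warning 'The SubCA template is not published on this CA.'
    Write-Warning 'Add it in certsrv.msc under Certificate Templates > New > Certificate Template to Issue.'
}
```

A certificate issued from this template is a CA certificate, so whoever holds its private key can sign certificates for any host name that domain members will then trust. Keep enrollment rights on the template restricted to administrators.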
