Avoiding certificate errors when SSL inspection is applied to traffic is an in-demand topic. There are a number of methods that you can use to prevent these warnings: installing self-signed certificates on client devices, using a certificate signed by a trusted CA, or using the certificate-inspection profile for SSL inspection. However, for all of these methods, certificate errors can still occur when you’ve blocked access to a page using web filtering and the FortiGate attempts to display a replacement message for that site using HTTPS.
This error occurs because, by default, the FortiGate does not use the same certificate for SSL inspection and the encryption of the replacement messages. To avoid these errors, you should first determine which certificate your FortiGate uses for replacement messages using the CLI. The command differs depending on which version of FortiOS you are using:
FortiOS 5.2 and earlier:
config webfilter fortiguard
# get
cache-mode : ttl
cache-prefix-match : enable
cache-mem-percent : 2
ovrd-auth-port-http : 8008
ovrd-auth-port-https : 8010
ovrd-auth-port-warning : 8020
ovrd-auth-https : enable
warn-auth-https : enable
close-ports : disable
request-packet-size-limit : 0
ovrd-auth-hostname :
ovrd-auth-cert : Fortinet_Firmware
The certificate Fortinet_Firmware is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.
FortiOS 5.4:
config user setting
# get
auth-type : http https ftp telnet
auth-cert : Fortinet_Factory
auth-ca-cert :
auth-secure-http : disable
auth-http-basic : disable
auth-timeout : 5
auth-timeout-type : idle-timeout
auth-portal-timeout : 3
radius-ses-timeout-act : hard-timeout
auth-blackout-time : 0
auth-invalid-max : 5
auth-lockout-threshold : 3
auth-lockout-duration : 0
auth-ports :
The certificate Fortinet_Factory is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.
In FortiOS 5.6, the command to locate the certificate is the same as in 5.4; however, you cannot set auth-cert to the default certificate used for SSL inspection (Fortinet_SSL_CA). If you are using the default certificate, you should instead install the certificate Fortinet_CA into the trusted root store of all client devices, as this certificate was used to sign both Fortinet_Factory and Fortinet_SSL_CA.
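The CLI changes described above, as an added example that is not from the original article: the certificate name MyInspectionCA is a placeholder for whatever local certificate your SSL inspection profile uses, and the version comments repeat the behaviour stated in the text.

```text
# Added example, not from the original article. MyInspectionCA is a
# placeholder for the local certificate your SSL inspection profile uses.

# FortiOS 5.2 and earlier: the replacement-message certificate is set under
# webfilter fortiguard (default Fortinet_Firmware).
config webfilter fortiguard
    set ovrd-auth-cert MyInspectionCA
end

# FortiOS 5.4: the setting is under user setting (default Fortinet_Factory).
config user setting
    set auth-cert MyInspectionCA
end

# FortiOS 5.6: the same command applies for a certificate you supplied, but
# auth-cert cannot be set to the default Fortinet_SSL_CA. If you rely on that
# default, leave auth-cert alone and distribute Fortinet_CA to clients instead.

# Confirm the change: auth-cert should now name your inspection certificate.
config user setting
    get
end
```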
For more information about SSL inspection and certificate errors, see the following resources: