FortiAuthenticator Certificate with SSL Inspection


For this recipe, you will create a certificate on the FortiGate, have it signed on the FortiAuthenticator, and configure the FortiGate so that the certificate can be used for SSL deep inspection of HTTPS traffic.

Note that, for this configuration to work correctly, the FortiAuthenticator must be configured as a certificate authority (CA), otherwise the certificate created in this recipe will not be trusted. For more information on how to do this, see FortiAuthenticator as a Certificate Authority.

This scenario includes creating a certificate signing request (CSR), signing the certificate on the FortiAuthenticator, and downloading the signed certificate back to the FortiGate. You will then create an SSL/SSH Inspection profile for full SSL inspection, add the certificate created to the profile, and apply the profile to the policy allowing Internet access.

As an example, you will also have Application Control with Deep Inspection of Cloud Applications enabled. This will apply inspection to HTTPS traffic. Note that you may use another security profile instead of Application Control.

1. Creating a CSR on the FortiGate

On the FortiGate, go to System > Certificates and select Generate to create a new CSR.

Enter a Certificate Name (Ramtops), the public IP of the FortiGate (172.20.121.92), and a valid email address.

Make sure to set Key Type to RSA and Key Size to 2048 Bit. This ensures the certificate's key is strong enough for secure use.

Once created, the certificate Ramtops will show a Status of Pending. Highlight Ramtops and select Download.

This will save a .csr file to your local drive.

2. Creating an Intermediate CA on the FortiAuthenticator

On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.

Set Type to CSR to sign, enter a Certificate ID, and import the Ramtops.csr file. Make sure to select the Certificate authority from the dropdown menu and set the Hash algorithm to SHA-256.

Once imported, you should see that Ramtops has been signed by the FortiAuthenticator, showing a Status of Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export.

This will save a .crt file to your local drive.

3. Importing the signed certificate on the FortiGate

Back on the FortiGate, go to System > Certificates and select Local Certificate from the Import dropdown menu.

Browse to the Ramtops.crt file and select OK.


You should now see that Ramtops has a Status of OK.

4. Configuring Application Control

Go to Security Profiles > Application Control and edit the default profile.

Under Options, enable Deep Inspection of Cloud Applications.

5. Configuring full SSL inspection

Go to Policy & Objects > Policy > SSL/SSH Inspection and create a new profile.

Enter a Name, select Ramtops from the CA Certificate dropdown menu, and make sure Inspection Method is set to Full SSL Inspection.

Next go to Policy & Objects > Policy > IPv4 and edit the policy that allows Internet access.

Under Security Profiles, enable SSL/SSH Inspection and select the ramtops profile created earlier.

Enable Application Control and set it to default.

6. Results

To test the certificate, open your web browser and attempt to navigate to an HTTPS website (in the example, https://www.dropbox.com).

If you click on the lock icon next to the address bar, you should now see that the site's certificate was issued by the FortiGate (172.20.121.92): the FortiGate has verified the site's real certificate and re-signed it with Ramtops. Because the browser trusts the FortiAuthenticator CA (see the note at the start of this recipe), no certificate errors appear.
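To confirm the result from a script rather than by clicking the lock icon, the following Python 3 example, added here and not part of the original recipe or of any Fortinet tool, fetches the certificate a server presents and reports whether its issuer is the inspection certificate (subject 172.20.121.92 in this recipe) and whether the name on the certificate matches the host. The sample certificate dicts are constructed to mirror what `ssl.getpeercert()` returns; the CA file path, the function names and the command-line form are assumptions for the example.

```python
import socket
import ssl
import sys
from typing import Optional


def fetch_peer_cert(host: str, port: int = 443, cafile: Optional[str] = None) -> dict:
    """Open a TLS connection and return the presented leaf certificate in the
    dict form produced by ssl.SSLSocket.getpeercert().

    cafile is assumed to be the PEM export of the FortiAuthenticator CA that
    signed the inspection certificate; without it the system trust store is
    used and the handshake fails while traffic is being re-signed."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def rdn_value(name, attr: str):
    """getpeercert() encodes subject/issuer as a tuple of RDNs, each a tuple
    of (attribute, value) pairs; return the first value for attr."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def hostname_matches(host: str, names) -> bool:
    """Minimal RFC 6125-style match: exact name, or one leftmost wildcard label."""
    host = host.lower()
    for name in names:
        if not name:
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def inspection_status(cert: dict, host: str, inspection_issuer_cn: str) -> dict:
    """Report who issued the presented certificate and whether it names host.
    inspected is True when the issuer CN equals the inspection certificate's CN."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    subject_cn = rdn_value(cert.get("subject", ()), "commonName")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issuer_cn": issuer_cn,
        "inspected": issuer_cn == inspection_issuer_cn,
        "hostname_ok": hostname_matches(host, [subject_cn] + sans),
    }


# Constructed samples (not captured from a real device): one certificate as
# re-signed by the FortiGate, one as issued by a public CA with no inspection.
INSPECTED_CERT = {
    "subject": ((("commonName", "www.dropbox.com"),),),
    "issuer": ((("countryName", "CA"),), (("commonName", "172.20.121.92"),)),
    "subjectAltName": (("DNS", "www.dropbox.com"), ("DNS", "*.dropbox.com")),
}
DIRECT_CERT = {
    "subject": ((("commonName", "*.dropbox.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "*.dropbox.com"),),
}


def main(argv):
    # usage: script.py HOST INSPECTION_CN [CA_FILE]  (all values are assumptions)
    if len(argv) < 3:
        for label, cert in (("inspected sample", INSPECTED_CERT), ("direct sample", DIRECT_CERT)):
            print(label, inspection_status(cert, "www.dropbox.com", "172.20.121.92"))
        return
    host, cn = argv[1], argv[2]
    cafile = argv[3] if len(argv) > 3 else None
    print(inspection_status(fetch_peer_cert(host, cafile=cafile), host, cn))


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments to see the two constructed samples evaluated; pass a host, the inspection certificate's CN and the exported CA file to check a live connection through the FortiGate. An unexpected `issuer_cn` on a client that should be behind inspection, or the inspection CN appearing on a client that should not be, is the condition worth alerting on.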

Adam Bristow

Technical Writer at Fortinet
Adam Bristow is a Technical Writer working for the FortiOS technical documentation team. He has an Honours Bachelor of Arts in English and Minor in Film Studies and a graduate certificate in Technical Writing from Algonquin College. Stay tuned for more FortiOS Cookbook videos!