Preventing certificate warnings


In this recipe, you will prevent users from receiving a security certificate warning when your FortiGate applies full SSL inspection to incoming traffic.

When full SSL inspection is used, the FortiGate intercepts the TLS session that a user's browser opens to a website. It impersonates the website to the browser, presenting a certificate for that site which it generates on the fly and signs with its own CA certificate, and it opens a separate TLS session of its own to the real site. Traffic is decrypted on the FortiGate, inspected, re-encrypted and relayed in both directions. This is the same technique used in "man-in-the-middle" attacks: the browser receives a certificate that was not issued by any CA it trusts, so it shows a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when users receive a security certificate warning, they simply select Continue without understanding why the error is occurring. A user who has learned to click through the firewall's warning will click through the warning caused by a real attack just as readily. To avoid encouraging this habit, prevent the warning from appearing in the first place.

There are two methods for doing this, depending on whether you use the FortiGate's built-in CA certificate or a CA certificate you create yourself (in this recipe, a self-signed one generated with OpenSSL). In both cases the CA certificate must end up in the trust store of every browser whose traffic passes through the inspection policy.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

Using the default certificate

All FortiGates have a default CA certificate that is used for full SSL inspection; it is the CA Certificate selected in the default deep-inspection profile. To prevent your users from seeing certificate warnings, install this certificate in the trusted root store of your users' devices. Keep in mind what that trust means: a browser that trusts the CA will accept any certificate signed with its private key, so protect the FortiGate's CA key as you would any CA key, and install the certificate only on devices whose traffic you intend to inspect.

If your users' devices are centrally managed (for example, Windows devices joined to an Active Directory domain, where a root CA certificate can be distributed with Group Policy), you can have the certificate installed automatically instead of installing it by hand on each device.


1. Generating a unique certificate

Run the following CLI command to regenerate the default CA certificate and key so that they are unique to your FortiGate rather than a factory default. This matters because anyone who holds the CA's private key can issue certificates that your users' browsers will accept without warning. Run it before you distribute the certificate; regenerating the CA later means distributing the new certificate again.

exec vpn certificate local generate default-ssl-ca

2. Downloading the certificate used for full SSL inspection

Go to Security Profiles > SSL/SSH Inspection. Use the dropdown menu in the top right corner to select deep-inspection, the profile used to apply full SSL inspection.

 

The default FortiGate certificate is listed as the CA Certificate. Select Download Certificate.

 

3. Installing the certificate on the user’s browser

Internet Explorer, Chrome, and Safari (on Windows or Mac OS):

The above browsers use the operating system’s certificate store for Internet browsing. If your users will be using these applications, you must install the certificate into the certificate store for your OS.

If you are using Windows 7/8/10, double-click on the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certification Authorities store: choose Place all certificates in the following store and browse to that store rather than letting Windows select one automatically. If a security warning appears, select Yes to install the certificate.

 

If you are using Mac OS X, double-click on the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

 

If your users' devices are centrally managed, the certificate can be pushed to them as described above. Firefox is the exception: it does not use the operating system's certificate store, so the certificate must be installed in Firefox on each individual device, using the instructions below.

Firefox (on Windows or Mac OS)

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store, rather than in the OS store.

Go to Tools > Options > Advanced or Firefox > Preferences > Advanced and find the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

 

4. Results

Before installing the certificate, an error message would appear in the browser when a site that used HTTPS was accessed (the example shows an error message appearing in Firefox).

After you install the certificate, you should not experience a certificate security issue when you browse to sites on which the FortiGate unit performs SSL content inspection.

If you view information about the connection, you will see that it is verified by Fortinet.

 

Using a self-signed certificate

In this method, a self-signed CA certificate is created with OpenSSL and then imported onto the FortiGate for use with SSL inspection. Use this method when you want the inspection CA under your own control, for example so that it carries your organization's name and users see that name when they inspect a certificate in their browser.

In this recipe, OpenSSL for Windows version 0.9.8h-1 is used; the same commands work with current OpenSSL releases.

1. Creating a certificate with OpenSSL

If necessary, download and install OpenSSL. Make sure that the file openssl.cnf is located in the BIN folder for OpenSSL, or pass its full path to the -config option below.

Using Command Prompt (CMD), navigate to the BIN folder (in the example, the command is cd c:\OpenSSL\openssl-0.9.8h-1-1bin\bin).

Generate an RSA key with the following command:

openssl genrsa -aes256 -out fgcaprivkey.pem 2048

This creates a 2048-bit RSA private key and stores it encrypted with AES-256. (The genrsa command does not take a -config option; that option belongs to the req command in the next step.)

When prompted, enter a pass phrase for encrypting the private key.

Use the following command to create a new certificate request and self-sign it as a CA certificate:

openssl req -new -x509 -days 3650 -extensions v3_ca -key fgcaprivkey.pem -out fgcacert.pem -config openssl.cnf

The result is a PEM-encoded X.509 certificate that is valid for 3,650 days (approximately 10 years). The -extensions v3_ca option applies the v3_ca section of openssl.cnf, which sets the basicConstraints extension to CA:TRUE; without it, browsers will not accept certificates that the FortiGate signs with this certificate, even after it has been installed as trusted.

When prompted, enter the pass phrase to unlock the private key, then enter the details required for the certificate request, such as location and organization name. The organization and common name you enter here are what users will see when they inspect the certificate in their browser.

Two new files have been created: a public CA certificate (fgcacert.pem) and its private key (fgcaprivkey.pem). Keep the private key and its pass phrase secure; they are uploaded to the FortiGate in step 3 and should not be left lying on the workstation afterwards.
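The whole mechanism described in this recipe, carried through as a runnable example (added here; it is not part of the Fortinet recipe and not Fortinet's own tooling): it generates an inspection CA the way step 1 does, then plays the FortiGate's part by minting a certificate for www.example.com signed by that CA, and finally checks that certificate the way a browser does, first with no CA installed (the warning case), then with the CA trusted, and then with the CA trusted but the wrong host name. It assumes a POSIX shell and OpenSSL 1.1.0 or later (for -no-CAfile and -verify_hostname); the file names, the pass phrase, the Example Inspection CA name and www.example.com are arbitrary choices. It does not touch any browser or OS trust store.

```shell
#!/bin/sh
# Added example, not from the Fortinet recipe. Builds an inspection CA with
# OpenSSL (as in step 1 above), mints a site certificate signed by it (what
# the firewall does per inspected site), and verifies that certificate the
# way a browser would. Names, paths and pass phrase are arbitrary.
# Requires OpenSSL 1.1.0 or later.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_PASS='example-pass-phrase'   # placeholder; the recipe prompts for this
SITE='www.example.com'          # constructed site name for the example

# Minimal config so the example does not depend on the system openssl.cnf.
# v3_ca is the section the recipe's "-extensions v3_ca" refers to; CA:TRUE
# is what lets browsers accept certificates issued by this CA.
cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Inspection CA
O = Example Corp
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SITE
EOF

# Recipe step 1, unattended: 2048-bit RSA key encrypted with AES-256, then
# a self-signed CA certificate valid for ten years.
make_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" \
    -out "$WORK/fgcaprivkey.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -extensions v3_ca \
    -key "$WORK/fgcaprivkey.pem" -passin "pass:$CA_PASS" \
    -out "$WORK/fgcacert.pem" -config "$WORK/openssl.cnf"
}

# What the firewall does for each inspected site: a fresh key and a
# certificate for the site's name, signed by the inspection CA instead of
# by a public CA.
mint_site_cert() {
  openssl genrsa -out "$WORK/site.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/site.key" -subj "/CN=$SITE" \
    -out "$WORK/site.csr" -config "$WORK/openssl.cnf"
  openssl x509 -req -in "$WORK/site.csr" -days 365 \
    -CA "$WORK/fgcacert.pem" -CAkey "$WORK/fgcaprivkey.pem" \
    -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
    -out "$WORK/site.pem" 2>/dev/null
}

# Check that the CA certificate really carries the CA:TRUE constraint.
ca_is_ca() {
  openssl x509 -in "$WORK/fgcacert.pem" -noout -text | grep -q 'CA:TRUE'
}

# SHA-256 fingerprint of the CA: compare it with what the browser shows
# after installation to confirm the right certificate was installed.
ca_fingerprint() {
  openssl x509 -in "$WORK/fgcacert.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# Browser-style check of the site certificate. $1 is the CA file to trust
# ("" = no CA installed yet), $2 the host name typed in the address bar.
# Prints OK or FAIL.
check_site_cert() {
  if [ -n "$1" ]; then
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" \
         -verify_hostname "$2" "$WORK/site.pem" >/dev/null 2>&1; then
      echo OK; return 0
    fi
  elif openssl verify -no-CAfile -no-CApath \
         -verify_hostname "$2" "$WORK/site.pem" >/dev/null 2>&1; then
    echo OK; return 0
  fi
  echo FAIL
}

make_ca
mint_site_cert
echo "CA fingerprint:      $(ca_fingerprint)"
echo "untrusted CA:        $(check_site_cert '' "$SITE")"
echo "trusted CA:          $(check_site_cert "$WORK/fgcacert.pem" "$SITE")"
echo "trusted, wrong host: $(check_site_cert "$WORK/fgcacert.pem" mail.example.com)"
```

The first check fails exactly as a browser without the CA would, the second succeeds once the CA file is the trust anchor, and the third shows that trusting the CA does not switch off host-name checking: a certificate the firewall minted for www.example.com is still rejected for mail.example.com. Running ca_is_ca against the certificate you download from the FortiGate (step 2 above) is a useful sanity check before distributing it.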

2. Enabling certificate configuration in the web-based manager

Go to System > Feature Select. Under Additional Features, enable Certificates and Apply the changes.
 

3. Importing the self-signed certificate

Go to System > Certificates and select Import > Local Certificate.

Set Type to Certificate, then select your Certificate file and Key file. Enter the Password used to create the certificate.


 

The certificate now appears on the Local CA Certificates list.

 

4. Editing the SSL inspection profile

To use your certificate in an SSL inspection profile go to Security Profiles > SSL/SSH Inspection. Use the dropdown menu in the top right corner to select deep-inspection, the profile used to apply full SSL inspection.

 

Set CA Certificate to use the new certificate. From now on the FortiGate signs the certificates it generates for inspected sites with this CA's private key, so restrict administrative access to the unit as you would to any CA.

Select Download Certificate, to download the certificate file needed in the next step.

 

5. Importing the certificate into the web browser

Internet Explorer, Chrome, and Safari (on Windows or Mac OS):

The above browsers use the operating system’s certificate store for Internet browsing. If your users will be using these applications, you must install the certificate into the certificate store for your OS.

If you are using Windows 7/8/10, double-click on the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certification Authorities store: choose Place all certificates in the following store and browse to that store rather than letting Windows select one automatically. If a security warning appears, select Yes to install the certificate.

If you are using Mac OS X, double-click on the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

 

If your users' devices are centrally managed, the certificate can be pushed to them as described above. Firefox is the exception: it does not use the operating system's certificate store, so the certificate must be installed in Firefox on each individual device, using the instructions below.

Firefox (on Windows or Mac OS)

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store, rather than in the OS store.

Go to Tools > Options > Advanced or Firefox > Preferences > Advanced and find the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

 

6. Results

Before installing the certificate, an error message would appear in the browser when a site that used HTTPS was accessed (the example shows an error message appearing in Firefox).

After you install the certificate, you should not experience certificate errors when you browse to sites on which the FortiGate unit performs SSL content inspection.

If you view information about the certificate in the browser, you will see that your self-signed certificate is used.

 

 

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • Ranjit

    Hi,
    In my company i have enabled user authentication (not local, through AD). My company wants rule as when employees come in the office in the morning… they should get authenticated by placing firewall ip in the browser, For e.g https:// 192.168.1.1:4125
    Then employees will put their AD credentials and will get authenticated and then only they should be able to browse websites. I have configured it succesfully but many times fortinet üsername and password”page is not opening…showing certificate warning.
    Can anyone please let me know solution on this…We want whenever user puts URL in the browser as
    https:// Firewall_IP:4125….fortinet page should open without certificate error.

    Thanks
    Ranjit

  • Rabzy

    Hello everyone, I created a CSR on the FortiGate and it shows pending as expected. But when I download and open the file, it is blank. Please, what might be the issue?

  • Zaid O. Jilani

    What about Outlook, or any other email clients connected using SMTPS, POP3S, IMAPS...? Every documentation only talks about HTTPS and web browsing. I am planning to activate SSL deep inspection but do not want to run into problems with the emails!

    • Kerrie Newton

      Hello Zaid,

      Generally you would have a policy for webmail traffic which you do not need to enable SSL inspection on. This would still allow you to perform SSL inspection on the policy that allows HTTPS traffic without affecting your mail traffic.

      Regards,
      Kerrie

      • Zaid O. Jilani

        Hello Kerrie,

        Thanks for your answer.
        So if I understood right, I need to create 2 policies, one that performs SSL inspection on HTTPS traffic, and another one for "webmail" traffic without SSL inspection....
        What I am trying to achieve mainly is to stop viruses carried as email attachments; the end users of our network are using Outlook and Thunderbird, some use POP3 SSL/TLS, others IMAPS, and the mail servers are not hosted locally but in the cloud!!
        After I achieve that I need to start the inspection of HTTPS traffic.
        Can you kindly give me more details of what I should enable on each policy, keeping in mind that the unit is operating in transparent mode and not in NAT?

    • zuber

      Seems like Fortinet did not consider that emails also need to be scanned.