Preventing certificate warnings (CA-signed certificate)

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this recipe, you will prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you are using a CA-signed certificate, your FortiGate’s default certificate, or a self-signed certificate. This recipe explains how you can prevent certificate warnings when you are using a CA-signed certificate.

When full SSL inspection is used, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can  prevent the warning from appearing in the first place.

Find this recipe for other FortiOS versions
5.2 | 5.6

Using a CA-signed certificate

In this method, you obtain a CA-signed certificate and install this certificate on your FortiGate for use with SSL inspection. You can use either FortiAuthenticator as a CA or a trusted private CA.

If you use FortiAuthenticator as a CA, you generate a certificate signing request (CSR) on your FortiGate, have it signed on the FortiAuthenticator, import the certificate into your FortiGate, and configure your FortiGate so the certificate can be used for SSL deep inspection of HTTPS traffic.

If you use a trusted private CA, you generate a CSR on your FortiGate, apply for an SSL certificate from a trusted private CA, import the certificate into your FortiGate, and configure your FortiGate so the certificate can be used for SSL deep inspection of HTTPS traffic. 

If your FortiAuthenticator is not configured as a CA, see FortiAuthenticator as a Certificate Authority for more information.

1. Generating a CSR on a FortiGate

On your FortiGate, go to System > Certificates and select Generate to create a new CSR.

Enter a Certificate Name, the external IP of your FortiGate, and a valid email address.

Make sure to set Key Type to RSA and Key Size to 2048 Bit. This will ensure the certificate is securely encrypted.

 

Once generated, the certificate will show a Status of Pending. Highlight the certificate and select Download.

This will save a .csr file to your local drive.

 

 

2. Getting the certificate signed by a CA

Trusted private CA:

If you want to use a trusted private CA to sign the certificate, use the CSR to apply for an SSL certificate with a trusted private CA.

FortiAuthenticator:

If you want to use a FortiAuthenticator as a CA to sign the certificate, on the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.

Set Type to CSR to sign, enter a Certificate ID, and import the Example-cert.csr file. Make sure to select the Certificate authority from the drop-down menu and set the Hash algorithm to SHA-256.

Once imported, you should see that Example-cert has been signed by the FortiAuthenticator, showing a Status of Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export.

This will save a .crt file to your local drive.

 

 

 

 

3. Importing the signed certificate to your FortiGate

On your FortiGate, go to System > Certificates and select Local Certificate from the Import drop-down menu.  
Browse to the certificate file and select OK.
You should now see that the certificate has a Status of OK.

4. Editing the SSL inspection profile

To use your certificate in an SSL inspection profile go to Security Profiles > SSL/SSH Inspection. Use the dropdown menu in the top right corner to select deep-inspection, which is the profile used to perform full SSL inspection.

In FortiOS 5.6, the deep-inspection profile is read-only. In order to use your certificate for SSL inspection, you must create a new deep-inspection profile.

Set CA Certificate to use the new certificate.

5. Importing the certificate into web browsers

Once you have your certificate signed by FortiAuthenticator, you need to import the certificate into users’ browsers. 

The method you use for importing the certificate varies depending on the type of browser. 

Internet Explorer, Chrome, and Safari (on Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.

If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certificate Authorities store. If a security warning appears, select Yes to install the certificate.

If you are using macOS, double-click the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

Firefox (on Windows and macOS)

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store, rather than in the OS.

If users are using Firefox, instead of being pushed to all of their devices, the certificate must be installed on each device.

In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

6. Results

 

Before you installed the certificate, an error message would appear in the browser when users accessed a site that used HTTPS (the example shows an error message appearing in Firefox).

After you install the certificate, users should not experience a certificate security issue when they browse to sites on which the FortiGate unit performs SSL content inspection.

 
 

Users can view information about the connection and the certificate that is used.

If users view information about the connection, they will see that it is verified by Fortinet.

 
 If users view the certificate in the browser, they will see which certificate is used and information about that certificate.  

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.

Karyn Jacobs

Technical Writer at Fortinet
Karyn Jacobs is a technical writer on the FortiOS Technical Documentation team. She has a B.A.H. in English and a B.Ed. from Queen’s University, and has worked as a technical writer for the past 20 years at various high tech companies.
  • Was this helpful?
  • Yes   No
If you have the right environment, such as the Windows Group Policy Management Console, you can push the certificate to users’ browsers using the Windows Group Policy Editor. In this case, you do not have to import the certificate into users’ browsers.