Preventing certificate warnings


This example illustrates how to prevent your users from getting a security certificate warning when you have enabled full SSL inspection (also called deep inspection).

A bad habit that many users have is selecting Continue when they receive a warning. Instead of encouraging this practice, you can use the examples below to prevent certificate warnings from appearing, either by distributing the default FortiGate certificate or by using a self-signed certificate that you create yourself. In both cases the FortiGate re-signs the certificates of inspected sites with a CA certificate, and the warnings stop once your users' devices trust that CA.

For more information about SSL inspection, see Why you should use SSL inspection.


Using the default FortiGate certificate

All FortiGates have a default certificate that is used for SSL deep inspection. This certificate is also used in the default deep-inspection profile.

To prevent your users from seeing certificate warnings, distribute this CA certificate to your users' devices. Distribute only the certificate: its private key stays on the FortiGate, because anyone holding that key could transparently intercept the TLS traffic of every device that trusts the certificate.

1. Viewing the deep-inspection SSL profile

Go to Policy & Objects > SSL/SSH Inspection. In the upper-right drop-down menu, select deep-inspection.

The deep-inspection profile applies SSL inspection to the content of all encrypted traffic. By default, the web categories Health and Wellness, Personal Privacy, and Finance and Banking are excluded from SSL inspection. Applications that require unique certificates, such as iTunes and Dropbox, are also excluded.

2. Enabling certificate configuration in the web-based manager

Go to System > Config > Features. Click Show More, enable Certificates, and Apply the changes.

3. Downloading the Fortinet_CA_SSLProxy certificate

Go to System > Certificates > Local Certificates to download the Fortinet_CA_SSLProxy certificate.

Select the check box next to the certificate name and click Download to save the CA certificate file, then make that file available to your users.

4. Installing the certificate on the user’s browser

Internet Explorer:

Go to Tools > Internet Options. On the Content tab, select Certificates.

Open the Trusted Root Certification Authorities tab and import the certificate. A CA certificate imported into the Personal store will not stop the warnings, because the browser only consults the root store when validating a site's certificate chain.

Microsoft Edge on Windows 10:

Right-click the Windows icon and choose Control Panel. Select Internet Options and choose Content > Certificates > Import. Import the certificate file into the Trusted Root Certification Authorities store.

For Firefox:

Depending on the version, go to Menu > Options (or Preferences) > Advanced and open the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate file. Firefox keeps its own certificate store, so it does not pick up a certificate installed for the operating system.

Chrome and Safari:

If you are using Chrome or Safari, you must install the certificate for the OS, rather than directly in the browser.

If you are using Windows, open the certificate file and select Install Certificate. The Import Wizard appears.

In the Import Wizard, choose to place the certificate in the Trusted Root Certification Authorities store rather than letting Windows select a store automatically.

Chrome on Windows 10:

To trust the certificate for every user account on the device rather than only the current user, open the Start Menu, type Manage Computer Certificates and select Trusted Root Certification Authorities from the left panel. This console manages the Local Computer store.

Select Action > All Tasks > Import from the top menu and import the certificate.

If you are using Mac OS X, open the certificate file. Keychain Access opens.

Double-click the certificate. Expand Trust and set the certificate to Always Trust.

5. Results

Before installing the FortiGate SSL CA certificate, even if you bypass the error message by selecting Continue to this website, the browser may still show an error in the toolbar.

After you install the FortiGate SSL CA certificate, you should not experience a certificate security issue when you browse to sites on which the FortiGate unit performs SSL content inspection.

iTunes will now be able to run without a certificate error.

Using a self-signed certificate

In this method, a self-signed certificate is created using OpenSSL. This certificate will then be installed on the FortiGate for use with SSL inspection.

In this recipe, OpenSSL for Windows version 0.9.8h-1 is used.

1. Creating a certificate with OpenSSL

If necessary, download and install OpenSSL. Make sure that the file openssl.cnf is located in the BIN folder for OpenSSL.

Using Command Prompt (CMD), navigate to the BIN folder (in the example, the command is cd c:\OpenSSL\openssl-0.9.8h-1-1bin\bin).

Generate an RSA key with the following command:

openssl genrsa -aes256 -out fgcaprivkey.pem 2048

This command creates a 2048-bit RSA private key and encrypts it with AES-256. When prompted, enter a pass phrase for encrypting the private key. You will need the same pass phrase again when you sign the certificate and when you import the key into the FortiGate.

Use the following command to create a new certificate request and sign it with the key you just generated:

openssl req -new -x509 -days 3650 -extensions v3_ca -key fgcaprivkey.pem -out fgcacert.pem -config openssl.cnf

When prompted, re-enter the pass phrase, then enter the details required for the certificate request, such as location and organization name.

The result is a self-signed, PEM-encoded X.509 certificate that is valid for 3,650 days (approximately 10 years). The -extensions v3_ca option applies the [ v3_ca ] section of openssl.cnf, which marks the certificate as a certificate authority (basicConstraints CA:TRUE). The FortiGate needs this to re-sign server certificates, and browsers will not trust an inspection certificate that lacks it, so check that the section exists in your openssl.cnf.

Two new files have been created: the CA certificate (fgcacert.pem), which you will distribute to your users, and its private key (fgcaprivkey.pem), which goes only onto the FortiGate.
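The following script is an added example and is not part of the Fortinet recipe. It performs the same two OpenSSL steps non-interactively in a POSIX shell (rather than Windows CMD), but ships its own minimal config so that the [ v3_ca ] section is guaranteed to exist, and then runs the checks a practitioner would want before importing the files into the FortiGate: that the certificate is really marked as a CA allowed to sign certificates, that the private key belongs to the certificate, and what browsers will later show under Issued By. The pass phrase, subject fields and output directory are placeholders chosen for this example; the file names match the recipe.

```shell
#!/bin/sh
# Added example, not from the Fortinet recipe. Assumes `openssl` is in PATH.
# Pass phrase, subject fields and directory are placeholders for illustration.

# Write a minimal OpenSSL config that contains the [ v3_ca ] section the
# recipe's "-extensions v3_ca" refers to. Without basicConstraints CA:TRUE
# and the keyCertSign usage the FortiGate cannot use the certificate to
# re-sign server certificates and browsers will not treat it as an authority.
write_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
C  = CA
O  = Example Corp
OU = IT Security
CN = Example Corp SSL Inspection CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_inspection_ca DIR PASSPHRASE
# Produces DIR/fgcaprivkey.pem (2048-bit RSA, AES-256 encrypted) and
# DIR/fgcacert.pem (self-signed, 10 years): the two files the recipe imports.
make_inspection_ca() {
    dir=$1; pass=$2
    write_ca_config "$dir/ca.cnf"
    openssl genrsa -aes256 -passout "pass:$pass" \
        -out "$dir/fgcaprivkey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -extensions v3_ca \
        -config "$dir/ca.cnf" -key "$dir/fgcaprivkey.pem" \
        -passin "pass:$pass" -out "$dir/fgcacert.pem"
}

# cert_is_ca CERT: succeed only if the certificate is flagged as a CA that
# is permitted to sign other certificates.
cert_is_ca() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# key_matches_cert KEY CERT PASSPHRASE: the FortiGate import needs the key
# that belongs to the certificate; compare the RSA moduli of the two files.
# A wrong pass phrase makes the key unreadable, so the check fails too.
key_matches_cert() {
    kmod=$(openssl rsa -in "$1" -passin "pass:$3" -noout -modulus 2>/dev/null || true)
    cmod=$(openssl x509 -in "$2" -noout -modulus)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# cert_issuer CERT: print the issuer DN. For the CA itself this equals its
# subject, and it is what inspected sites show as "Issued By" in the browser.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Usage: sh make-inspection-ca.sh demo [output-dir]
if [ "${1:-}" = "demo" ]; then
    out=${2:-./inspection-ca}
    mkdir -p "$out"
    make_inspection_ca "$out" "change-this-passphrase"
    cert_is_ca "$out/fgcacert.pem" && echo "CA flags OK"
    key_matches_cert "$out/fgcaprivkey.pem" "$out/fgcacert.pem" \
        "change-this-passphrase" && echo "key matches certificate"
    echo "Issued By: $(cert_issuer "$out/fgcacert.pem")"
fi
```

The recipe's command depends on whatever [ v3_ca ] section the installed openssl.cnf happens to contain; writing the section explicitly removes that dependency, and cert_is_ca catches the case where the certificate was built without it. Keep fgcaprivkey.pem, and the pass phrase, off the devices that receive fgcacert.pem.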

2. Enabling certificate configuration in the web-based manager

Go to System > Config > Features. Click Show More, enable Certificates, and Apply the changes. 

3. Importing the self-signed certificate

You can now import the self-signed CA certificate, together with its private key, into the FortiGate.

Go to System > Certificates and select Import.

From the Type drop-down menu, select Certificate. Select Choose File to set Certificate file to your public certificate (fgcacert.pem) and Key file to your private key (fgcaprivkey.pem). Enter the pass phrase you used to encrypt the private key. If desired, you may also set a new Certificate Name.

The certificate now appears in the Local Certificates list.

4. Edit the SSL inspection profile

To use your certificate in an SSL inspection profile go to Policy & Objects > Policy > SSL/SSH Inspection. Edit the deep-inspection profile.

In the CA Certificate drop-down menu, select the certificate you imported.

5. Editing your Internet policy to use full SSL inspection

Go to Policy & Objects > Policy > IPv4 and edit the policy controlling Internet traffic. Under Security Profiles, set SSL Inspection to deep-inspection.

For testing purposes, make sure Web Filter is set to default.

6. Importing the CA certificate into the web browser 

Internet Explorer:

Go to Tools > Internet Options. On the Content tab, select Certificates.

Open the Trusted Root Certification Authorities tab and import the certificate. Importing a CA certificate into the Personal store does not make the browser trust it as an authority.

For Firefox:

Depending on the version, go to Menu > Options (or Preferences) > Advanced and open the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate file. The Servers list is for individual site exceptions and will not make Firefox trust certificates the FortiGate issues.

Chrome and Safari:

If you are using Chrome or Safari, you must install the certificate for the OS, rather than directly in the browser.

If you are using Windows, open the certificate file and select Install Certificate. The Import Wizard appears.

In the Import Wizard, choose to place the certificate in the Trusted Root Certification Authorities store rather than letting Windows select a store automatically.

If you are using Mac OS X, open the certificate file. Keychain Access opens.

Double-click the certificate. Expand Trust and set the certificate to Always Trust.

7. Results

Before installing the self-signed certificate and using it for SSL inspection, even if you bypass the error message by selecting Continue to this website, the browser may still show an error in the toolbar.

After you install the self-signed certificate, you should not experience a certificate security issue when you browse to sites on which the FortiGate unit performs SSL content inspection.

If you view the website's certificate information, the Issued By section should contain the details of your custom certificate, confirming that the traffic is subject to deep inspection. If it shows the site's original CA instead, that site is exempt from inspection or the policy is not applying the deep-inspection profile.

For further reading, check out SSL/SSH Inspection in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.