Preventing certificate warnings


This example illustrates how to prevent your users from getting a security certificate warning when you have enabled full SSL inspection (also called deep inspection).

Many users have the bad habit of clicking Continue when they receive a certificate warning. Rather than training them to do that, use one of the two methods below to stop the warnings from appearing on devices you manage: using the default FortiGate certificate, or using a self-signed CA certificate that you create yourself.

For more information about SSL inspection, see Why you should use SSL inspection.


Using the default FortiGate certificate

All FortiGates have a default CA certificate that is used to re-sign server certificates during SSL deep inspection. This certificate is also used in the default deep-inspection profile.

To prevent your users from seeing certificate warnings, distribute this CA certificate to your users' devices and install it as a trusted root. Any device that trusts the CA will accept every certificate the FortiGate issues with it, so the CA's private key must stay on the FortiGate; only the certificate is distributed.

1. Viewing the deep-inspection SSL profile

Go to Policy & Objects > SSL/SSH Inspection. In the upper-right hand drop down menu, select deep-inspection.


The deep-inspection profile applies full SSL inspection to all encrypted traffic matching the policy, except for the exclusions listed in the profile. By default, the web categories Health and Wellness, Personal Privacy, and Finance and Banking are excluded from SSL inspection. Applications that require their own certificates, such as iTunes and Dropbox, are also excluded, because they only accept their own certificates and would fail under inspection.

2. Enabling certificate configuration in the web-based manager

Go to System > Config > Features. Click Show More, enable Certificates, and Apply the changes.

3. Downloading the Fortinet_CA_SSLProxy certificate

Go to System > Certificates > Local Certificates.

Select the checkbox next to Fortinet_CA_SSLProxy, then select Download to save the CA certificate file and make it available to your users. Download only the certificate; the private key stays on the FortiGate.

4. Installing the certificate on the user's browser

Internet Explorer:

Go to Tools > Internet Options. On the Content tab, select Certificates.

Select the Trusted Root Certification Authorities tab and import the certificate there. A CA certificate imported into the Personal store is not used for trust decisions, so the warning would remain.

On Windows the same can be done without the GUI, which is useful for many machines: run certutil -addstore Root <certificate file> from an administrator command prompt, or push the certificate with Group Policy.

Microsoft Edge on Windows 10:

Right-click the Windows icon and choose Control Panel. Select Internet Options, then Content > Certificates > Import. Import the certificate file into the Trusted Root Certification Authorities store.

For Firefox:

Firefox keeps its own certificate store, separate from the operating system's, so the certificate has to be imported into Firefox even if it is already installed for the OS. Depending on the version, go to Menu > Options or Preferences > Advanced and find the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate file and, when asked, enable Trust this CA to identify websites.

Chrome and Safari:

If you are using Chrome or Safari, you must install the certificate for the OS, rather than directly in the browser.

If you are using Windows, open the certificate file and select Install Certificate. The Import Wizard appears.

Import the certificate using the Import Wizard. Import the certificate into the Trusted Root Certification Authorities store.


Chrome and Safari on Windows 10:

After installing the certificate for the OS, open the Start Menu, type Manage Computer Certificates and select Trusted Root Certification Authorities from the left panel.

Select Action > All Tasks > Import from the top menu and Import the certificate.


If you are using Mac OS X, open the certificate file. Keychain Access opens.

Double-click the certificate. Expand Trust and select Always Trust.


5. Results

Before installing the FortiGate SSL CA certificate, even if you bypass the error message by selecting Continue to this website, the browser may still show an error in the toolbar.

After you install the FortiGate SSL CA certificate, you should not see a certificate warning when you browse to sites on which the FortiGate unit performs SSL content inspection. Devices that do not have the CA installed will continue to warn, which is the correct behaviour: the warning is how the browser tells the user that something is intercepting the connection.

iTunes will now be able to run without a certificate error.

Using a self-signed certificate

In this method, a self-signed CA certificate is created with OpenSSL. The certificate and its private key are then installed on the FortiGate, which uses them to issue certificates for the sites it inspects. The CA certificate (never the key) is then distributed to users in the same way as the default certificate.

In this recipe, OpenSSL for Windows version 0.9.8h-1 is used. The commands are the same with current OpenSSL releases on Windows, Linux, or macOS.

1. Creating a certificate with OpenSSL

If necessary, download and install OpenSSL. Make sure that the file openssl.cnf is located in the BIN folder for OpenSSL.

Using Command Prompt (CMD), navigate to the BIN folder (in the example, the command is cd c:\OpenSSL\openssl-0.9.8h-1-1bin\bin).

Generate an RSA key with the following command. When prompted, enter a pass phrase for encrypting the private key:

openssl genrsa -aes256 -out fgcaprivkey.pem 2048

This produces a 2048-bit RSA private key, encrypted with AES-256 under your pass phrase. (genrsa does not read openssl.cnf, so it takes no -config option.)

Use the following command to create a new certificate request and self-sign it in one step. When prompted, re-enter the pass phrase, then enter the details required for the certificate request, such as location and organization name:

openssl req -new -x509 -days 3650 -extensions v3_ca -key fgcaprivkey.pem -out fgcacert.pem -config openssl.cnf

The result is a PEM-encoded X.509 CA certificate that is valid for 3,650 days (approximately 10 years). The -extensions v3_ca option applies the [ v3_ca ] section of openssl.cnf, which marks the certificate as a certificate authority (basicConstraints CA:TRUE); browsers will not accept certificates issued by a CA that lacks this.

Two new files have been created: a public certificate (fgcacert.pem) and a private key (fgcaprivkey.pem). The private key is what lets the FortiGate issue a certificate for any HTTPS site your users visit, so keep it only on the FortiGate and in your secure key storage; never distribute it with the certificate.
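The two OpenSSL commands above, put together as a script with the checks a practitioner would want before uploading the result. This is an added example, not part of the original recipe or of Fortinet's documentation. It assumes a Unix-style shell (the same openssl invocations work from the Windows OpenSSL bin folder), writes its own minimal openssl.cnf so that the [ v3_ca ] section the recipe relies on is visible, and uses an example subject DN and a pass phrase passed on the command line; all of those are assumptions. It also adds -sha256, which the recipe's OpenSSL 0.9.8 would not use by default, because browsers now reject SHA-1 signatures.

```shell
#!/bin/sh
# Added example (not from the original recipe): generate a self-signed CA for
# FortiGate SSL inspection with an explicit v3_ca config, then verify that the
# result really is a CA certificate before uploading it. File names follow the
# recipe; the subject DN and pass-phrase handling are assumptions.

# Minimal openssl.cnf. The [ v3_ca ] section is what "-extensions v3_ca"
# refers to: CA:TRUE and keyCertSign are what let browsers accept the
# certificates the FortiGate will issue under this CA.
ca_config() {
    cat <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
C  = US
O  = Example Corp
CN = Example Corp SSL Inspection CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca OUTDIR PASSPHRASE
# Same two steps as the recipe (genrsa, then req -new -x509), with the pass
# phrase supplied non-interactively and SHA-256 as the signature digest.
make_ca() {
    outdir="$1"; pass="$2"
    [ -n "$pass" ] || { echo "make_ca: a pass phrase is required" >&2; return 1; }
    ca_config > "$outdir/openssl.cnf"
    # AES-256-encrypted 2048-bit RSA private key: this file never leaves the admin host/FortiGate
    openssl genrsa -aes256 -passout "pass:$pass" -out "$outdir/fgcaprivkey.pem" 2048 2>/dev/null
    # Self-signed CA certificate, valid 3650 days
    openssl req -new -x509 -sha256 -days 3650 -extensions v3_ca \
        -config "$outdir/openssl.cnf" \
        -key "$outdir/fgcaprivkey.pem" -passin "pass:$pass" \
        -out "$outdir/fgcacert.pem"
    # DER copy for Windows users who double-click the file to import it
    openssl x509 -in "$outdir/fgcacert.pem" -outform DER -out "$outdir/fgcacert.cer"
}

# is_ca_cert FILE -> exit 0 only if Basic Constraints says CA:TRUE
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_summary FILE -> prints "<signature algorithm> <public key bits>"
# Run it on the CA, and on a certificate saved from the browser behind the
# FortiGate, to spot SHA-1 or 1024-bit keys that current browsers reject.
cert_summary() {
    text=$(openssl x509 -in "$1" -noout -text)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    printf '%s %s\n' "$sig" "$bits"
}

# verify_intercepted_site HOST CAFILE (run from behind the FortiGate, after
# the profile is applied): prints the issuer of the certificate actually
# presented for HOST, which should be our CA's subject if inspection is on.
verify_intercepted_site() {
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# Usage: sh fgca.sh generate ./out 'pass phrase'
if [ "$1" = "generate" ]; then
    mkdir -p "$2"
    make_ca "$2" "$3"
    is_ca_cert "$2/fgcacert.pem" && echo "CA certificate OK: $(cert_summary "$2/fgcacert.pem")"
fi
```

Run sh fgca.sh generate ./out 'pass phrase', then upload out/fgcacert.pem and out/fgcaprivkey.pem in step 3 and distribute out/fgcacert.cer (or the .pem) to users. For the generated CA, cert_summary prints sha256WithRSAEncryption 2048; run it on a certificate exported from a browser behind the FortiGate to see what the unit itself signs the re-issued site certificates with.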

2. Enabling certificate configuration in the web-based manager

Go to System > Config > Features. Click Show More, enable Certificates, and Apply the changes. 

3. Importing the self-signed certificate

You now have a self-signed CA certificate and its private key; import both into the FortiGate unit. (If you instead had a CSR signed by your enterprise root CA, you would import the resulting certificate the same way.)

Go to System > Certificates and select Import.

From the Type drop-down menu, select Certificate. Select Choose File to set Certificate file to your public certificate (fgcacert.pem) and Key file to your private key (fgcaprivkey.pem). In the Password field, enter the pass phrase you chose when generating the private key. If desired, you may also set a new Certificate Name.

The certificate now appears on the Local Certificates list.

4. Edit the SSL inspection profile

To use your certificate in an SSL inspection profile go to Policy & Objects > Policy > SSL/SSH Inspection. Edit the deep-inspection profile.

In the CA Certificate drop down menu, select the certificate you imported.


5. Editing your Internet policy to use full SSL inspection

Go to Policy & Objects > Policy > IPv4 and edit the policy controlling Internet traffic. Under Security Profiles, set SSL Inspection to deep-inspection.

For testing purposes, make sure Web Filter is set to default.


6. Importing the CA certificate into the web browser

Install fgcacert.pem on each user's device exactly as in step 4 of the previous method; the steps are repeated here for convenience.

Internet Explorer:

Go to Tools > Internet Options. On the Content tab, select Certificates.

Select the Trusted Root Certification Authorities tab and import the certificate there (not into Personal, which is not used for trust decisions).

For Firefox:

Depending on the version, go to Menu > Options or Preferences > Advanced and find the Certificates tab.

Select View Certificates, then select the Authorities list (not Servers: this is a CA certificate). Import the certificate file and, when asked, enable Trust this CA to identify websites.

Chrome and Safari:

If you are using Chrome or Safari, you must install the certificate for the OS, rather than directly in the browser.

If you are using Windows, open the certificate file and select Install Certificate. The Import Wizard appears. Import the certificate into the Trusted Root Certification Authorities store.

If you are using Mac OS X, open the certificate file. Keychain Access opens. Double-click the certificate, expand Trust, and set When using this certificate to Always Trust.

7. Results

Before installing the self-signed certificate and using it for SSL inspection, even if you bypass the error message by selecting Continue to this website, the browser may still show an error in the toolbar.

After you install the self-signed certificate, you should not see a certificate warning when you browse to sites on which the FortiGate unit performs SSL content inspection.

To confirm that inspection is actually happening, view the website's certificate in the browser: the Issued By field should name your CA (the subject you entered when creating fgcacert.pem) rather than the site's real public CA. If it still shows the public CA, that traffic is not being inspected, for example because the site falls in one of the categories excluded from the profile.

For further reading, check out SSL/SSH Inspection in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
  • Odimar Branco

    https://uploads.disquscdn.com/images/2977cd07c4d28a5a0315d6e1c7617ded293a29af28ddfd0d7b83839d32fc3820.png
    Hello Victoria,
    It is possible for blocked https pages to be in the shape of the image I attached. And not with certificate error.

  • sub7even

    Hi Victoria,

    If I was using a valid cert from the Internet, like VeriSign, DigiCert, etc., how can I do it? Thank you.

    Regards,

  • Facini Live (F4cini)

    Good afternoon,
    I performed the procedure as described in the tutorial. At first the certificate error stopped, but when I click Continue on a site that was blocked it gives the certificate error. Could you help me with this?

  • Sandro Barros

    Hello!!!

    I want to know how to disable the SSL warning when I am accessing my FG80C.
    This happens with all my devices, but I'd like to disable this warning.

    Example: https://192.168.0.1:444

    Thanks!

    • Victoria Martin

      Hi Sandro,

      The certificate used for access to the FortiGate is different than the one used for SSL inspection. Go to System > Admin > Settings and look for the HTTPS Server Certificate (likely called Fortinet_Factory). Once you have identified which certificate, you can use the instructions in this recipe to install that certificate on the device used for admin access on the FortiGate.

  • Ivan Carrillo Bustos

    I don't know a lot about certificates or HTTPS, but I have the following problem. I have a service running on port 50000 and I need it to run under HTTPS. The problem is that my domain is "fortiddns", and when I generate a CSR and put it in the certificate request at COMODO (for example), they show me the message "This domain is already certificate". So what can I do? If I do everything in this recipe, am I going to certify HTTPS on a specific port, or is my port 50000 going to be certified too? I am sorry if my question is dumb; I really don't know a lot about this topic.

    • Victoria Martin

      Hello Ivan,

      You can only create a certificate for a domain that you own, which is why it won’t work for “fortiddns.”

      The certificate installed in this recipe will be used to trust all traffic that is encrypted using that certificate.

  • Alex Alvarez

    HI !

    We have external users; it is extremely hard to install any certificate on each device.

    What is the main difference between a self-signed and the default FortiGate certificate? In both cases certificate installation in the users' browsers is required.

    • Victoria Martin

      If you want to avoid installing a certificate on every browser, you will need to generate a CSR from the FortiGate and have it signed by a third-party, trusted CA that most major browsers will recognize and accept without a warning automatically.

  • Miquel Àngel Daniel

    Hi! I'm facing a similar issue, but we can't install certificates. We use an external captive portal for our customers; we have 10 FortiGate 300Ds and 4 1200Ds. When they connect to our Wi-Fi, usually a browser pops up showing the captive portal. But that does not always happen; in that case, if the customer tries to reach any HTTP site, the firewall redirects to the portal to authenticate, but if the customer tries to reach an HTTPS site instead, they get an SSL error. Any idea how to fix that problem?

  • Scott McGrath

    Is there a way to easily import the TLS cert on a Unix box for wget use?

    • Kerrie Newton

      Hi Scott,

      I haven't tested this, but the keytool utility might be useful for you.

      http://www.tutorialspoint.com/unix_commands/keytool.htm

      Importing Certificates

      To import a certificate from a file, use the -import subcommand, as in

      keytool -import -alias joe -file jcertfile.cer

      This sample command imports the certificate(s) in the file jcertfile.cer and stores it in the keystore entry identified by the alias joe.

      Regards,
      Kerrie
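A way to do what Scott asks, as an added example that is not part of the thread or of Fortinet's documentation: it shows how to make wget (and curl) on a Linux host trust the FortiGate inspection CA. The file names and the Debian/RHEL trust-store paths are assumptions. The point it makes is that a per-tool CA file (wget's --ca-certificate, curl's --cacert) must still contain the public roots, otherwise the sites the FortiGate exempts from inspection stop validating; the OS trust store avoids that problem.

```shell
#!/bin/sh
# Added example (not part of the thread): make a Unix host trust the FortiGate
# inspection CA for wget and curl. The CA file name follows the recipe's
# download (it may be DER or PEM); bundle and config paths are assumptions
# for a typical Debian/Ubuntu or RHEL host.

# cert_format FILE -> PEM or DER, judged by the PEM header
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# to_pem SRC DST: the tools below expect PEM; convert a DER download with openssl
to_pem() {
    if [ "$(cert_format "$1")" = DER ]; then
        openssl x509 -inform DER -in "$1" -out "$2"
    else
        cp "$1" "$2"
    fi
}

# make_bundle SYSTEM_BUNDLE FGCA_PEM OUT -> prints the number of certificates in OUT
# --ca-certificate / --cacert point a tool at ONE file, so that file must also
# carry the public roots, or the sites the FortiGate exempts from inspection
# (the excluded categories in the profile) fail to validate. Append our CA to
# a copy of the system bundle instead of using it alone.
make_bundle() {
    cat "$1" "$2" > "$3"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$3"
}

# wgetrc_line BUNDLE -> ~/.wgetrc setting (same as --ca-certificate=BUNDLE)
wgetrc_line() {
    printf 'ca_certificate = %s\n' "$1"
}

# curlrc_line BUNDLE -> ~/.curlrc setting (same as --cacert BUNDLE)
curlrc_line() {
    printf 'cacert = %s\n' "$1"
}

# install_system_ca PEMFILE: preferred route; adds the CA to the OS trust store
# that wget, curl, apt/yum and most non-browser tools consult. Needs root.
install_system_ca() {
    if [ -d /usr/local/share/ca-certificates ]; then        # Debian / Ubuntu
        cp "$1" /usr/local/share/ca-certificates/fortigate-ssl-inspection.crt
        update-ca-certificates
    elif [ -d /etc/pki/ca-trust/source/anchors ]; then      # RHEL / CentOS / Fedora
        cp "$1" /etc/pki/ca-trust/source/anchors/fortigate-ssl-inspection.pem
        update-ca-trust extract
    else
        echo "unknown distribution: add $1 to the OS trust store by hand" >&2
        return 1
    fi
}

# Usage: sh trust-fgca.sh Fortinet_CA_SSLProxy.cer [--system]
if [ -n "$1" ]; then
    to_pem "$1" "$HOME/fortigate-ca.pem"
    if [ "$2" = "--system" ]; then
        install_system_ca "$HOME/fortigate-ca.pem"
    else
        sysbundle=/etc/ssl/certs/ca-certificates.crt                        # Debian path (assumption)
        [ -f "$sysbundle" ] || sysbundle=/etc/pki/tls/certs/ca-bundle.crt   # RHEL path (assumption)
        n=$(make_bundle "$sysbundle" "$HOME/fortigate-ca.pem" "$HOME/ca-bundle-with-fortigate.pem")
        echo "bundle has $n certificates"
        wgetrc_line "$HOME/ca-bundle-with-fortigate.pem" >> "$HOME/.wgetrc"
        curlrc_line "$HOME/ca-bundle-with-fortigate.pem" >> "$HOME/.curlrc"
    fi
fi
```

Without --system the script writes a combined bundle and points wget and curl at it from their rc files; with --system (as root) it installs the CA into the distribution's trust store, which is the cleaner option when more than these two tools need it.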

  • Francisco Granados

    Has anybody figured out a way to do this for internal webservers + wildcard certificate?

    We are trying to use SSL inspection for inbound connections to our web servers, but users are seeing the cert warnings.

    I tried uploading the wildcard cert issued by a CA but have not been able to apply it to the policy.

    Thanks in advance.

    • Victoria Martin

      Hi Francisco,

      When you are applying SSL inspection to traffic to your web server, you need to use an SSL inspection profile that is set up to Enable inspection of Protecting SSL Server (rather than Multiple Clients Connecting to Multiple Servers, as is the case in the recipe above). Once you make this change, you should see your certificate in the available options.

      Hope that helps!

  • Thomas B

    Hello!

    I updated my spare 40C to 5.2.4 but the menu entry "Policy & Objects > SSL/SSH Inspection" is still missing. All features except IPv6 and Wireless are turned on. Is this feature not available on a 40C unit because of performance issues?

    • Victoria Martin

      Hello Thomas,

      I believe that the 40C does support SSL Inspection; however, it may only be accessible using the CLI. Try using the command “config firewall ssl-ssh-profile” and edit the “deep-inspection” profile, to access the profile used in this recipe.

      Hope that helps!

  • TR

    Deprecated certificate in chain

    Dear all,

    I have managed to enable deep SSL inspection on a FortiGate unit (OS ver 5.2.2) for the users browsing the Internet. The CA certificate from the FortiGate unit is introduced to network computers over group policy, so in that sense there is no warning. However, I have another minor issue regarding the warnings. Browsers such as Firefox and Chrome warn about a deprecated RSA key and deprecated hash algorithm for the websites that the FortiGate CA certificate issues. Message from Chrome: "The certificate chain for this website contains at least one certificate that was signed using a deprecated signature algorithm based on SHA-1."

    The private CA certificate used for the deep SSL inspection has an RSA 4096 public key and a SHA-256 hash value, but for the visited SSL website (e.g. https://google.com) which I want to inspect, the FortiGate unit issues a website certificate *.google.com with RSA 1024 and SHA-1 values.

    Can we configure the FortiGate unit in a way that the certificates issued by the FortiGate CA certificate have at least SHA-2 and RSA 2048 values?

    • Sam Kidman

      This is a problem for us as well. Please fix it in 5.4.

      • Anthony Munro

        Having the exact same problem here in 5.2.4

  • Lorenzo Massimi

    Victoria:

    I have a customer with a FortiGate-60C running FortiOS v4.0. The customer wants to access a mail system with POPS, IMAPS and SMTP over TLS. Every Outlook session warns about the FortiGate certificate. How do I disable SSL inspection on this FortiGate unit? Or, alternatively, what is the procedure to enable a third-party certificate to avoid the Outlook warnings?

  • Marcial Duran

    I activated the certification feature, but this option appears empty..

    • Victoria Martin

      Hi Marcial,

      It sounds like you are having the same issue that popped up in this forum thread. From reading the thread, it sounds like this may be a known issue that should be resolved in FortiOS 5.2.4.

  • Victoria Martin

    Hello pg, sorry for the delay in responding to you; somehow this comment got past us.

    Preventing certificate warnings has been successfully set up in real-world settings. The issue is that the workaround is more work than getting a certificate from a trusted authority specific to the site. A certificate can successfully encrypt the traffic in most cases even if it is not a trusted certificate.

    The warning that is quite commonly seen on FortiGates when the default certificate is used is because the name on the certificate does not match the name of the intended destination. If you send SSL-encrypted traffic to a web site at "example.com" behind a FortiGate, the browser is expecting to see "example.com" as the name of the site in the certificate. When they don't match, a warning message is generated by the browser. In most cases, once you get this you can add the site and certificate combination to a white list and you won't get the message any more.

    Having the message not appear in the first place without any effort on the part of the user is trickier. The certificate has to be imported into the browser of anyone accessing the site. In a corporate environment this can be done by the IT department before the computer is deployed to the user. For a site available to the public you would have to get the cooperation of everyone that was going to go to your site. This is why companies that sell certificates are still in business.

  • Bjørn Tore

    We have a wildcard CA certificate for our domain. I am however not able to import it to any of my Forti-products. Is there support for wildcard certificates? Or am I doing it wrong?

    I import the DigiCertCA.crt first.

    • Victoria Martin

      Wildcard CA certificates are supported by Fortinet products. You may want to call support and have them walk you through the import process, to see what’s going on. You can find the contact info at https://support.fortinet.com

      • Bjørn Tore

        I managed to get it to work. Turns out the GUI isn’t very helpful here – have to use cli.

        • Victoria Martin

          I’m glad you were able to get it working. We’ll look into adding information about using wildcard certificates using the CLI.

          • Simon Taylor

            Victoria, has there been any progress on providing this info?

        • Simon Taylor

          Bjørn, can you please share how you got your DigiCert wildcard certificate working in the CLI?

          • Bjørn Tore

            config system certificate local
                edit "domain.com"
                    set comment "Wildcard Cert"
                    set private-key "-----BEGIN PRIVATE KEY-----
            !"#¤%
            -----END PRIVATE KEY-----"
                    set certificate "-----BEGIN CERTIFICATE-----
            !"#¤%
            -----END CERTIFICATE-----"
                next
            end

            config system certificate ca
                edit "CA_Cert_1"
                    set ca "-----BEGIN CERTIFICATE-----
            !"#¤%
            -----END CERTIFICATE-----"
                    set comment "Created by CA certificate"
                next
            end

  • FC

    Hello and thanks for this information, I find it very clear and useful.
    I’m analysing the 2nd alternative, to get a certificate signed by a “recognized third-party CA”, so no user will receive warnings when the deep scanning occurs.
    Can you mention or recommend some “recognized third-party CA” that would issue this kind of certificates?

    I do not know how easy is to get one of these certificates and I am a bit lost here. Thanks!

    • Bruce Davis

      I normally don’t recommend third party products, because through some inexplicable chain of events you may end up having a bad experience, and quite frankly I don’t want you blaming me, so I normally just present some of the better possible options and let you decide based on your needs and preferences. It turns out that someone has already gone to the trouble, and it looks like he has compiled a very good list, complete with context to better help you decide.
      http://blog.pluralsight.com/top-reliable-ssl-certificates

      • FC

        Hi Bruce, thanks for your answer.
        Maybe my question was not very clear or maybe I am confused, but what I understood from the recipe method, is that what we need in a Fortigate for this fully-trusted alternative is a “Subordinate Certificate Authority” certificate signed by a Trusted CA -like any of the ones that are listed on the article you mentioned-.
        My question actually was about whether any of these trusted CA’s would sign a Subordinate CA certificate for my Fortigate or not.
        I understand the theory of this approach but I don’t know any public trusted CA that would actually sign my own subordinate CA, allowing me to issue as many “trusted” certificates as I would want…
        Do you know if there is any Fortigate implementation that got a Subordinate CA certificate signed by a Trusted CA? In that case, which trusted CA has signed?
        (Is this maybe a solution of thousands of dollars?)
        Greetings.

        • Bruce Davis

          Without having a more detailed understanding of what your ultimate objective is, it is hard to give you the answer to your best option, but one of the things I would suggest looking into would be wildcard certificates. It would essentially be a certificate for *.. It would cover secondary domains to your main domain such as:
          site1.
          mail.
          ecommerce.

          but it would not cover tertiary domains such as subsite.site1. or the primary domain, .

          This means you would need 2 certificates; one for the main domain name and a wildcard to handle all of the secondary domains.

          The price for a wildcard certificate is more expensive than a single site cert but it can be as low as hundreds of dollars rather than thousands of dollars, depending on the vendor.

          Most vendors will have support staff that will be able to discuss what your needs are and how to best provide solutions for them. I would recommend calling up at least 2 so that you can compare not only prices, but approaches to your needs. If you’re not an expert on the subject and don’t want to be one, get them to do as much of the heavy lifting as possible.

          • Nikolaï SALIEVITCH

            Thanks for your answer, but what's not very clear is the certificate type. You mention previously that the template must be "Subordinate Certificate Authority" and, as Bruce said, I don't know any public CA who would accept to sign this kind of certificate without asking for and checking very strong prerequisites. Such a certificate means that your company can issue as many certs as you want with the recognition of the public trust CA. So it isn't possible just for implementing deep inspection in a FortiGate.

            So the question is if a normal server or wildcard certificate is valid and supported by Fortinet for deep inspection ?

            I think the response is NO as the Fortigate really act as an intermediate CA, when it dynamically signed a server certificate for http://www.google.com, or youtube.com.

            So I’m really curious about implementation for small business, or big deployment of deep inspection.

            Can we have an official technical response on this subject ?

            Thank in advance for your feedback.

  • JJ

    We have installed a SubCA, and for WebFilter / explicit proxy we're great. But for those times when traffic is blocked or times out and you get the square ASCII blue box with the error message in it, when it's SSL it's still using the FG CA to sign those certs. How/where do I set that?

    • Bruce Davis

      Not sure that I recognize the reference to a square ASCII blue bow with the error message in it, but the first logical place to look would be the SSL inspection profile used on the policy that the traffic is going through. This is where you would be able to set the certificate.

  • pg

    Hi, have you gotten this to work in a real-world setting? Just trusting the certificate issuer is not enough to prevent warnings. You must also be presented with a certificate that is issued TO the same name you're attempting to reach. For example, you go to https://www.google.com, the FortiGate intercepts it and presents you with a cert that you trust, but it's issued to "fortigate" or "*.ipower.com". We have seen this on all of our FortiGate deployments and there is no way to issue a cert to every name in the world. How do you get around this?

  • fortipem

    Thanks for this "recipe" in the cookbook. I've got a question about the certificate type: you specified an IP host-based ID for the SSL inspection certificate, and that's normal as the FortiGate is (generally) the default gateway in the network. But is it required?

    Actually, some CA providers need an FQDN to generate a certificate (like GoDaddy from 1 Nov. 2015). How do you deal with that? Another issue is when you have multiple subnets connected to the FortiGate: which IP must I enter?

    Can I enter the DNS name? Thank you for your help!

    • telbar

      Hello,
      In Subject Information > ID Type, "Host IP" is a means to specify the ID of the certificate issuer, thus it's not required; you can choose other options such as "Domain name".
      Let me know how it goes.
      Taher.
