Preventing certificate warnings (CA-signed certificate)


In this recipe, you prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you’re using a CA-signed certificate, as presented here, your FortiGate’s default certificate, or a self-signed certificate.

When you enable full SSL inspection, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.


Using a CA-signed certificate

In this method, you obtain a CA-signed certificate and install this certificate on your FortiGate to use with SSL inspection. In order to implement SSL inspection, you must also add another security profile to the policy that controls Internet traffic. You can use either FortiAuthenticator as your CA or a trusted private CA.

If you use FortiAuthenticator as a CA, you generate a certificate signing request (CSR) on your FortiGate, have it signed on the FortiAuthenticator, import the certificate into your FortiGate, and configure your FortiGate to use the certificate for SSL deep inspection of HTTPS traffic.

If you use a trusted private CA, you generate a CSR on your FortiGate, apply for an SSL certificate from the trusted private CA, import the certificate into your FortiGate, and configure your FortiGate so the certificate can be used for SSL deep inspection of HTTPS traffic.

If your FortiAuthenticator is not configured as a CA, see Certificate authorities in the FortiAuthenticator 5.3 Online Help.

1. Generating a CSR on a FortiGate

On your FortiGate, create a new CSR by going to System > Certificates and select Generate.

Enter a Certificate Name, the external IP of your FortiGate, and a valid email address.

To ensure the certificate uses a sufficiently strong key, set Key Type to RSA and Key Size to 2048 Bit (the industry standard).

Once generated, the certificate shows a Status of Pending. To save the .csr file to your local drive, highlight the certificate and select Download.

2. Getting the certificate signed by a CA

Trusted private CA:

If you want to use a trusted private CA to sign the certificate, use the CSR to apply for an SSL certificate with your trusted private CA.

FortiAuthenticator:

If you want to use a FortiAuthenticator as a CA to sign the certificate, on the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.

Set Type to CSR to sign, enter a Certificate ID, and import the example-cert.csr file. Make sure to select the Certificate authority from the drop-down menu and set the Hash algorithm to SHA-256.

Once imported, you should see that example_cert has been signed by the FortiAuthenticator, showing a Status of Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export.

This will save the example_cert.crt file to your local drive.

3. Importing the signed certificate to your FortiGate

On your FortiGate, go to System > Certificates and select Local Certificate from the Import drop-down menu.
Browse to the certificate file and select OK.
You should now see that the certificate has a Status of OK.

4. Editing the SSL inspection profile

To use your certificate in an SSL inspection profile, go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top right corner to select deep-inspection.

The deep-inspection profile is read-only. To use the CA-signed certificate for SSL inspection, you must clone the deep-inspection profile and configure the new profile to use your certificate. In this example, the name of the profile is custom-deep-inspection.

Set CA Certificate to use the new certificate.
Verify that SSL inspection is applied to your policy that controls traffic to the Internet. You must also apply at least one other security profile to that policy in order to implement SSL inspection. In this example, we apply antivirus.
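The following script is an added example, not part of the Fortinet recipe: it reproduces steps 1 and 2 with openssl in a scratch directory (a throwaway root CA stands in for the FortiAuthenticator or private CA), then runs two checks worth doing before step 4: that the signed certificate is actually a CA certificate, which it must be to serve as the profile's CA Certificate, and that it chains to the CA users will trust. The external IP, email address and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Fortinet recipe). Requires openssl.
set -eu
WORK="${WORK:-$(mktemp -d)}"
FGT_IP="203.0.113.10"          # placeholder FortiGate external IP (constructed)
FGT_MAIL="admin@example.com"   # placeholder contact address (constructed)

# Step 1: RSA 2048 key and CSR, as the FortiGate generates them.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/example_cert.key" -out "$WORK/example_cert.csr" \
    -subj "/CN=$FGT_IP/emailAddress=$FGT_MAIL" 2>/dev/null
}

# Step 2: stand-in for the private CA / FortiAuthenticator. A throwaway root CA
# signs the CSR with SHA-256 as an intermediate CA (basicConstraints CA:TRUE).
sign_as_intermediate_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj "/CN=Example Private Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/example_cert.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/example_cert.crt" 2>/dev/null
}

# Check 1: the certificate set as the profile's CA Certificate must be a CA
# certificate; an ordinary server certificate cannot re-sign the impersonated
# sites, so browsers would keep warning even after users import it.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Check 2: the certificate must chain to the CA that users' trust stores hold
# (here the throwaway root), otherwise step 5 does not remove the warning.
chains_to_root() {
  openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
}
```

Run `make_csr` and `sign_as_intermediate_ca`, then `is_ca_cert "$WORK/example_cert.crt"` and `chains_to_root "$WORK/example_cert.crt"` should both succeed; the same checks can be run against the real signed certificate before importing it.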

5. Importing the certificate into web browsers

Once your certificate is signed by the CA, you need to import the certificate into users’ browsers.

The method you use for importing the certificate varies depending on the type of browser.

Internet Explorer, Chrome, and Safari (on Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.

If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certificate Authorities store. If a security warning appears, select Yes to install the certificate.

If you are using macOS, double-click the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

Firefox (on Windows and macOS):

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store, rather than in the OS.

If users are using Firefox, the certificate cannot be pushed to all of their devices through the OS certificate store; it must be installed in Firefox on each device.

In Firefox, go to Options > Privacy & Security (Windows) or Preferences > Privacy & Security (macOS).

Scroll down to the Certificates section. Select View Certificates, then select the Authorities tab. Import the certificate and set it to be trusted for website identification.


6. Results

Before you install the certificate, an error message appears in users’ browsers when they access a site that uses HTTPS (this example shows an error message in Firefox).

After you install the certificate, users shouldn’t experience a certificate security issue when they browse to sites that the FortiGate performs SSL content inspection on.


Users can view information about the connection and the certificate that’s used.

When users view information about the connection, they’ll see that it’s verified by Fortinet.

When users view the certificate in the browser, they will see which certificate is used and information about that certificate.

For further reading, check out SSL/SSH Inspection in the FortiOS 6.0 Handbook and Why you should use SSL inspection and Certificate authorities in the FortiAuthenticator 5.3 Online Help.

Note: If you have the right environment, such as the Windows Group Policy Management Console, you can push the certificate to users’ browsers using the Windows Group Policy Editor. In this case, you do not have to import the certificate into users’ browsers manually.

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2014. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).