Preventing certificate warnings (default certificate)

In this recipe, you prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you’re using your FortiGate device’s default certificate, a self-signed certificate, or a CA-signed certificate. This recipe explains how you can prevent certificate warnings when you use your FortiGate device’s default certificate.

With full SSL inspection, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.

Using the default certificate

All FortiGate devices have a default certificate that’s used for full SSL inspection. This certificate is also used in the default deep-inspection profile. To prevent users from seeing certificate warnings, you can install this certificate on users’ devices.

1. Generating a unique certificate

Run the following CLI command to generate an SSL certificate that’s unique to your FortiGate:

exec vpn certificate local generate default-ssl-ca

2. Downloading the certificate used for full SSL inspection

Go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top right corner to select deep-inspection, which is the profile used to apply full SSL inspection.

The default FortiGate certificate is listed as the CA Certificate. Select Download Certificate.

3. Applying SSL inspection to a policy

Before you import the certificate, verify that SSL inspection is applied to the policy that controls traffic to the Internet. You must also apply at least one other security profile to that policy in order to implement SSL inspection.

4. Importing the certificate into web browsers 

Once you have your FortiGate device’s default certificate, you need to import the certificate into users’ browsers.

The method you use for importing the certificate varies depending on the type of browser.

Internet Explorer, Chrome, and Safari (Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users are using these browsers, you must install the certificate into the certificate store for the OS.

If you’re using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.
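
The Windows installation step above can also be scripted. The following is an added example, not part of Fortinet's recipe: a PowerShell script that checks the downloaded file before placing it in the Trusted Root Certification Authorities store. The parameter names are hypothetical, and it assumes you have separately obtained the SHA-256 fingerprint of your FortiGate's certificate to compare against.

```powershell
# Added example (not Fortinet's code). Run from an elevated PowerShell prompt.
param(
    # Path to the certificate file downloaded in step 2 (supplied by you).
    [Parameter(Mandatory)] [string] $CertPath,
    # Assumption: SHA-256 fingerprint of the FortiGate certificate, obtained
    # separately over a trusted channel. Hex digits; colons or spaces allowed.
    [Parameter(Mandatory)] [string] $ExpectedSha256
)

$ErrorActionPreference = 'Stop'

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path -LiteralPath $CertPath).Path)

# Fingerprint of the DER-encoded certificate, independent of PEM/DER file format.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = -join ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') })
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Fingerprint mismatch: file has $actual"
}

# A certificate used to re-sign inspected traffic must be a CA and currently valid.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate is not marked as a CA (basicConstraints CA:TRUE missing).'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Same store the Certificate Import Wizard step targets, for all users of this machine.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the certificate is now present in the store.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw 'Import reported success but the certificate was not found.' }
"Installed: $($cert.Subject)  SHA-256: $actual"
```

The script stops before the import if any check fails, so a wrong or substituted file never reaches the trust store.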

If you’re using macOS, double-click the certificate file in your downloads folder to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

Firefox (Windows and macOS)

Firefox has its own certificate store. To avoid errors in Firefox, you must install the certificate in this store, instead of the OS.

If users are using Firefox, the certificate can't be pushed to all of their devices; it must be installed on each device.

In Firefox, go to Tools > Options > Privacy & Security (Windows) or Preferences > Privacy & Security (macOS).

Scroll down to the Certificates section. Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

5. Results

Before you install the certificate, an error message appears in users’ browsers when they access a site that uses HTTPS (this example shows an error message in Firefox).

After you install the certificate, users shouldn’t experience a certificate security issue when they browse to sites that the FortiGate performs SSL content inspection on.

Users can view information about the connection and the certificate that’s used.

When users view information about the connection, they’ll see that it’s verified by Fortinet.

When users view the certificate in the browser, they’ll see the certificate that’s used and information about that certificate.

For further reading, check out SSL/SSH Inspection in the FortiOS 6.0 Handbook and Why you should use SSL inspection.

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2014. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).
If you have the right environment, such as the Windows Group Policy Management Console, you can push the certificate to users’ browsers using the Windows Group Policy Editor. In this case, you do not have to import the certificate into users’ browsers.