When "normally" rhymes with "rarely"!

Fortinet Fortigate - Deep inspection - Untrusted certificate issue

You have configured SSL deep inspection with your own PKI CA certificate.
Most of the time it works as expected: the Fortigate generates a certificate signed by your PKI CA certificate on the fly, and the client browser reports no error.

Sometimes, though, the generated certificate is signed not by your PKI CA certificate but by the default Fortinet "Fortinet_CA_Untrusted" certificate. Of course, you have not deployed this CA certificate on your computers, since it should not be used. So you get an SSL error.

Why does the Fortigate generate a certificate with the wrong CA? The destination certificate seems fine: no error is reported in the browser of a computer without deep inspection.

Quick answer: the destination certificate is not trusted by the Fortigate because intermediate certificates are missing on the destination server.

To avoid this issue, you have to set your PKI CA certificate as the CA used for untrusted certificates. This can be done only through the CLI.

FORTIGATE # config firewall ssl-ssh-profile
FORTIGATE (ssl-ssh-profile) # edit "MyDeepInspectionProfile"
FORTIGATE (MyDeepInspectionProfile) # set untrusted-caname "MyPkiCA"
FORTIGATE (MyDeepInspectionProfile) # end

Replace "MyDeepInspectionProfile" with the name of your custom deep inspection profile and "MyPkiCA" with the name of your PKI CA certificate.
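To confirm from a client without deep inspection that a destination server really does omit its intermediate certificate (the cause given above), the following script classifies the chain from the text `openssl s_client -showcerts` prints. It is an added example, not part of the original post; the host names, the `check_host` helper and the sample outputs are constructed, and a live check assumes `openssl` is installed.

```shell
#!/bin/sh
# Classify the chain a destination server presents, from `openssl s_client
# -showcerts` output. Added example, not from the original post.
# Output: complete | leaf-only | issuer-unknown | self-signed | other:<code>
classify_chain() {
    out="$1"
    # how many certificates the server actually sent
    certs=$(printf '%s\n' "$out" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    # final verification result reported by OpenSSL
    code=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    [ -n "$code" ] || { echo "other:no-verify-line"; return 1; }
    if [ "$code" != 0 ] && [ "$certs" -le 1 ]; then
        echo "leaf-only"; return 0   # no intermediate sent: the case the post describes
    fi
    case "$code" in
        0)     echo "complete" ;;
        20)    echo "issuer-unknown" ;;  # chain sent, but its top issuer is not trusted locally
        18|19) echo "self-signed" ;;     # self-signed leaf, or self-signed root not trusted
        *)     echo "other:$code" ;;
    esac
}

# Live check from a host without deep inspection (hypothetical helper, needs openssl).
check_host() {
    classify_chain "$(openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>&1)"
}

# Constructed sample: the server sends only its leaf certificate.
SAMPLE_LEAF_ONLY='depth=0 CN = www.example.test
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample: leaf plus intermediate, chain verifies.
SAMPLE_COMPLETE='depth=1 CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
Verify return code: 0 (ok)'

classify_chain "$SAMPLE_LEAF_ONLY"   # prints leaf-only
classify_chain "$SAMPLE_COMPLETE"    # prints complete
```

Once `untrusted-caname` points to the same CA as your trusted one, browsers no longer show which destinations the Fortigate could not verify, so a check like this is how you still find them.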
