IC Knowledge Base

Full (Deep) SSL Inspection - Avoid certificate errors

Preventing certificate warnings

Facebooktwittergoogle_pluslinkedin

In this recipe, you will prevent users from receiving a security certificate warning when your FortiGate applies full SSL inspection to incoming traffic.

When full SSL inspection is used, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when a user receives a security certificate warning, they simply select Continuewithout understanding why the error is occurring. To avoid encouraging this habit, you can  prevent the warning from appearing in the first place.

There are two methods for doing this, depending on whether you are using your FortiGate’s default certificate or using a self-signed certificate.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

Using the default certificate

All FortiGates have a default certificate that is used for full SSL inspection. This certificate is also used in the default deep-inspection profile. To prevent your users from seeing certificate warnings, you can install this certificate on your users’ devices.

If you have the right environment, you can distribute the certificate and have it installed automatically.

 

1. Generating a unique certificate

Run the following CLI command to make sure that your SSL certificate is unique to your FortiGate:

exec vpn certificate local generate default-ssl-ca

2. Downloading the certificate used for full SSL inspection

Go to Security Profiles > SSL/SSH Inspection. Use the dropdown menu in the top right corner to select deep-inspection, the profile used to apply full SSL inspection.

 

The default FortiGate certificate is listed as the CA Certificate. Select Download Certificate.

 

3. Installing the certificate on the user’s browser

Internet Explorer, Chrome, and Safari (on Windows or Mac OS):

The above browsers use the operating system’s certificate store for Internet browsing. If your users will be using these applications, you must install the certificate into the certificate store for your OS.

If you are using Windows 7/8/10, double-click on the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certificate Authorities store. If a security warning appears, select Yes to install the certificate.

 

If you are using Mac OS X, double-click on the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

 

If you have the right environment, the certificate can be pushed to your users’ devices. However, if Firefox is used, the certificate must be installed on each individual device, using the instructions below.

Firefox (on Windows or Mac OS)

Firefox has its own certificate store. To avoid errors in Firefox, then the certificate must be installed in this store, rather than in the OS.

Go to Tools > Options > Advanced or Firefox >Preferences > Advancedand find the Certificatestab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

 

4. Results

Before installing the certificate, an error message would appear in the browser when a site that used HTTPS was accessed (the example shows an error message appearing in Firefox).

After you install the certificate, you should not experience a certificate security issue when you browse to sites on which the FortiGate unit performs SSL content inspection.

If you view information about the connection, you will see that it is verified by Fortinet.

 

 

0 (0)
Article Rating (No Votes)
Rate this article
Attached Files
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Name
Email
Security Code Security Code
Related Articles RSS Feed
Technical Note: Error ’Unable to establish the VPN connection. The VPN server may be unreachable. (-5)’ on FortiClient with SSL VPN
Viewed 43819 times since Mon, Aug 7, 2017
FortiGate MAC host check on SSL VPN
Viewed 7483 times since Fri, Aug 31, 2018
Fortigate Phase 2 Keep Alive
Viewed 3185 times since Thu, Jul 26, 2018
Technical Note: DNS resolution not working when DNS Server configured to ’Same as Interface IP’
Viewed 9551 times since Wed, Aug 9, 2017
Fortigate SSL/TLS Handshake fails
Viewed 7729 times since Wed, Dec 6, 2017
Fortigate Hairpin NAT
Viewed 13481 times since Fri, Aug 4, 2017
How to configure DNS based FortiGuard web filtering with FortiOS v5.4
Viewed 6638 times since Wed, Aug 2, 2017
Fortigate DC Replication RPC port 135 Session-Helper
Viewed 6344 times since Wed, Dec 6, 2017
Technical Note: Custom NTP server configuration
Viewed 4296 times since Fri, Aug 11, 2017
Internet Central Limited, Innovation Centre 2, Keele Science Park, Keele, Staffordshire ST5 5NH
Registered Office: Ivy House Foundry, Hanley, Stoke-on-Trent, ST1 3NR
Registered in England: Reg No. 03079542 VAT Reg No. GB 278 923 705
Contact Us |Terms & Conditions |Legal, Privacy and Cookies
All prices exclude VAT E.&O.E © 2015 Internet Central

All trademarks and logos appearing on the site are the property of their respective owners