In this recipe, you prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you’re using a self-signed certificate, your FortiGate device’s default certificate, or a CA-signed certificate. This recipe explains how you can prevent certificate warnings when you use a self-signed certificate.
With full SSL inspection, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.
For more information about SSL inspection, see Why you should use SSL inspection.
Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.
Using a self-signed certificate
In this method, you create a self-signed certificate using OpenSSL. You then install this certificate on the FortiGate to use for SSL inspection. In this recipe, we use OpenSSL for Windows version 1.0.2j.
1. Creating a certificate with OpenSSL
If necessary, download and install OpenSSL. Make sure that the openssl.cnf file is located in the BIN folder for OpenSSL.
Using a command prompt (CMD), navigate to the BIN folder (in this example, the command is cd c:\OpenSSL\bin).
Generate an RSA key with the following command:
openssl genrsa -aes256 -out fgcaprivkey.pem 2048 -config openssl.cnf
This command generates a 2048-bit RSA private key and encrypts the key file with AES-256.
When prompted, enter a passphrase for encrypting the private key.
Use the following command to launch OpenSSL, submit a new certificate request, and sign the request:
openssl req -new -x509 -days 3650 -extensions v3_ca -key fgcaprivkey.pem -out fgcacert.pem -config openssl.cnf
The result is a standard x509 binary certificate that’s valid for 3650 days (approximately 10 years).
When prompted, re-enter the passphrase for encryption, then enter the details required for the certificate request, such as location and organization name.
Two new files are created: a public certificate (fgcacert.pem) and a private key (fgcaprivkey.pem).
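Before importing the files in step 2, it is worth confirming that the certificate really is a CA certificate and that the key belongs to it. The following shell functions are an added example, not part of the original recipe. The passphrase, subject name, file layout and the inline openssl.cnf (including the v3_leaf section) are constructed for the demonstration, and -passout/-passin are used so that the commands run without prompts.

```shell
#!/bin/sh
# Added example: build a throwaway CA the way step 1 does, then check it
# before it is imported on the FortiGate and pushed to client trust stores.
# PASS is a constructed demo value; a passphrase passed as an argument is
# visible in the process list, so use the interactive prompt for a real key.
PASS='demo-passphrase-change-me'

# make_cert DIR SECTION: write DIR/key.pem and DIR/cert.pem, using the
# extensions from SECTION of a minimal inline config (constructed).
make_cert() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Inspection CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
EOF
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$1/key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -extensions "$2" -key "$1/key.pem" \
        -passin "pass:$PASS" -out "$1/cert.pem" -config "$1/openssl.cnf" 2>/dev/null
}

# is_ca CERT: succeeds only if the certificate asserts basicConstraints CA:TRUE.
# The inspection certificate signs the re-created server certificates, so a
# certificate without CA:TRUE will not be accepted as their issuer.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# key_matches KEY CERT: succeeds if private key and certificate share a modulus.
key_matches() {
    k=$(openssl rsa -in "$1" -passin "pass:$PASS" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# fingerprint CERT: SHA-256 fingerprint, to compare against the copy that
# ends up in each OS or Firefox trust store in step 5.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
```

Run is_ca and key_matches against fgcacert.pem and fgcaprivkey.pem, and record the fingerprint output so the certificate installed on clients can be checked against it.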
2. Importing the self-signed certificate
Go to System > Certificates and select Import > Local Certificate.
Set Type to Certificate, then select your Certificate file and Key file. Enter the Password that you set when you created the certificate.
The certificate now appears in the Local CA Certificates list.
3. Editing the SSL inspection profile
To use your certificate in an SSL inspection profile, go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top right corner to select deep-inspection, which is the profile that the FortiGate uses to apply full SSL inspection.
The deep-inspection profile is read-only. In order to use the self-signed certificate for SSL inspection, you must clone the deep-inspection profile and configure the new profile to use your certificate. To clone an existing profile, select the Clone icon (one page behind another) and enter a new name when prompted. In this example, the name of the profile is custom-deep-inspection.
Set CA Certificate to use the new certificate.
Select Download Certificate to download the certificate file that you will import in step 5.
4. Applying SSL inspection to a policy
Before you import the certificate, verify that SSL inspection is applied to your policy that controls traffic to the Internet. You must also apply at least one other security profile to that policy in order to implement SSL inspection.
5. Importing the certificate into web browsers
Once you have your self-signed certificate, you need to import the certificate into users’ browsers.
The method you use for importing the certificate varies depending on the type of browser.
Internet Explorer, Chrome, and Safari (Windows and macOS):
Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users are using these browsers, you must install the certificate into the certificate store for the OS.
If you’re using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.
Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.
If you’re using macOS, double-click the certificate file to launch Keychain Access.
Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.
Firefox (Windows and macOS)
Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store, instead of the OS.
If users are using Firefox, the certificate must be installed on each device individually instead of being pushed to all of their devices.
In Firefox, go to Options > Privacy & Security (Windows) or Preferences > Privacy & Security (macOS).
Scroll down to the Certificates section. Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.
6. Results
Before you install the certificate, an error message appears in users’ browsers when they access a site that uses HTTPS (this example shows an error message in Firefox).
After you install the certificate, users shouldn’t experience a certificate security issue when they browse to sites that the FortiGate performs SSL content inspection on.
Users can view information about the connection and the certificate that’s used.
When users view information about the connection, they’ll see that it’s verified by Fortinet.
When users view the certificate in the browser, they’ll see the certificate that’s used and information about that certificate.