Using a self-signed certificate
In this method, you create a self-signed certificate using OpenSSL. You then install this certificate on the FortiGate for use with SSL inspection. In this recipe, OpenSSL for Windows version 1.1.0f is used.
1. Creating a certificate with OpenSSL
If necessary, download and install OpenSSL. Make sure that the openssl.cnf file is located in the BIN folder for OpenSSL.
Using Command Prompt (CMD), navigate to the BIN folder (in this example, the command is cd c:\OpenSSL-Win64\bin).
Generate an RSA key with the following command:
openssl genrsa -aes256 -out fgcaprivkey.pem 2048
This generates a 2048-bit RSA private key and encrypts it with AES-256.
When prompted, enter a passphrase for encrypting the private key.
Use the following command to launch OpenSSL, submit a new certificate request, and sign the request:
openssl req -new -x509 -days 3650 -extensions v3_ca -key fgcaprivkey.pem -out fgcacert.pem -config openssl.cnf
The result is a standard PEM-encoded X.509 certificate that is valid for 3650 days (approximately 10 years).
When prompted, enter the passphrase of the private key, then enter the details required for the certificate request, such as location and organization name.
You now have two files: a public certificate (fgcacert.pem) and a private key (fgcaprivkey.pem).
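The same two OpenSSL commands run non-interactively, as an added example that is not part of the Fortinet recipe: a minimal openssl.cnf spells out what the v3_ca extension set supplies, and a check confirms the certificate is a CA that may sign certificates and carries the 10-year validity before you import it. It assumes an openssl binary on PATH and a POSIX shell rather than CMD; the file names are the recipe's, the passphrase and subject values are constructed.

```shell
# Added example, not part of the recipe. Assumes an openssl binary on PATH and
# a POSIX shell; file names match the recipe, passphrase and DN are constructed.
set -eu

# Minimal openssl.cnf: [req] names the DN section; [v3_ca] is the extension
# set the recipe selects with -extensions v3_ca. CA:TRUE plus keyCertSign is
# what lets the FortiGate use this certificate to sign for inspected sites.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no

[req_dn]
CN = Example SSL Inspection CA
O = Example Org

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR PASSPHRASE: the recipe's two commands, with the passphrase
# supplied on the command line instead of at the prompt.
make_ca() {
  dir=$1; pass=$2
  write_cnf "$dir/openssl.cnf"
  openssl genrsa -aes256 -passout "pass:$pass" \
    -out "$dir/fgcaprivkey.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -extensions v3_ca \
    -key "$dir/fgcaprivkey.pem" -passin "pass:$pass" \
    -out "$dir/fgcacert.pem" -config "$dir/openssl.cnf" 2>/dev/null
}

# check_ca CERT: succeed only if the certificate is a CA, may sign
# certificates, and is still valid 3649 days (315273600 s) from now.
check_ca() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'CA:TRUE' || return 1
  echo "$text" | grep -q 'Certificate Sign' || return 1
  openssl x509 -in "$1" -noout -checkend 315273600 >/dev/null || return 1
}

# Usage: build the CA in a scratch directory and check it before importing it.
work=$(mktemp -d)
make_ca "$work" "constructed-passphrase"
check_ca "$work/fgcacert.pem" && echo "$work/fgcacert.pem is a usable CA"
```

Run check_ca against any fgcacert.pem you already have; a certificate that fails it will not work as the CA Certificate in the next steps.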
2. Importing the self-signed certificate
Go to System > Certificates and select Import > Local Certificate.
Set Type to Certificate, then select your Certificate file and Key file. Enter the Password used to create the certificate.
The certificate now appears in the Local CA Certificates list.
3. Editing the SSL inspection profile
To use your certificate in an SSL inspection profile, go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top right corner to select deep-inspection, which is the profile used to apply full SSL inspection.
Set CA Certificate to use the new certificate.
Select Download Certificate to download the certificate file needed in the next step.
4. Importing the certificate into web browsers
Once you have your self-signed certificate, you need to import the certificate into users’ browsers.
The method you use for importing the certificate varies depending on the type of browser.
Internet Explorer, Chrome, and Safari (Windows and macOS):
Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.
If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.
Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.
If you are using macOS, double-click the certificate file to launch Keychain Access.
Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.
Firefox (Windows and macOS)
Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store instead of the OS store.
Because Firefox does not use the OS store, the certificate cannot be pushed to all of a user's devices through the OS; it must be installed in Firefox on each device.
In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab.
Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.
5. Results
Before you installed the certificate, an error message would appear in users’ browsers when they accessed a site that used HTTPS (this example shows an error message in Firefox).
After you install the certificate, users should not experience a certificate security issue when they browse to sites on which the FortiGate unit performs SSL content inspection.
Users can view information about the connection and the certificate that is used.
If users view information about the connection, they will see that it is verified by Fortinet.
If users view the certificate in the browser, they will see the certificate that is used and information about that certificate.