In this recipe, you will prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you are using your FortiGate’s default certificate, a self-signed certificate, or a CA-signed certificate. This recipe explains how you can prevent certificate warnings when you are using your FortiGate’s default certificate.
When full SSL inspection is used, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.
For more information about SSL inspection, see Why you should use SSL inspection.
Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.
Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6
Using the default certificateAll FortiGates have a default certificate that is used for full SSL inspection. This certificate is also used in the default deep-inspection profile. To prevent users from seeing certificate warnings, you can install this certificate on users’ devices. |
|
1. Generating a unique certificateRun the following CLI command to generate an SSL certificate that is unique to your FortiGate: exec vpn certificate local generate default-ssl-ca
|
|
2. Downloading the certificate used for full SSL inspection |
|
|
Go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top right corner to select deep-inspection, which is the profile used to apply full SSL inspection. |
 |
| The default FortiGate certificate is listed as the CA Certificate. Select Download Certificate. |  |
3. Importing the certificate into web browsers |
|
|
Once you have your FortiGate’s default certificate, you need to import the certificate into users’ browsers. The method you use for importing the certificate varies depending on the type of browser. |
|
Internet Explorer, Chrome, and Safari (Windows and macOS):Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS. |
|
|
If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard. Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate. |
 |
|
If you are using macOS, double-click the certificate file to launch Keychain Access. Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change. |
 |
Firefox (Windows and macOS)Firefox has its own certificate store. To avoid errors in Firefox, you must install the certificate in this store, instead of the OS. If users are using Firefox, instead of being pushed to all of their devices, the certificate must be installed on each device. |
|
|
In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab. Select View Certificates, select the Authorities list. Import the certificate and set it to be trusted for website identification. |
 |
4. Results |
|
|
Before you installed the certificate, an error message would appear in users’ browsers when they accessed a site that used HTTPS (this example shows an error message in Firefox). After you install the certificate, users should not experience a certificate security issue when they browse to sites on which the FortiGate unit performs SSL content inspection. |
 |
|
Users can view information about the connection and the certificate that is used. If users view information about the connection, they will see that it is verified by Fortinet. |
 |
| If users view the certificate in the browser, they will see the certificate that is used and information about that certificate. |  |
For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.
The post Preventing certificate warnings (default certificate) appeared first on Fortinet Cookbook.