FortiGate
alif
Staff
Article Id 190420
Description
This article explains what happens when an administrator opens the FortiGate web GUI over HTTPS from a browser and the FortiGate presents its default self-signed certificate: which checks the browser performs on that certificate, why it displays a security warning, and what accepting the warning means.

Solution
When an administrator connects to the FortiGate GUI over HTTPS, the FortiGate terminates the connection with TLS (the successor to SSL; the GUI and this article still refer to it as SSL), so the traffic between the browser and the FortiGate is encrypted regardless of which browser or client application is used. Before the login page can be shown, the FortiGate presents a server certificate as part of the TLS handshake; by default this is the FortiGate's built-in self-signed certificate. Because no browser trusts the issuer of a self-signed certificate, every browser will show a security warning until that certificate, or the CA that signed it, is trusted by the client.


The example shows an HTTPS request made via Google Chrome (similar messages are displayed when using other browsers).


The certificate is the self-signed certificate of the FortiGate (default).
The HTTPS request is made with: https://10.191.19.13 (IP address will vary as per network environment).

Select the 'Not Secure' indicator highlighted in the screenshot above to view the certificate details.





The issuer of the certificate is FortiGate.
The certificate is issued to FortiGate: issuer and subject are the same entity, which is what makes the certificate self-signed.
The details also show the validity period (not valid before / not valid after) of the certificate.

The web browser performs the following checks before displaying the messages above:
- The browser checks whether the certificate chains to a trusted CA: it reads the 'issuer' field and looks for that CA's certificate in its local trust store (its own or the operating system's). For a self-signed certificate the issuer is the FortiGate itself, which is in no trust store, so this check fails.
- The browser checks whether the name in the certificate matches the host in the URL. Current browsers require the name to appear in the Subject Alternative Name (SAN) extension rather than only in the 'subject' CN; when the FortiGate is opened by IP address, as in https://10.191.19.13, the certificate must carry that IP as a SAN entry for the check to pass.
- The validity period of the certificate is checked against the client's clock.
- If CRL/OCSP checking is enabled in the browser, it checks whether the certificate has been revoked. A self-signed certificate carries no CRL distribution point or OCSP responder, so there is nothing to query.

The browser has already run these checks before the security exception is displayed; the message is a request to continue despite a failed check. By clicking Proceed to 10.191.19.13 (unsafe), the user tells the browser to accept this particular certificate for this host even though it could not be validated. From that point on the browser can no longer distinguish the genuine FortiGate from a device on the path presenting its own self-signed certificate, which is why the exception should only be accepted on a network the administrator controls.




To avoid these messages, ensure that the certificate of the CA that signed the FortiGate's server certificate (or, for the default self-signed certificate, that certificate itself) is installed in the browser's or operating system's trust store.
Likewise, always access the FortiGate by an FQDN (or IP address) that is present in the certificate's Subject Alternative Name.

If the security exception is confirmed, the FortiGate login page is displayed and all data sent to the FortiGate is encrypted over the HTTPS connection: the key pair behind the self-signed certificate is still used to set up the session, and only the browser's validation of that certificate has been skipped.
Once Proceed to 10.191.19.13 (unsafe) has been clicked, the browser remembers the exception for that address and does not show the prompt again (how long the exception is kept depends on the browser).

If the browser declines the certificate, the TLS handshake is not completed and the FortiGate login page is never reached.
Once the credentials are entered, the client can view the FortiGate dashboard. The session is encrypted because it runs over HTTPS; note that encryption alone does not prove the identity of the device at the other end, which is why a certificate from a trusted CA and a matching name are recommended for administrative access.


Related Articles

Technical Tip: How to assign a SSL certificate for remote administration of FortiGate
