FortiGate
fropert_FTNT
Article Id 192405
Description
FortiGate products support SSL inspection.  For security reasons the CA certificate used to sign the server certificates that SSL inspection generates should be unique per FortiGate deployment: if the same CA (and therefore the same private key) is present on many units, anyone who extracts that key from one unit can forge server certificates that every client trusting the CA will accept.  This issue was documented by the MITRE Corporation as CVE-2012-4948.

Solution
Starting with FortiOS 5.2.0, a CLI command to regenerate the default SSL inspection CA certificate (Fortinet_CA_SSLProxy) is available.  Run the following command to replace the factory certificate with one generated on this unit, which guarantees that the Fortinet_CA_SSLProxy CA certificate is unique.  Because the regenerated CA has a new key pair and serial number, any client that was given the previous Fortinet_CA_SSLProxy certificate must be given the new one, and the old certificate should be removed from client trust stores:

FortiGate # exec vpn certificate local generate default-ssl-ca

Once completed, the following commands show that the default CA certificate has been regenerated.  The validity dates, serial number and fingerprint are specific to the unit (the values below come from the unit used for this article) and are what distinguish a regenerated CA from the shared factory one; the subject does not change:

FortiGate # config vpn certificate local
FortiGate (local) # edit Fortinet_CA_SSLProxy
FortiGate (Fortinet_CA_SSLProxy) # get

name                : Fortinet_CA_SSLProxy
password            : *
comments            : This is the default CA certificate the SSL Inspection will use when generating new server certificates.
private-key         :
certificate         :
    Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
    Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
    Valid from:  2015-03-24 10:18:33  GMT
    Valid to:    2025-03-24 10:18:33  GMT
    Fingerprint: 24:4B:2E:A4:DA:3C:5B:D8:85:56:38:BA:29:BC:D2:94
    Root CA:     Yes
    Version:     3
    Serial Num:
        6a:e1:0c:59:34:a7:c2:8f
    Extensions:
        Name:     X509v3 Basic Constraints
        Critical: no
        Content:
        CA:TRUE


Another solution is to import the customer's own CA certificate, together with its private key (needed to sign the generated server certificates), into FortiOS and use it for SSL inspection.  The steps to import a CA certificate are described in the User Authentication section of the FortiOS Handbook documents in the Fortinet Document Library:

FortiOS Handbook User Authentication for FortiOS 4.0 MR3
FortiOS Handbook User Authentication for FortiOS 5.0
FortiOS Handbook Authentication for FortiOS 5.2

The appropriate CA certificate can then be selected in the GUI or with the following CLI commands, where <ca_certificate_name> stands for the name of the imported local certificate:

FortiOS 5.2 - multiple CA certificates can be configured, one per SSL/SSH inspection profile:

config firewall ssl-ssh-profile
  edit "web"
    set caname <ca_certificate_name>
  next
end


FortiOS 5.0 - multiple CA certificates can be configured, one per proxy options profile:

config firewall deep-inspection-options
  edit "web"
    set caname <ca_certificate_name>
  next
end


FortiOS 4.3 - one CA certificate is used for all inspected traffic:

config firewall ssl setting
  set caname <ca_certificate_name>
end


The Fortinet_CA_SSLProxy certificate can be distributed to browsers so that the server certificates the FortiGate generates during inspection are trusted.  The exported .cer file contains only the public certificate; the private key stays on the unit and must never be distributed.  The certificate can be exported to a remote TFTP server (192.168.1.1 in the example) with the following CLI command:

exec vpn certificate local export tftp Fortinet_CA_SSLProxy Fortinet_CA_SSLProxy.cer 192.168.1.1

It can also be exported from the local certificates GUI menu:

[Screenshot: local certificates GUI menu showing the export option for Fortinet_CA_SSLProxy]

The FortiGate CA certificate used for SSL inspection can be imported into any browser from the Fortinet_CA_SSLProxy.cer file; the import procedure is described in the browser's help documentation.  Install it in the trusted root certification authorities store only on the clients whose traffic this FortiGate inspects.
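As an added example (not part of this article and not Fortinet code), the following Go program audits a fleet for the very condition CVE-2012-4948 describes: it takes the Fortinet_CA_SSLProxy.cer file exported from each FortiGate, computes the SHA-256 fingerprint of each certificate's DER encoding (the same value `openssl x509 -fingerprint -sha256` prints), and reports any CA that more than one unit presents.  The device names and the self-signed sample CAs are constructed for the demonstration; they mimic the default subject shown above so that the check has to rely on the fingerprint and serial number rather than on the subject.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// Fingerprint returns the SHA-256 fingerprint of a certificate's DER encoding in
// the colon-separated upper-case form printed by `openssl x509 -fingerprint -sha256`.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// ParseExport accepts the contents of an exported .cer file in PEM or DER form.
func ParseExport(data []byte) (*x509.Certificate, error) {
	if block, _ := pem.Decode(data); block != nil {
		data = block.Bytes
	}
	return x509.ParseCertificate(data)
}

// Finding describes one CA certificate that more than one device presents.
type Finding struct {
	Fingerprint string
	Serial      string   // hex serial number, as shown by `get` on the FortiGate
	Devices     []string // sorted names of the devices sharing this CA
}

// FindSharedCAs takes device name -> exported certificate bytes and returns one
// Finding per certificate used by two or more devices. Units compare by the
// fingerprint of the DER bytes: a regenerated CA keeps the default subject, so
// the subject alone cannot tell a shared factory CA from a unique one.
func FindSharedCAs(exports map[string][]byte) ([]Finding, error) {
	byFP := map[string][]string{}
	serial := map[string]string{}
	for dev, data := range exports {
		cert, err := ParseExport(data)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", dev, err)
		}
		if !cert.IsCA {
			return nil, fmt.Errorf("%s: exported certificate is not a CA", dev)
		}
		fp := Fingerprint(cert.Raw)
		byFP[fp] = append(byFP[fp], dev)
		serial[fp] = cert.SerialNumber.Text(16)
	}
	var out []Finding
	for fp, devs := range byFP {
		if len(devs) < 2 {
			continue
		}
		sort.Strings(devs)
		out = append(out, Finding{Fingerprint: fp, Serial: serial[fp], Devices: devs})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Fingerprint < out[j].Fingerprint })
	return out, nil
}

// NewSampleCA builds a constructed self-signed CA (PEM) whose subject mimics the
// default Fortinet_CA_SSLProxy subject; it stands in for a real export in tests.
func NewSampleCA() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: sn,
		Subject: pkix.Name{
			Country: []string{"US"}, Province: []string{"California"}, Locality: []string{"Sunnyvale"},
			Organization: []string{"Fortinet"}, OrganizationalUnit: []string{"Certificate Authority"},
			CommonName: "FortiGate CA",
		},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed fleet: fgt-a and fgt-b were never regenerated and still share one CA.
	shared, _ := NewSampleCA()
	unique, _ := NewSampleCA()
	findings, err := FindSharedCAs(map[string][]byte{"fgt-a": shared, "fgt-b": shared, "fgt-c": unique})
	if err != nil {
		fmt.Println("audit failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("CA serial %s (%s) is shared by: %s\n", f.Serial, f.Fingerprint, strings.Join(f.Devices, ", "))
	}
}
```

For a real audit, replace the constructed map with the contents of each unit's exported .cer file (for example read with os.ReadFile) keyed by hostname; a finding means those units still present the same CA and need the regeneration command above or an imported CA of their own.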
