FortiCache
fropert_FTNT
Staff
Article Id 198478
Description
The FortiCache product supports SSL inspection. For security reasons, the CA certificate (and its private key) used for SSL inspection should be unique to each FortiCache deployment: if several units share the same default CA, anyone holding that CA's key can issue certificates that clients trusting the CA will accept. The problem of a shared default SSL inspection CA is tracked by the MITRE Corporation as CVE-2012-4948.

Solution
Starting with FortiCache 3.0.4, a CLI command to regenerate the default SSL inspection CA certificate has been introduced. The following command must be executed on each deployment to guarantee the uniqueness of the Fortinet_CA_SSLProxy CA certificate (note that any client that already trusts the old Fortinet_CA_SSLProxy will need the new certificate after regeneration):

FortiCache # exec vpn certificate local generate default-ssl-ca

Once completed, the regeneration can be verified with the following commands. Compare the Fingerprint and Serial Num with the values recorded before running the command; both must have changed, and they must differ from those shown by every other FortiCache unit:

FortiCache # config vpn certificate local
FortiCache (local) # edit Fortinet_CA_SSLProxy
FortiCache (Fortinet_CA_SSLProxy) # get

name                : Fortinet_CA_SSLProxy
password            : *
private-key         : *
certificate         :
    Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
    Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
    Valid from:  2015-06-16 12:26:20  GMT
    Valid to:    2025-06-16 12:26:20  GMT
    Fingerprint: 32:AC:D7:E2:9E:66:A4:A6:BE:85:0C:20:D0:A9:1E:EB
    Root CA:     Yes
    Version:     3
    Serial Num:
        3c:53:66:6f:87:4e:8f:76
    Extensions:
        Name:     X509v3 Basic Constraints
        Critical: no
        Content:
        CA:TRUE

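The uniqueness requirement is easy to state but hard to eyeball across a fleet. The following script is an added example (it is not part of the original article and not Fortinet code): it parses the output of the `get` command shown above as collected from several FortiCache units, flags any units that still share the same Fortinet_CA_SSLProxy fingerprint, flags certificates outside their validity window, and confirms that a before/after pair of outputs really shows a regenerated certificate. The `get` outputs embedded below are constructed samples in the format FortiCache prints; the fingerprints, serial numbers and unit names are made up for the example.

```python
"""Fleet audit of the FortiCache default SSL-inspection CA (Fortinet_CA_SSLProxy).

Added example, not from the original article. Input is the text printed by:
    config vpn certificate local
      edit Fortinet_CA_SSLProxy
        get
on each unit. All sample outputs below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Fields of interest in the `get` output; "Serial Num" has its value on the next line.
FIELD_RE = re.compile(r"^\s*(Fingerprint|Serial Num|Valid from|Valid to|Subject|Issuer):\s*(.*)$")
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_get_output(text):
    """Return the certificate fields we audit from one unit's `get` output."""
    fields = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Serial Num" and not value and i + 1 < len(lines):
            value = lines[i + 1].strip()  # serial is printed indented on the following line
        fields[key] = value
    return fields


def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS  GMT' as printed in the Valid from/to lines."""
    m = TS_RE.search(value)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def regenerated(before_text, after_text):
    """True if the CA fingerprint changed between two `get` outputs of one unit."""
    fp_before = parse_get_output(before_text).get("Fingerprint", "").upper()
    fp_after = parse_get_output(after_text).get("Fingerprint", "").upper()
    return bool(fp_before and fp_after) and fp_before != fp_after


def audit(outputs, now=None):
    """outputs: {unit_name: get_output_text}. Returns a list of (severity, message)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    units_by_fp = defaultdict(list)
    for unit, text in outputs.items():
        f = parse_get_output(text)
        fp = f.get("Fingerprint", "").upper()
        if not fp:
            findings.append(("error", f"{unit}: no Fingerprint field in output"))
            continue
        units_by_fp[fp].append(unit)
        if "Valid from" in f and "Valid to" in f:
            not_before, not_after = parse_ts(f["Valid from"]), parse_ts(f["Valid to"])
            if not (not_before <= now <= not_after):
                findings.append(("error", f"{unit}: CA outside validity window "
                                          f"({not_before:%Y-%m-%d} to {not_after:%Y-%m-%d})"))
    # The CVE-2012-4948 condition: the same CA on more than one deployment.
    for fp, units in units_by_fp.items():
        if len(units) > 1:
            findings.append(("critical", f"shared CA fingerprint {fp} on {', '.join(sorted(units))}; "
                                         "run 'exec vpn certificate local generate default-ssl-ca' "
                                         "on all but one of them"))
    return findings


def sample_get_output(fingerprint, serial, valid_from, valid_to):
    """Constructed `get` output mimicking the FortiCache CLI format (sample data only)."""
    return f"""name                : Fortinet_CA_SSLProxy
password            : *
private-key         : *
certificate         :
    Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
    Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
    Valid from:  {valid_from}  GMT
    Valid to:    {valid_to}  GMT
    Fingerprint: {fingerprint}
    Root CA:     Yes
    Version:     3
    Serial Num:
        {serial}
    Extensions:
        Name:     X509v3 Basic Constraints
        Critical: no
        Content:
        CA:TRUE
"""


SHARED_FP = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"  # constructed value
SAMPLES = {  # constructed: cache-a and cache-b never ran the regenerate command
    "cache-a": sample_get_output(SHARED_FP, "01:02:03:04:05:06:07:08", "2015-06-16 12:26:20", "2025-06-16 12:26:20"),
    "cache-b": sample_get_output(SHARED_FP, "01:02:03:04:05:06:07:08", "2015-06-16 12:26:20", "2025-06-16 12:26:20"),
    "cache-c": sample_get_output("10:20:30:40:50:60:70:80:90:A0:B0:C0:D0:E0:F0:00", "0a:0b:0c:0d:0e:0f:10:11", "2015-06-16 12:26:20", "2025-06-16 12:26:20"),
    "cache-d": sample_get_output("de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb", "7f:7e:7d:7c:7b:7a:79:78", "2006-06-16 12:26:20", "2016-06-16 12:26:20"),
}
AUDIT_TIME = datetime(2020, 1, 1, tzinfo=timezone.utc)  # fixed clock so the sample audit is reproducible

if __name__ == "__main__":
    for severity, message in audit(SAMPLES, now=AUDIT_TIME):
        print(f"[{severity}] {message}")
```

Feed it the real `get` output of each unit (for example collected over SSH) instead of `SAMPLES`; the fingerprint in the article's output above is only the example the article happens to show and must not be used as a "known good" value.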

Another solution is to import the customer's own CA certificate into FortiCache and use it for SSL inspection. The configuration steps to import a CA certificate are available in the FortiCache administration guide in the Fortinet Document Library:

FortiCache 3.0 Administration Guide

The selection of the appropriate CA certificate can be performed via the GUI or using the following CLI commands. Multiple CA certificates can be configured, one per deep inspection profile; the value given to set caname is the name of the imported local certificate (shown here as a placeholder):

config firewall deep-inspection-options
  edit "web"
    set caname <name-of-imported-CA-certificate>
  next
end


For SSL inspection to work without certificate warnings, the Fortinet_CA_SSLProxy certificate must be installed in client browsers (or the operating system trust store) as a trusted certificate authority. It can be exported to a remote TFTP server using the following CLI command, where 192.168.1.1 is the address of the TFTP server in this example. Only the public certificate is exported; the private key stays on the unit and should never be distributed to clients:

exec vpn certificate local export tftp Fortinet_CA_SSLProxy Fortinet_CA_SSLProxy.cer 192.168.1.1

It is also exportable from the local certificates GUI menu:

[Figure: exporting Fortinet_CA_SSLProxy from the local certificates GUI menu]

The FortiCache CA certificate used for SSL inspection can then be imported into any browser from the Fortinet_CA_SSLProxy.cer file. Import instructions are available in the browser's help documentation.
