lfrancelj
Staff
Article Id 191547
Description

This article describes how to issue SSL certificates from a Microsoft Certification Authority for use with deep packet inspection (DPI) and the NTLM authentication portal on FortiGate.

Related links:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/122078/deep-inspection
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/680736/microsoft-ca-deep-packet-inspecti...


Solution
1) Go to 'System -> Certificates' and select '+Generate', which opens the 'Generate Certificate Signing Request' form.
2) Create two CSRs: one will be used to issue a 'Subordinate Certification Authority' certificate and the other a 'Web Server' certificate.
See the examples below:

CSR for the SubCA certificate (make sure to specify the FortiGate IP address in the 'IP' field in normal format and the SAN as 'IP:10.10.10.1'):
Note: If 'Domain Name' is used instead, specify the same FQDN in 'Subject Alternative Name' in the format 'DNS:FQDN', for example 'DNS:fortigate.domain.local'.
CSR for the web server certificate (make sure to specify the FortiGate IP address in the 'IP' field in normal format and the SAN as 'IP:10.10.10.1'):
Note: If 'Domain Name' is used instead, specify the same FQDN in 'Subject Alternative Name' in the format 'DNS:FQDN', for example 'DNS:fortigate.domain.local'.


3) After creating the CSRs, they will be visible in the 'Certificates' view. Select one of the CSRs created in the previous step and select 'Download'. Repeat this for the second CSR.
4) Go to the 'Microsoft Enterprise Certification Authority' server at 'http://X.X.X.X/certsrv/' or 'https://X.X.X.X/certsrv/' (replace X.X.X.X with the IP or FQDN of the MS ECA server) and sign in with an administrative account.
5) Select 'Request a Certificate' and then 'advanced certificate request'.
6) Open the CSR file 'SubCAwithIPandSAN' with Notepad, select all text and paste it into the 'Saved Request:' field on the MS ECA page from the previous step.
The copied text must include the header and footer lines, for example:
-----BEGIN CERTIFICATE REQUEST-----
MIICdzCCAV8CAQAwFDESMBAGA1UEAwwJZm9ydGkubGFiMIIBIjANBgkqhkiG9w0B
….
pQknnzlX6BRwa1JUpRK956d9KwQ6soUPDgsbCMlGDb024QckXpvExLH96ALGR06k
WKgZksoKXxRR+r5pfx430XOaJKsFjhrQWCH1f5+uw3HhmtblV/j7a3A0QwvXpo/I
x0jY/02kZcabsH0=
-----END CERTIFICATE REQUEST-----
7) In the 'Certificate Template:' field select 'Subordinate Certification Authority' and select 'Submit'.
8) Select 'Base64 encoded' and select 'Download certificate'.
9) Repeat the same for the 'WebWithIPandSAN' CSR as described in step 6), this time selecting 'Web Server' in the 'Certificate Template:' field, and select 'Submit'.
10) Select 'Base64 encoded' and select 'Download certificate'.
11) Now that both certificates are issued, import them into FortiGate under 'System -> Certificates'. Select 'Import' and then 'Local Certificate'.
12) Make sure 'Local Certificate' is selected and select 'Upload'. Browse to the folder where the certificates were downloaded, select the certificate, then select 'Open' and 'OK' to upload it to FortiGate.
13) To confirm that both certificates have been imported and installed successfully, output similar to the following should be visible:
14) Configure FortiGate to use the newly created certificates.

User authentication settings (the web server certificate is presented by the authentication portal, the SubCA certificate is its issuing CA):
# config user setting
    set auth-cert "WebWithIPandSAN"
    set auth-ca-cert "SubCAwithIPandSAN"
end
Deep inspection settings (replace <SOME DEEP INSPECTION PROFILE> with the name of the SSL/SSH inspection profile in use):
# config firewall ssl-ssh-profile
    edit <SOME DEEP INSPECTION PROFILE>
        set caname "SubCAwithIPandSAN"
    next
end
Troubleshooting:

If it is not possible to select the certificate 'SubCAwithIPandSAN' when configuring 'set auth-ca-cert', make sure that this certificate was issued using the 'Subordinate Certification Authority' certificate template (a certificate issued from the 'Web Server' template is not a CA certificate and cannot be used here).
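The two CSR notes above (the SAN must repeat the IP or FQDN used as the subject) and the troubleshooting item (the CA certificate must come from the 'Subordinate Certification Authority' template) can both be checked with openssl before anything is imported into FortiGate. The shell script below is an added example and is not part of the Fortinet article: it creates the two CSRs with the article's SAN syntax, issues them from a throw-away local CA that stands in for the Microsoft CA (only so that the checks have something to run against), and verifies the SAN entries, the CN-in-SAN rule and the CA flag. It assumes openssl 1.1.1 or newer on PATH; the certificate names SubCAwithIPandSAN and WebWithIPandSAN and the values 10.10.10.1 and fortigate.domain.local are the article's placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Fortinet article. Builds the article's two CSRs,
# issues them from a throw-away local CA (stand-in for the Microsoft CA) and
# checks the results. Assumes openssl 1.1.1+; 10.10.10.1 and
# fortigate.domain.local are the article's placeholder values.
WORK="${WORK:-$(mktemp -d)}"

# make_csr NAME CN SAN: writes $WORK/NAME.key and $WORK/NAME.csr. SAN uses the
# article's syntax, e.g. "IP:10.10.10.1,DNS:fortigate.domain.local".
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" -addext "subjectAltName=$3" \
        >/dev/null 2>&1
}

# san_in_csr CSR ENTRY: true when the CSR carries ENTRY (article syntax).
# openssl's text dump prints an IP entry as "IP Address:...", so translate.
san_in_csr() {
    needle=$(printf '%s' "$2" | sed 's/^IP:/IP Address:/')
    openssl req -in "$1" -noout -text | grep -q -F "$needle"
}

# cn_in_san CSR: the subject CN must also appear as a SAN entry; clients ignore
# the CN once a SAN is present, which is why the article insists on repeating it.
cn_in_san() {
    cn=$(openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p')
    openssl req -in "$1" -noout -text \
        | grep -E -q "(DNS|IP Address):${cn}(,|"'$)'
}

# make_test_root: self-signed root standing in for the Microsoft CA. Signed
# with 'x509 -req' so the extensions come only from the extfile.
make_test_root() {
    make_csr root "Test Root" "DNS:test-root.invalid" &&
    printf '%s\n' "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,keyCertSign,cRLSign" >"$WORK/root.ext" &&
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
        -extfile "$WORK/root.ext" -out "$WORK/root.crt" >/dev/null 2>&1
}

# issue NAME TEMPLATE: TEMPLATE is "subca" or "webserver", mirroring the two
# Microsoft CA templates the article selects. 'openssl x509 -req' does not
# copy the SAN from the CSR, so it is read back and put into the extfile.
issue() {
    san=$(openssl req -in "$WORK/$1.csr" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;s/IP Address:/IP:/g;p;}')
    if [ "$2" = subca ]; then
        printf '%s\n' "basicConstraints=critical,CA:TRUE,pathlen:0" \
            "keyUsage=critical,keyCertSign,cRLSign,digitalSignature" \
            "subjectAltName=$san" >"$WORK/$1.ext"
    else
        printf '%s\n' "basicConstraints=CA:FALSE" \
            "keyUsage=critical,digitalSignature,keyEncipherment" \
            "extendedKeyUsage=serverAuth" "subjectAltName=$san" >"$WORK/$1.ext"
    fi
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# cert_is_ca CERT: true when basicConstraints says CA:TRUE. That is what the
# 'Subordinate Certification Authority' template produces and what FortiGate
# needs for 'set auth-ca-cert' and 'set caname'; a 'Web Server' cert fails it.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_chains_to CERT ROOT: the issued certificate verifies against the CA.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# demo: the article's two CSRs, issued and checked end to end.
demo() {
    make_csr SubCAwithIPandSAN 10.10.10.1 "IP:10.10.10.1,DNS:fortigate.domain.local"
    make_csr WebWithIPandSAN 10.10.10.1 "IP:10.10.10.1,DNS:fortigate.domain.local"
    make_test_root
    issue SubCAwithIPandSAN subca
    issue WebWithIPandSAN webserver
    for n in SubCAwithIPandSAN WebWithIPandSAN; do
        cn_in_san "$WORK/$n.csr" && echo "$n: CN is present in the SAN"
        cert_chains_to "$WORK/$n.crt" "$WORK/root.crt" && echo "$n: chains to the CA"
        if cert_is_ca "$WORK/$n.crt"; then echo "$n: CA certificate (auth-ca-cert/caname)"
        else echo "$n: end-entity certificate (auth-cert)"; fi
    done
}

demo
```

For the real certificates downloaded from the Microsoft CA in Base64 form, `cert_is_ca` on the file is the quick test for the troubleshooting item above: if it reports CA:FALSE, the request was submitted with the 'Web Server' template rather than 'Subordinate Certification Authority'. `san_in_csr` and `cn_in_san` can be run against the CSR downloaded from FortiGate before it is submitted, which is where a mismatch between the subject and the SAN is cheapest to catch.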

Related Articles

Technical Note : FortiOS How to avoid 'invalid certificate' messages when using NTLM authentication

Troubleshooting Tip: Fixing the error 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert.'
