FortiGate
Kenichi_Terashita_FT
Article Id 189765

Description
This article describes the certificate signing process when the FortiGate is configured for SSL inspection.
For additional details about SSL inspection, consult the "UTM Guide FortiOS™ Handbook".
The Japanese version of this article is provided as an attachment.

Introduction

When a client accesses an SSL server through a FortiGate that has a CP6 content processor and SSL inspection (deep scan) enabled, the FortiGate proxies the SSL connection: the client's SSL session terminates on the FortiGate, which opens its own SSL session to the server.

The FortiGate receives the Original Server Certificate from the server and re-signs it: it generates a new server certificate that copies the Subject and validity dates of the original, and signs that certificate with its CA certificate (the built-in Fortinet_CA or another CA certificate configured for SSL inspection). The Issuer of the Signed Server Certificate is therefore the FortiGate's CA, not the original CA. Finally the client receives the Signed Server Certificate from the FortiGate, so the client must trust the FortiGate's CA certificate for the session to be accepted without a certificate warning.

The diagram below illustrates this process.

[Diagram: kterashita_ssl_inspection.jpg]


The certificate examples below show the changes made by the FortiGate:

1- Original Server Certificate (example received from the SSL server https://support.oventechnologiesinc.com):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1208893255 (0x480e3f47)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Entrust, Inc., OU=AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE, OU=CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY, OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2008 Entrust, Inc., CN=Entrust Certification Authority - L1B
        Validity
            Not Before: Nov 26 20:51:26 2009 GMT
            Not After : Nov 23 21:17:27 2012 GMT
        Subject: C=CA, ST=Alberta , L=Edmonton, O=Oven Technologies Canada Inc., OU=Customer Support, CN=support.oventechnologiesinc.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE



2- Signed Server Certificate, re-signed by the FortiGate itself and sent to the client:


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4c:24:30:7e:00:00:00:00
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=FortiGate CA/emailAddress=support@fortinet.com
        Validity
            Not Before: Nov 26 20:51:26 2009 GMT
            Not After : Nov 23 21:17:27 2012 GMT
        Subject: C=CA, ST=Alberta , L=Edmonton, O=Oven Technologies Canada Inc., OU=Customer Support, CN=support.oventechnologiesinc.com

* The Issuer (and the Serial Number) were changed by the FortiGate; the Subject and Validity are copied unchanged from the Original Server Certificate.


And below is an example of the self-signed CA certificate (Issuer and Subject are the same) that the FortiGate presents when the built-in Fortinet_CA is used; this is the certificate the client must trust as a root CA:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support/emailAddress=support@fortinet.com
        Validity
            Not Before: Apr  9 01:25:49 2000 GMT
            Not After : May 24 01:25:49 2020 GMT
        Subject: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support/emailAddress=support@fortinet.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE




Verifying the Original Server Certificate


When the FortiGate receives the Original Server Certificate from the SSL server, it verifies:
- the expiry date: if the certificate has expired, it is considered invalid and the SSL session fails.
- whether the CN (Common Name) matches the site name (URL): a mismatch marks the certificate as invalid, but the SSL session does not fail.

To make the FortiGate ignore invalid certificates, enable the allow-invalid-server-cert option under:

config firewall profile-protocol-options
    edit <name_str>
        config https
            set options allow-invalid-server-cert
        end
    next
end

The same option exists under config imaps and config pop3s. Note that this disables a security check: with it enabled, the FortiGate accepts expired or mismatched server certificates, so enable it only where it is really needed.
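The following script is an added example, not Fortinet code or FortiOS output: it emulates with the openssl CLI both what the deep-scan re-signing described in the Introduction produces (a new certificate with the original Subject, issued by the FortiGate's CA, with a changed Issuer and Serial Number) and the checks listed above (expiry and name match), and it goes a little beyond the article by also copying the subjectAltName and by showing the client-side result with and without the FortiGate CA installed. It assumes openssl 1.1.1 or newer on PATH; the "Example Trust Services" CA, the file names and all keys are constructed for the demo, and the validity dates are set with a fixed -days rather than copied, since the plain openssl x509 command in common versions cannot set exact dates.

```shell
#!/bin/sh
# Added example (not Fortinet's code): emulate what the FortiGate does on SSL
# inspection, and the checks it makes on the original certificate, with the
# openssl CLI. Assumes openssl 1.1.1 or newer on PATH. All CA names, file
# names and keys are constructed for the demo; only the host name comes from
# the article's example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SITE="support.oventechnologiesinc.com"

# Self-signed CA. One stands in for the public CA that issued the original
# server certificate, the other for the FortiGate's own CA (Fortinet_CA).
make_ca() { # make_ca <name> <subject>
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# End-entity certificate issued by a CA, with a fresh key pair: the proxy
# never has the real server's private key, so it cannot reuse the server's key.
issue_cert() { # issue_cert <ca-name> <name> <subject> <subjectAltName>
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$4" > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Field readers. RFC2253 form is used for comparisons; the /C=../CN=.. form is
# what 'openssl req -subj' expects when the Subject is copied into a new CSR.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
subj_arg_of() {
    printf '/%s' "$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed '1d; s/^ *//' | paste -sd/ -)"
}
san_of() { openssl x509 -in "$1" -noout -ext subjectAltName | sed '1d; s/^ *//' | paste -sd, -; }

# The deep-scan step: a new certificate with the original's Subject and SAN,
# issued by the FortiGate CA. Issuer and serial change. (The FortiGate also
# copies the validity dates; a fixed -days is used here as a simplification.)
resign_cert() { # resign_cert <original.crt> <name>
    issue_cert fortigate_ca "$2" "$(subj_arg_of "$1")" "$(san_of "$1")"
}

# Checks from "Verifying the Original Server Certificate": expiry and name match.
expires_within() { # expires_within <crt> <seconds>: true if notAfter is that close
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
chain_and_host_ok() { # chain_and_host_ok <ca.crt> <crt> <hostname>
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo() {
    make_ca public_ca "/C=US/O=Example Trust Services/CN=Example Root CA"
    make_ca fortigate_ca \
        "/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA"
    issue_cert public_ca server \
        "/C=CA/ST=Alberta/L=Edmonton/O=Oven Technologies Canada Inc./OU=Customer Support/CN=$SITE" \
        "DNS:$SITE"

    # Server side: what the FortiGate verifies before re-signing.
    if expires_within "$WORK/server.crt" 0; then echo "original: expired, session fails"; fi
    chain_and_host_ok "$WORK/public_ca.crt" "$WORK/server.crt" "$SITE" \
        && echo "original: chain valid and name matches $SITE"

    # Client side: same Subject, different Issuer; validates only with the FortiGate CA.
    resign_cert "$WORK/server.crt" resigned
    echo "subject (both)   : $(subject_of "$WORK/resigned.crt")"
    echo "original issuer  : $(issuer_of "$WORK/server.crt")"
    echo "re-signed issuer : $(issuer_of "$WORK/resigned.crt")"
    chain_and_host_ok "$WORK/public_ca.crt" "$WORK/resigned.crt" "$SITE" \
        || echo "client without the FortiGate CA: certificate warning"
    chain_and_host_ok "$WORK/fortigate_ca.crt" "$WORK/resigned.crt" "$SITE" \
        && echo "client with the FortiGate CA installed: accepted"
}
demo
```

Run it as-is; it prints the original and re-signed Issuer side by side and shows that the re-signed certificate only verifies once the FortiGate CA is in the client's trust store, which is why the CA certificate must be imported on clients behind an inspecting FortiGate.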





Scope
FortiOS 4.0 and above

Related Articles

Technical Tip: How to enable Deep Content Inspection

Technical Note : Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decr...

Technical Tip : SSL Inspection fails when FortiGate verifies the server certificate by its CA certif...

Troubleshooting Tip : Verifying server certificate on SSL Inspection
