Description
This article describes how to work around the untrusted certificate warning observed in the browser when visiting some HTTPS websites when FortiGate is configured in proxy mode and an SSL deep inspection profile has been enabled on a firewall policy.
This is a known issue occurring with some of the HTTPS websites that use a server certificate issued by Entrust.
Scope
Any supported version of FortiGate.
Solution
Symptoms.
When FortiGate cannot successfully authenticate the server certificate (i.e. untrusted root CA, expired, self-signed certificate) it will present the CA certificate configured via set untrusted-caname in the SSL inspection profile (default CA certificate name: Fortinet_CA_Untrusted).
In some cases, HTTPS websites using server certificates issued by Entrust will encounter an untrusted root CA warning because the specified Entrust root CA certificate in the server certificate's chain of trust is not in FortiGate's Trusted CA list (see Security Profiles -> SSL/SSH Inspection -> View Trusted CAs List).
Explanation.
The issue is that the HTTP site's server certificate was issued by an intermediate CA associated with a specific Entrust root CA certificate that has been deemed invalid because of an invalid certificate property. Since this Entrust root CA certificate is invalid, it is not trusted by all browsers.
This issue can be confirmed by using the URL of the affected HTTPS site with an online SSL checker website like SSL Labs' SSL Server Test or SSL Shopper's SSL Checker, and observing the checker's result that the certificate chain is incomplete or the certificate is not trusted in all browsers.
The solution to this issue is for the website's administrator to remove the invalid Entrust root CA certificate from the web server and replace it with a valid Entrust root CA certificate, or to call Entrust for further assistance.
On FortiGate, the workaround is to download the invalid Entrust root CA certificate from the affected website via a web browser and then adding it to FortiGate's trusted CA list.
Important Note.
This workaround should be considered a short-term fix before the web site administrator implements the solution above on their end.
The workaround is implemented as follows:
- From a workstation behind the FortiGate with SSL deep inspection enabled, visit the affected web site.
- From a web browser, download the affected web site's invalid Entrust root CA certificate as follows:
Chrome/Internet Explorer.
- From the browser, view the certificate within Windows' certificate window:
Chrome: select the lock icon to the left of the HTTPS URL, and then select 'Certificate'.
Internet Explorer: select the lock icon to the right of the Address bar, and then select 'View certificates'. - From the Certificate window, go to the Certification Path tab.
- Select the top-most certificate and click on View Certificate.
- In the second Certificate window, go to the Details tab and select 'Copy to File...'.
- Follow the Certificate Export Wizard to export the certificate to the workstation in "DER encoded binary X.509 (.CER)" format.
Firefox.
- Select the lock icon to the left of the HTTPS URL, and then select Connection secure -> More Information.
- Select the View Certificate button to the right.
- Select the Details tab in the Certificate Viewer.
- Select the top-most certificate and select 'Export...'.
- On the FortiGate, perform these steps:
- Go to System > Certificates and select Import -> CA Certificate.
- Select File, select the invalid Entrust root CA certificate downloaded from the affected site, and select 'OK'.
- Observe that the added invalid Entrust root CA certificate appears under the External CA Certificates section of the Certificates page.
Related document:
Explicit web proxy - FortiGate administration guide.
