FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ametkola
Staff
Article Id 251252
Description

 

This article describes how to add a new certificate to SSL/SSH inspection profile.

 

If the certificate cannot be selected in the SSL/SSH inspection profile, there are two possible reasons:

  1. The certificate was not imported correctly.
  2. The certificate does not have CA=True, which is a requirement for certificate inspection.

 

Solution

 

To import the certificate, go to System -> Certificate -> Import -> Local Certificate.

Select 'Certificate' if the public certificate and private key are separate files, or select 'PKCS12' if they are bundled in a '.pfx' file.

 

Then go to System -> Certificate and check whether the imported certificate shows CA=True.

 


 

  • FortiGate must act as a CA in order to perform full SSL inspection. The internal CA must generate an SSL private key and certificate each time an internal user connects to an external SSL server.
  • FortiGate also acts as a proxy web server. In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to CA=True and the keyUsage extension set to keyCertSign.

 

  • The CA=True value identifies the certificate as a CA certificate. The keyUsage=keyCertSign value indicates that the private key corresponding to the certificate is permitted to sign certificates.
  • If the connection request is outbound, select the option 'Multiple Clients Connecting to Multiple Servers'. Then select the CA certificate that will be used to sign the new certificates.
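The two requirements above (basicConstraints CA=True and keyUsage keyCertSign) can be checked with openssl before the certificate is imported. The script below is an added example, not part of this article; it assumes the openssl command line tool and mktemp are available, and it builds a constructed CA and a constructed server certificate with made-up subjects so both outcomes can be seen.

```shell
#!/bin/sh
# Added example: verify that a PEM certificate meets the two FortiGate
# requirements for an SSL inspection CA before importing it under
# System -> Certificate: basicConstraints CA:TRUE and keyUsage keyCertSign
# (shown by openssl as "Certificate Sign"). Exit status 0 = usable, 1 = not.
inspection_ca_ok() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
}

# Constructed test material (not from the article): a self-signed CA and a
# server certificate signed by it, built with throwaway keys in a temp dir.
WORK=$(mktemp -d)
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
# CA: has CA:TRUE and keyCertSign, so the SSL/SSH inspection profile can select it
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Example Inspection CA' -config "$WORK/ext.cnf" -extensions ca_ext \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# Leaf: an ordinary server certificate, CA:FALSE and no keyCertSign; it imports
# as a local certificate but cannot be chosen as the inspection CA
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -config "$WORK/ext.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions leaf_ext \
    -out "$WORK/leaf.pem" 2>/dev/null

for cert in "$WORK/ca.pem" "$WORK/leaf.pem"; do
    if inspection_ca_ok "$cert"; then
        echo "$cert: OK, CA=True and keyCertSign present"
    else
        echo "$cert: NOT usable as inspection CA (missing CA=True or keyCertSign)"
    fi
done
```

Run it against the real file instead by calling inspection_ca_ok on the exported PEM; a '.pfx' bundle can be converted first with openssl pkcs12.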

 

  1. On the FortiGate GUI, select Security Profiles -> SSL/SSH Inspection.
  2. Select Create New to create a new SSL/SSH inspection profile.
  3. Select Multiple Clients Connecting to Multiple Servers, and select SSL Certificate Inspection.

 

Related documents:

Technical Tip: How to import an SSL certificate as a local certificate

Import a certificate
Technical Tip: Installing Private CA for Deep inspection