Administration Guide

Installing a certificate for deep inspection mode

When users forward traffic to FortiSASE using agent-based mode, agentless secure web gateway (SWG) mode, or using an edge device, FortiSASE proxies traffic from the client. While being proxied, connections using secure protocols like HTTPS have their certificates replaced and signed by FortiSASE. To avoid seeing warnings and errors, the client must trust the signing certificate authority (CA) and have a valid certificate chain back to the root CA. Therefore, installing FortiSASE’s CA certificate on the client’s trusted certificate store is important.

With deep inspection enabled, FortiSASE supports automatically installing the FortiSASE CA certificate for agent-based users with FortiClient installed on their endpoints. Therefore, the following instructions are not required for agent-based users.

You must install the FortiSASE CA certificate on endpoints for agentless SWG users and site-based edge device users using the following instructions.

The following instructions demonstrate installing certificates on Windows, macOS, Chrome OS, and managed Chromebooks.

First, you must download the CA certificate from FortiSASE prior to manually installing it on your endpoints.

To download the FortiSASE CA certificate:
  1. Go to Configuration > Security and select the Profile Group using the dropdown list at the top-right.
  2. In the Profiles tab click Configure SSL.
  3. Ensure Deep inspection is selected for Inspection method.
  4. For CA certificate, select the certificate from the dropdown list. Typically, the default Fortinet_CA_SSL certificate can be used.
  5. Click Download next to the dropdown list and save the CA certificate to your local computer. You use this CA certificate in one of the following sets of instructions.

Windows

To install the FortiSASE CA certificate on a Windows 10 device:
  1. Double-click the FortiSASE certificate that the administrator provided during onboarding.
  2. On the General tab, click Install Certificate.
  3. You can install the certificate for the current user or local machine. Installing for the local machine requires administrator permissions. Select the desired option and click Next.
  4. Choose where you want the certificate to be kept. To customize this, select Place all certificates in the following store and browse the store. Then select Trusted Root Certification Authorities. Click Next.
  5. Review and click Finish to install the certificate.
  6. You can upload and distribute CA certificates using a group policy on multiple Windows devices that are part of an Active Directory. See Distribute certificates to Windows devices by using Group Policy.
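
A scripted equivalent of the Windows steps above, as an added example that is not part of the Fortinet guide. It checks the downloaded file before trusting it and then imports it into Trusted Root Certification Authorities. The file name default, the `-Scope` parameter, and the expected SHA-256 fingerprint (a placeholder to be replaced with a value the administrator supplies out of band) are assumptions.

```powershell
# Added example: verify the downloaded CA certificate, then import it into the
# Trusted Root store. Run from an elevated prompt when -Scope is LocalMachine.
param(
    [string]$Path = '.\Fortinet_CA_SSL.cer',
    # Placeholder: SHA-256 fingerprint supplied out of band by the administrator.
    [string]$ExpectedSha256 = '<EXPECTED-SHA256-FINGERPRINT>',
    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$Scope = 'LocalMachine'
)
$ErrorActionPreference = 'Stop'

# Load the file (DER or Base64 .cer) without touching any certificate store.
$fullPath = (Resolve-Path -LiteralPath $Path).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($fullPath)

# Fingerprint = SHA-256 over the DER encoding; separators such as ':' are ignored.
$sha = [System.Security.Cryptography.SHA256]::Create()
$actual = -join ($sha.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') })
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Fingerprint mismatch: file has $actual. Nothing was installed."
}

# A root used for re-signing must be a CA certificate and currently valid.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate is not marked as a CA (basicConstraints CA:TRUE missing).'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Import into Trusted Root Certification Authorities for the chosen scope.
# Windows may show a confirmation dialog for the CurrentUser root store.
$store = "Cert:\$Scope\Root"
Import-Certificate -FilePath $fullPath -CertStoreLocation $store | Out-Null

# Confirm the certificate is present in the store after the import.
$installed = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw "Import reported success but the certificate is not in $store." }
"Installed '$($cert.Subject)' into $store (SHA-256 $actual)"
```

The script stops before the import if any check fails, so a wrong or substituted file never reaches the trust store.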

macOS

To properly browse any HTTPS websites, you must install the FortiSASE root certificate on the endpoint.

To upload the FortiSASE CA certificate on a Mac:
  1. Double-click the FortiSASE certificate that the administrator provided during onboarding.
  2. From the Keychain dropdown list, select System, then click Add.
  3. When you view the certificate, the root certificate appears as not trusted. Expand the Trust section. From the When using this certificate dropdown list, select Always Trust.
  4. Save the configuration and add the certificate to the system keychain. You can connect to HTTPS websites without seeing a warning.

Chrome OS

To upload the FortiSASE CA certificate on a Chromebook:
  1. In Chrome, open Settings from the menu or go to chrome://settings.
  2. Go to Privacy and security. On the configuration page, click Security.
  3. In the Security settings page, scroll to the bottom to find Advanced > Manage certificates. Click the right arrow.
  4. In the Manage certificate page, select Authorities.
  5. Click Import to import the FortiSASE certificate authority (CA) certificate.
  6. If the Fortinet_CA_SSL.cer file does not appear, change the file selection page to show all files. Then select the Fortinet_CA_SSL.cer certificate and click Open.
  7. The next screen asks for your trust settings for this certificate. Select all options, then click OK.
  8. You have imported the FortiSASE CA certificate. Scroll down to see the org-Fortinet entry. Expand to see the certificate and view its details.

Managed Chromebook

If your organization manages Chromebooks using the Google Admin console, you can centrally install the FortiSASE certificate authority certificate on the Admin console and distribute it to each managed Chromebook.

To upload the FortiSASE CA certificate on Google Admin Console:
  1. On the Google Admin console, go to Device > Networks.
  2. Select the organizational unit in which to apply these settings.
  3. Under Certificates, click Create Certificate.
  4. Enter a name for this certificate entry, then click Upload to upload the Fortinet_CA_SSL.cer certificate.
  5. Under Certificate Authority, select Chromebook. Click ADD.

To verify the CA certificate is installed on a Chromebook:
  1. In Chrome, open Settings from the menu or go to chrome://settings.
  2. Go to Privacy and security. On the configuration page, click Security.
  3. In the Security settings page, scroll to the bottom to find Advanced > Manage certificates. Click the right arrow.
  4. In the Manage certificate page, select Authorities.
  5. Scroll down to the org-Fortinet entry. Expand this entry. You see the certificate and an icon indicating that Google Admin console is managing it.
