FortiAuthenticator certificate with SSL inspection using an HSM

For this recipe, you will create a certificate on the FortiGate, have it signed on a FortiAuthenticator with a configured HSM server, and configure the FortiGate so that the certificate can be used for SSL deep inspection of HTTPS traffic. This example uses the Safenet Luna V7 HSM.

To set up the certificate with SSL inspection using an HSM:
  1. Configuring the NetHSM profile on FortiAuthenticator
  2. Creating a local CA certificate using an HSM server
  3. Creating a CSR on the FortiGate
  4. Creating an Intermediate CA on the FortiAuthenticator
  5. Importing the signed certificate on the FortiGate
  6. Configuring full SSL inspection
  7. Results

In order for this configuration to work correctly, the FortiAuthenticator must be configured as a certificate authority (CA); otherwise, the certificate created in this recipe will not be trusted by clients. For more information on how to do this, see Creating a local CA certificate using an HSM server and FortiAuthenticator as a Certificate Authority.

As an example, you will also have Application Control with Deep Inspection of Cloud Applications enabled. This will apply inspection to HTTPS traffic. Note that you may use another security profile instead of Application Control.
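The chain this recipe produces is a FortiAuthenticator root CA, a FortiGate certificate signed as an intermediate CA, and, per inspected HTTPS session, a server certificate the FortiGate issues under that intermediate. The script below is an added example, not part of the Fortinet recipe and not FortiGate or FortiAuthenticator code: it rebuilds that chain with the openssl CLI in a scratch directory so the trust relationship behind the caveat above can be checked offline. It assumes an openssl CLI is installed, replaces the HSM-protected root key with a constructed software key, and uses constructed names (fac-root-ca, fgt-inspection-ca, www.example.test) throughout.

```shell
#!/bin/sh
# Added example, not part of the Fortinet recipe: model the certificate chain the
# recipe builds (FortiAuthenticator root CA -> FortiGate intermediate CA -> server
# certificate re-signed during deep inspection) with the openssl CLI, and check
# which trust anchor makes the re-signed certificate verify.
# Assumptions: the openssl CLI is installed; the HSM-protected root key of the
# recipe is replaced by a software key in a scratch directory; all names are
# constructed for this example.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: prompt-free subject plus the extension sets needed for
# a root CA, a subordinate (intermediate) CA and an end-entity server cert.
write_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder (overridden by -subj)
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[sub_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

build_chain() {
  write_config
  # Step 2 of the recipe: the FortiAuthenticator local CA (its key lives on the
  # HSM in the recipe; here it is a constructed software key).
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/ca.cnf" -extensions root_ca \
    -subj "/CN=fac-root-ca (constructed)" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Step 3: the CSR generated on the FortiGate.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=fgt-inspection-ca (constructed)" \
    -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" 2>/dev/null
  # Step 4: the FortiAuthenticator signs that CSR as an intermediate CA. CA:TRUE
  # is what lets the FortiGate later issue certificates for inspected sites.
  openssl x509 -req -in "$WORK/fgt.csr" -days 365 \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions sub_ca -out "$WORK/fgt.pem" 2>/dev/null
  # What the FortiGate does per inspected HTTPS session: issue a server
  # certificate for the visited host, signed with the intermediate CA.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -days 30 \
    -CA "$WORK/fgt.pem" -CAkey "$WORK/fgt.key" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions server -out "$WORK/srv.pem" 2>/dev/null
}

# Prints "yes" if the certificate returned to the FortiGate is itself a CA,
# the property an SSL deep inspection certificate must have.
fortigate_cert_is_ca() {
  if openssl x509 -in "$WORK/fgt.pem" -noout -text | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# Prints "ok" when the re-signed server certificate chains to the root CA,
# i.e. the client trusts the FortiAuthenticator CA as the recipe requires.
verify_with_root() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fgt.pem" \
       "$WORK/srv.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Prints "fail" when no trust anchor is supplied: the recipe's caveat that an
# untrusted CA makes the inspection certificate unusable.
verify_without_root() {
  if openssl verify -no-CAfile -no-CApath -untrusted "$WORK/fgt.pem" \
       "$WORK/srv.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

build_chain
echo "FortiGate cert is a CA:       $(fortigate_cert_is_ca)"
echo "verify with root CA trusted:  $(verify_with_root)"
echo "verify with no trust anchor:  $(verify_without_root)"
```

The two verify calls are the check worth carrying over to a real deployment: export the FortiAuthenticator root CA certificate and confirm that a certificate the FortiGate issued during inspection verifies against it with the FortiGate certificate passed as the untrusted intermediate; if that fails in the lab, clients will see certificate warnings in production no matter how the inspection profile is configured.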