Preventing certificate warnings (CA-signed certificate)

In this recipe, you prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you're using a CA-signed certificate, as presented here, your FortiGate default certificate (see Preventing certificate warnings (default certificate)), or a self-signed certificate (see Preventing certificate warnings (self-signed)).

When you enable full SSL inspection, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in "man-in-the-middle" attacks, which is why a user's device may show a security certificate warning: the certificate the FortiGate presents to the user is re-signed by the FortiGate's own CA, and unless that CA is trusted by the device (directly, or through a CA the device already trusts), the browser treats the session as untrusted.
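The following script is an added illustration of that mechanism, not part of this recipe or Fortinet's code: it builds a constructed enterprise root CA (standing in for a CA the user's devices already trust), has that root sign an SSL inspection CA for the FortiGate, and compares what a client does with an origin certificate re-signed by that CA-signed inspection CA versus one re-signed by a standalone self-signed inspection CA. All CA names, file names and the hostname www.example.com are constructed for the demo; it needs only a POSIX shell and OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added demo (not Fortinet's code). A client trusts only enterprise-root.crt.
# Full SSL inspection re-signs the origin's certificate with the FortiGate's CA:
# a CA-signed one chains to the trusted root (no warning); a standalone
# self-signed one does not (warning). All names below are constructed.
set -e
WORK="$(mktemp -d)"; cd "$WORK"; trap 'rm -rf "$WORK"' EXIT
KEY="ec -pkeyopt ec_paramgen_curve:prime256v1"   # quick keys; fine for a demo

# self_signed <name> <CN>: self-signed cert (a root, or a standalone inspection CA).
self_signed() {
  openssl req -x509 -newkey $KEY -nodes -days 2 -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
# issue <name> <CN> <issuer> <extensions>: cert for <name> signed by <issuer>.
issue() {
  openssl req -new -newkey $KEY -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf '%s\n' "$4" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}
CA_EXT='basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
subjectAltName=DNS:www.example.com'

self_signed enterprise-root "Enterprise Root CA"            # in the client trust store
self_signed standalone-ca   "Standalone Inspection CA"      # default/self-signed style
issue fortigate-ca "FortiGate SSL Inspection CA" enterprise-root "$CA_EXT"   # CA-signed

# The origin's certificate as each inspection CA re-signs it for the client.
issue leaf-casigned   www.example.com fortigate-ca  "$LEAF_EXT"
issue leaf-standalone www.example.com standalone-ca "$LEAF_EXT"

# client_check <leaf> [intermediate]: what a client trusting only the enterprise
# root decides; prints "ok" (page loads) or "warning" (certificate warning).
client_check() {
  untrusted=""
  [ -n "$2" ] && untrusted="-untrusted $2"
  if openssl verify -CAfile enterprise-root.crt -no-CApath $untrusted \
       -verify_hostname www.example.com "$1" >/dev/null 2>&1
  then echo ok; else echo warning; fi
}

client_check leaf-casigned.crt fortigate-ca.crt   # ok
client_check leaf-standalone.crt                  # warning
```

The second check is the situation this recipe fixes: the same origin certificate, re-signed by a CA the device has no trust path to, produces the warning.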

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.