Microsoft CA deep packet inspection

In most production environments, you want to use a certificate issued by your own PKI for deep packet inspection (DPI).

An existing Microsoft root CA can be used to issue a subordinate CA (sub CA) certificate that is installed as a DPI certificate on the FortiGate.

Complete the following steps to create your own sub CA certificate and use it for DPI:

  1. Create a Microsoft sub CA certificate
  2. Export the certificate and private key
  3. Import the certificate and private key into the FortiGate
  4. Configure a firewall policy for DPI
  5. Verify that the sub CA certificate is being used for DPI

The FortiGate firewall copies information from the original web server certificate into a new certificate that it signs with the Microsoft-issued DPI certificate. When the SSL session is being established, the FortiGate sends this re-signed certificate, together with the issuing DPI certificate, to the client's web browser.

The browser verifies that the certificate was issued by a valid CA, then looks for the issuer of the Microsoft DPI certificate in its local trusted root CA store to complete the path to a trusted root CA.

The Microsoft CA root certificate is normally deployed to all client PCs in the Windows domain, so the client can complete the certificate path up to a trusted root CA. The FortiGate now controls and can inspect the two HTTPS sessions: one with the external web server, and one with the client PC.
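The following PowerShell function is an added example for step 5 (verifying that the sub CA certificate is being used for DPI); it is not part of the original page or of any Fortinet tool. Run it on a domain-joined client behind the FortiGate: it opens a TLS connection, retrieves the certificate the client actually receives, builds the chain against the client's own root store (as the browser would), and reports whether the leaf certificate was issued by the DPI sub CA. The host name www.example.com and the sub CA common name FortiGate-DPI-SubCA are assumed values; substitute your own.

```powershell
# Added example, not from the Fortinet page: show the certificate chain a Windows client
# receives for an HTTPS site and report whether the leaf was issued by the DPI sub CA.
function Test-DpiInspection {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # Assumed common name of your Microsoft-issued DPI sub CA; replace with your own
        [string] $DpiSubCaCn = 'FortiGate-DPI-SubCA'
    )

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever certificate the server (or the FortiGate) presents so that the
        # chain can still be examined when validation would otherwise fail.
        $ssl = [System.Net.Security.SslStream]::new(
            $client.GetStream(), $false, { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    }
    finally {
        $client.Dispose()
    }

    # Build the chain the same way the browser does: against the local trusted root stores.
    # Revocation checking is skipped here so that the path result reflects trust alone.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($leaf)

    [pscustomobject]@{
        HostName       = $HostName
        LeafSubject    = $leaf.Subject
        LeafIssuer     = $leaf.Issuer
        # True when the FortiGate re-signed the server certificate with the DPI sub CA
        InspectedByDpi = ($leaf.Issuer -like "*CN=$DpiSubCaCn*")
        # True when the client can complete the path up to a trusted root CA
        ChainTrusted   = $trusted
        ChainPath      = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
}

# Usage: a site that is subject to the DPI policy should report InspectedByDpi = True
# and ChainTrusted = True; InspectedByDpi = True with ChainTrusted = False means the
# Microsoft root has not reached this client's trusted root store.
Test-DpiInspection -HostName 'www.example.com' | Format-List
```

If InspectedByDpi is False for a site you expect to be inspected, the traffic is either exempt from the SSL inspection profile or not matching the DPI firewall policy; if it is True but ChainTrusted is False, the client is missing the Microsoft root CA certificate and the browser will show a trust warning.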

Create a Microsoft sub CA certificate

A Microsoft sub CA certificate can be created on a Microsoft CA server, or remotely using a web browser.

Creating a certificate remotely requires that the web enrollment option is configured on the Microsoft CA server. Remote certificate requests require HTTPS; requests are not allowed with HTTP.
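As an added example of the first option above (creating the sub CA certificate on a Windows machine against the Microsoft CA rather than through web enrollment), the following PowerShell script uses certreq and Export-PfxCertificate, which are standard Windows tools; this is not code from the Fortinet page. It covers steps 1 and 2 of the procedure: the SubCA template is the built-in "Subordinate Certification Authority" template, Exportable = TRUE corresponds to "Mark keys as exportable", and the PFX it writes is what you import into the FortiGate. The CA configuration string CA01.corp.example.com\Corp-Issuing-CA and the subject name are assumed values; replace them with your own.

```powershell
# Added example, not from the Fortinet page: request a subordinate CA certificate from a
# Microsoft enterprise CA and export it with its private key as a PFX for the FortiGate.
# Run in an elevated PowerShell session under an account that has Enroll permission on
# the SubCA template (the page's procedure uses a domain administrator account).
$CaConfig  = 'CA01.corp.example.com\Corp-Issuing-CA'   # assumed: <CA host FQDN>\<CA common name>
$SubjectCn = 'FortiGate-DPI-SubCA'                      # assumed sub CA common name
$Subject   = "CN=$SubjectCn,O=Example Corp"             # assumed subject
$WorkDir   = Join-Path $env:TEMP 'dpi-subca'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Request definition. Exportable = TRUE is the equivalent of "Mark keys as exportable"
# in web enrollment; without it the private key cannot be exported in step 2.
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = SubCA
"@
$Inf | Set-Content -Path "$WorkDir\subca.inf" -Encoding ASCII

# 1. Generate the key pair in the machine store and write the CSR
certreq -new "$WorkDir\subca.inf" "$WorkDir\subca.req"

# 2. Submit the CSR to the CA. If the template or CA requires CA manager approval,
#    this prints a pending RequestId instead of writing subca.cer: issue the request in
#    the Certification Authority console, then run
#    certreq -retrieve -config $CaConfig <RequestId> "$WorkDir\subca.cer"
certreq -submit -config $CaConfig "$WorkDir\subca.req" "$WorkDir\subca.cer"

# 3. Bind the issued certificate to its private key in Cert:\LocalMachine\My
certreq -accept "$WorkDir\subca.cer"

# 4. Export certificate plus private key (PKCS#12) for import into the FortiGate.
#    The store formats the DN as "CN=..., O=...", so match on the CN prefix.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$SubjectCn,*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert) { throw "Sub CA certificate '$SubjectCn' not found in the machine store" }

$PfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported PFX'
Export-PfxCertificate -Cert $Cert -FilePath "$WorkDir\dpi-subca.pfx" -Password $PfxPassword | Out-Null

# 5. Also export the CA's root certificate (no private key) so it can be pushed to
#    clients that do not receive it through the Windows domain.
$Root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $Cert.Issuer } | Select-Object -First 1
if ($Root) { Export-Certificate -Cert $Root -FilePath "$WorkDir\microsoft-root.cer" | Out-Null }

Write-Host "Sub CA PFX : $WorkDir\dpi-subca.pfx  (thumbprint $($Cert.Thumbprint))"
```

The PFX contains the sub CA private key, which is what lets the FortiGate sign certificates trusted by every domain client, so treat the file like any other CA key: keep it on the machine only as long as the import takes, and delete it from $WorkDir after step 3 of the procedure.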

To create a Microsoft sub CA certificate remotely:
  1. Open a web browser and go to one of the following URLs:
    • https://<FQDN-CA-server>/CertSrv
    • https://<IP-CA-server>/CertSrv
  2. Log in to a domain administrator account that has web enrollment rights.
  3. Click Request a certificate.
  4. Click advanced certificate request.
  5. Click Create and submit a request to this CA, then click Yes in the Web Access Confirmation warning.
  6. For the Certificate Template, select Subordinate Certification Authority.
  7. Enable Mark keys as exportable.
  8. Fi