Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Examples

    7.6.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Configuring FortiManager to deploy certificates for deep inspection

    Configuring FortiManager to deploy certificates for deep inspection

    FortiManager can be used to deploy certificates to FortiGate devices. These certificates can include Certificate Authority (CA) certificates, commonly used for deep inspection.

    The steps for deploying a CA certificate for deep inspection are as follows:

    1. Generate a CA certificate on FortiAuthenticator

    2. Generate an intermediate CA certificate

    3. Upload the intermediate CA certificate to FortiManager

    4. Use the certificate in a policy and install the Policy Package

    5. Verify on an endpoint

    Generate a CA certificate on FortiAuthenticator

    To generate a CA certificate on FortiAuthenticator:

    1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs, and select +Create New.

    2. Specify a Certificate ID, leave the Certificate type as Root CA, and specify a Name (CN).

    3. You may provide additional fields as desired.

    4. Select OK.

    Generate an intermediate CA certificate

    To generate an intermediate CA certificate:

    1. From Certificate Management > Certificate Authorities > Local CAs, and select +Create New.

    2. Provide a name for the certificate as Certificate ID.

    3. For Certificate type, select Intermediate CA.

    4. Use the dropdown for Certificate authority to select the certificate created in the previous step.

    5. For CN, provide a name for the intermediate CA certificate.

    6. Click OK to save.

    7. Use the checkbox to select the generated intermediate CA certificate, then click Export Key and Cert in the top navigation bar.

    8. Provide a passphrase to secure the private key.

    9. Select Download PKCS#12 file, then select Finish.

    Upload the intermediate CA certificate to FortiManager

    To upload the intermediate CA certificate to FortiManager:

    1. Navigate to Policy & Objects > Advanced.

    2. From the top menu bar, select Tools > Feature Visibility.

    3. Under Advanced, enable Dynamic Local Certificate.

    4. Select Dynamic Local Certificate from the top.

    5. Select +Create New in the top left.

    6. Specify a name for the certificate.

    7. Expand Per-Device Mapping and select Create New to create a new mapping.

    8. Select the target FortiGate for Mapped device.

    9. Select Import next to Import Certificate.

    10. Select PKCS#12 Certificate for Type.

    11. Upload the file by browsing or drag-and-dropping the certificate.

    12. Provide the password used to secure the private key.

    13. Specify the name for the certificate.

    14. Select OK.

      Tooltip

      If the newly uploaded certificate does not appear in the dropdown for Local Certificate, select OK, then select the mapped device and edit once more.

    15. Use the Local Certificate dropdown to select the newly uploaded certificate.

    16. Select OK to save the per-device mapping.

    17. Provide a change note and select OK to save the dynamic local certificate.

    Use the certificate in a policy and install the Policy Package

    To update SSL/SSH inspection to use the uploaded certificate:

    1. Navigate to Policy & Objects > Security Profiles, and select SSL/SSH Inspection from the top menu.

    2. Edit custom-deep-inspection.

    3. For CA Certificate, use the dropdown to select the uploaded intermediate CA certificate.

    4. Provide a change note and select OK to save.

    5. Use this security profile, along with a web filtering profile, in a policy assigned to the FortiGate with the certificate mapping.

    6. Install the Policy Package.

    For more information, see Deep Inspection in the FortiGate Administration Guide on the Fortinet Document Library, as you need to install this intermediate CA on endpoints/browsers to enable the certificate rewriting to be trusted.

    Verify on an endpoint

    This guide assumes the certificate used in the deep inspection profile is trusted by the endpoint.

    To verify on an endpoint:

    1. Navigate to an HTTPS site on an endpoint which would send traffic through the policy you applied the SSL/SSH custom-deep-inspection profile to.

    2. When the site loads, inspect the certificate that is being used.

      • Note how the certificate is valid.

      • Note how the Issued By section reflects the certificate you selected for your deep inspection.

    Previous
    Next

    Configuring FortiManager to deploy certificates for deep inspection

    Configuring FortiManager to deploy certificates for deep inspection

    FortiManager can be used to deploy certificates to FortiGate devices. These certificates can include Certificate Authority (CA) certificates, commonly used for deep inspection.

    The steps for deploying a CA certificate for deep inspection are as follows:

    1. Generate a CA certificate on FortiAuthenticator

    2. Generate an intermediate CA certificate

    3. Upload the intermediate CA certificate to FortiManager

    4. Use the certificate in a policy and install the Policy Package

    5. Verify on an endpoint

    Generate a CA certificate on FortiAuthenticator

    To generate a CA certificate on FortiAuthenticator:

    1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs, and select +Create New.

    2. Specify a Certificate ID, leave the Certificate type as Root CA, and specify a Name (CN).

    3. You may provide additional fields as desired.

    4. Select OK.

    Generate an intermediate CA certificate

    To generate an intermediate CA certificate:

    1. From Certificate Management > Certificate Authorities > Local CAs, and select +Create New.

    2. Provide a name for the certificate as Certificate ID.

    3. For Certificate type, select Intermediate CA.

    4. Use the dropdown for Certificate authority to select the certificate created in the previous step.

    5. For CN, provide a name for the intermediate CA certificate.

    6. Click OK to save.

    7. Use the checkbox to select the generated intermediate CA certificate, then click Export Key and Cert in the top navigation bar.

    8. Provide a passphrase to secure the private key.

    9. Select Download PKCS#12 file, then select Finish.

    Upload the intermediate CA certificate to FortiManager

    To upload the intermediate CA certificate to FortiManager:

    1. Navigate to Policy & Objects > Advanced.

    2. From the top menu bar, select Tools > Feature Visibility.

    3. Under Advanced, enable Dynamic Local Certificate.

    4. Select Dynamic Local Certificate from the top.

    5. Select +Create New in the top left.

    6. Specify a name for the certificate.

    7. Expand Per-Device Mapping and select Create New to create a new mapping.

    8. Select the target FortiGate for Mapped device.

    9. Select Import next to Import Certificate.

    10. Select PKCS#12 Certificate for Type.

    11. Upload the file by browsing or drag-and-dropping the certificate.

    12. Provide the password used to secure the private key.

    13. Specify the name for the certificate.

    14. Select OK.

      Tooltip

      If the newly uploaded certificate does not appear in the dropdown for Local Certificate, select OK, then select the mapped device and edit once more.

    15. Use the Local Certificate dropdown to select the newly uploaded certificate.

    16. Select OK to save the per-device mapping.

    17. Provide a change note and select OK to save the dynamic local certificate.

    Use the certificate in a policy and install the Policy Package

    To update SSL/SSH inspection to use the uploaded certificate:

    1. Navigate to Policy & Objects > Security Profiles, and select SSL/SSH Inspection from the top menu.

    2. Edit custom-deep-inspection.

    3. For CA Certificate, use the dropdown to select the uploaded intermediate CA certificate.

    4. Provide a change note and select OK to save.

    5. Use this security profile, along with a web filtering profile, in a policy assigned to the FortiGate with the certificate mapping.

    6. Install the Policy Package.

    For more information, see Deep Inspection in the FortiGate Administration Guide on the Fortinet Document Library, as you need to install this intermediate CA on endpoints/browsers to enable the certificate rewriting to be trusted.

    Verify on an endpoint

    This guide assumes the certificate used in the deep inspection profile is trusted by the endpoint.

    To verify on an endpoint:

    1. Navigate to an HTTPS site on an endpoint which would send traffic through the policy you applied the SSL/SSH custom-deep-inspection profile to.

    2. When the site loads, inspect the certificate that is being used.

      • Note how the certificate is valid.

      • Note how the Issued By section reflects the certificate you selected for your deep inspection.

    Previous
    Next