Certificate inspection: untrusted certificate warning broken (5.4.5)

Author: Zac67 (New Member)
2017/08/04 01:04:01, tagged 5.4

Certificate inspection: untrusted certificate warning broken (5.4.5)

When you've activated certificate inspection or deep SSL inspection, the acceptance of the external certificate is up to the FG. When it rejects the external certificate, it shows the page with the warning:
"This Connection is Untrusted ..."
 
You can check this e.g. on https://self-signed.badssl.com/
 
However, for this page's certificate the FG always uses a certificate signed by the factory "Fortinet Untrusted CA", regardless of what you've set up for HTTPS or SSL inspection.
 
According to support (ticket #2289811), this is not configurable. In my humble opinion, this function is broken since it urges the user to (permanently) accept a root certificate which is present - and extractable - on every Fortigate on the planet, leaving a critical vulnerability for man-in-the-middle attacks.
 
Are there any ways around this? Is this issue addressed in 5.6?
#1
bommi (Gold Member)
2017/08/04 02:58:33, marked helpful by Zac67 (2017/08/04 03:36:26)
Hi,
 
I just checked this, but I can't change the Untrusted CA Certificate in 5.6.1.
 
Regards
bommi
#2
Zac67 (New Member)
2017/08/04 03:37:22
Pity - thanks for the feedback!
#3
dmcquade (Bronze Member)
2017/08/09 14:49:17
The problem is you are using the default CA cert on the Fortigate. You could download this and add it to your workstations as a trusted CA cert. Although named the same, it is NOT the same cert on all Fortigates.
 
I've implemented this by generating a CSR on the Fortigate and submitting it to the local network PKI to create a CA Cert using an ICA already trusted by the workstations. Import this into the Fortigate and the workstations will not receive the Untrusted Cert message.
#4
rdumitrescu (Bronze Member)
2017/08/10 00:27:52, marked Best Answer by Zac67 (2017/09/08 07:04:39)
Hi Zac67,
By default the firewall uses an "Untrust CA" for websites that have a broken certificate (as in your example, https://self-signed.badssl.com/).

You can change that from CLI:
config firewall ssl-ssh-profile
edit "--your profile--"
set untrusted-caname "your trusted CA"
end
 
In this way you will avoid the certificate warning (if you have installed the "trusted CA" on the PC).
Still, best practice says to warn the users when they are going to an "untrusted" (faulty certificate) website.
So you should find your best compromise between usability and security.
 
Regards
Radu
#5
Zac67 (New Member)
2017/08/29 00:51:48
Thanks for your suggestion, Radu! "Untrusted-caname" was the keyword; now I can also find at least a cursory mention in the manual under Inspection Exemption(!) - support wasn't able to point me there.
 
Setting untrusted-caname to the (working) SSL inspection certificate didn't work. Now the warning page can't load any more at all (it keeps connecting forever). Even unsetting untrusted-caname doesn't fix this. But it's definitely the right track: the Certificates page in the GUI counts one reference fewer to the Fortinet untrusted CA cert and one more for ours. I'll investigate further.
post edited by Zac67 - 2017/08/30 01:53:37
#6
FAPM (New Member)
2017/08/29 13:07:59, marked helpful by Zac67 (2017/09/01 01:00:26)
Hi,
I am on version 5.6.2 and I have the same problem ...
#7
Zac67 (New Member)
2017/09/08 07:04:21
Radu: even though the "Untrusted-caname" option didn't work right away, it did start working at some time later on. I just stumbled on a page with an incomplete certificate chain (intermediate cert missing) and wondered why I could read the FG's warning - checked the certificate and it's ours! THANK YOU!!
#8
rdumitrescu (Bronze Member)
2017/09/08 07:41:08, marked helpful by Zac67 (2020/03/06 07:30:45)
Hi Zac67, glad to hear that you managed to solve the issue.
Just after you modified the "Untrusted-caname", it may be that your browser had the web server certificate cached; that's why it started to work later.
Cheers
Radu
#9
Zac67 (New Member)
2017/09/08 08:51:24
Well, I restarted Firefox (I know that deleting the cache and shift-ctrl-R don't always force a certificate reload or SSL renegotiation) and also tried a second PC - somehow the setting didn't catch right away. Possibly the FG had retained some connection data for a short while, I don't know.
 
We didn't test long, just a few minutes; I guess we should have tested a bit longer.
#10
ZANOOB (New Member)
2020/03/06 06:36:42
Hi, I am having the same problem.
But it is for non-responsive sites: the Fortigate tries to send a 504 message back to the client machine.
But the client machines are presented with the Fortigate certificate and hence the warning message on clients.
 
I tried to change the untrusted-caname to a certificate that is trusted by clients (example: DigiCert CA certificate).
But when I try the command
 
config firewall ssl-ssh-profile
edit "My SSL inspection"
set untrusted-caname "Digicert CA"
 
I get the error that the certificate is not in the store.
I downloaded the DigiCert CA to the certificate store in the Fortigate using the import option under Certificates, chose the option "CA Certificate" and imported the CA certificate, but it goes under "Remote CA certificate".
 
Hence, when running the above command it gives me "entry not found in datasource". I can only use a certificate that is inside the "Local CA certificate" store and not inside the "Remote CA Certificate" store.
 
The Fortigate does not allow importing a certificate under "Local CA certificate".
 
How did you import the certificate into the local CA certificate store, or how did it allow you to run this command?
#11
Zac67 (New Member)
2020/03/06 07:29:55
@Zanoob
 
You need to use the untrusted-caname of a certificate that is installed on the FGT unit (including a private key) and that the clients trust. You cannot use an external, trusted certificate because without a private key, the FGT can't use it.
 
Usually, that certificate is signed with your domain CA which provides a trusted root CA certificate that is deployed to each client. For that, you generate a new local certificate and have your root CA sign the FGT's CSR.
#12
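As an added example, not from the thread and not Fortinet code, here is the PKI side of the procedure dmcquade and Zac67 describe, carried out offline with the openssl CLI so the chain logic can be checked without a FortiGate: a root CA standing in for the internal PKI the workstations already trust (the thread has an ICA between root and FortiGate; the demo collapses that to one level), a CSR standing in for the one generated on the unit, signed as a CA certificate, and a server certificate issued under it the way the unit issues one for the warning page. It also shows two things the thread leaves implicit: a self-signed CA that was never deployed to clients (the factory default the OP objects to) is rejected until a user trusts it, after which everything signed under it is accepted; and an ordinary server certificate such as ZANOOB's wildcard carries CA:FALSE, so certificates signed with it fail verification, which is why a cert of that kind cannot fill the untrusted-caname role. All names, subjects and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or Fortinet): the CSR -> CA-certificate
# step of the fix, done with OpenSSL. All names here are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# Minimal OpenSSL config: one extension profile per role in the chain.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_resigning_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# newkey NAME: P-256 private key in $WORK/NAME.key (RSA works the same, slower).
newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"; }

# selfsigned NAME SUBJECT PROFILE: self-signed certificate with the given profile.
selfsigned() {
  openssl req -x509 -new -key "$WORK/$1.key" -subj "$2" -days 30 \
    -config "$CNF" -extensions "$3" -out "$WORK/$1.crt"
}

# sign NAME SUBJECT ISSUER PROFILE: CSR for NAME, then ISSUER signs it.
# On a FortiGate the CSR step is "generate CSR"; the signing is what the
# internal PKI does; the result is imported next to the private key it belongs to.
sign() {
  openssl req -new -key "$WORK/$1.key" -subj "$2" -config "$CNF" -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$CNF" -extensions "$4" -out "$WORK/$1.crt"
}

# chain_verifies ANCHOR INTERMEDIATE LEAF: 0 if LEAF chains to ANCHOR, else 1.
chain_verifies() {
  if openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2.crt" \
      "$WORK/$3.crt" >/dev/null 2>&1; then return 0; fi
  return 1
}

# issuer_dn NAME: issuer of NAME.crt in RFC 2253 form, e.g. "CN=Example Corp Root CA".
issuer_dn() {
  openssl x509 -in "$WORK/$1.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# is_ca NAME: 0 if NAME.crt carries basicConstraints CA:TRUE, 1 otherwise.
is_ca() { openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'CA:TRUE'; }

build_demo() {
  # 1. The internal root that the workstations already trust.
  newkey root;    selfsigned root "/CN=Example Corp Root CA" v3_root
  # 2. The unit's CSR, signed by that root *as a CA certificate* so the unit
  #    can issue certificates under it (the untrusted-caname candidate).
  newkey resign;  sign resign "/CN=Example Corp FortiGate Re-signing CA" root v3_resigning_ca
  # 3. What the unit would present for the warning page of a broken site.
  newkey warn;    sign warn "/CN=self-signed.badssl.com" resign v3_server
  # 4. Stand-in for the factory default: a self-signed CA nobody deployed.
  newkey factory; selfsigned factory "/CN=Factory Untrusted CA (stand-in)" v3_root
  newkey fwarn;   sign fwarn "/CN=self-signed.badssl.com" factory v3_server
  # 5. A plain wildcard server certificate (CA:FALSE), as a public CA issues it,
  #    and something signed with it.
  newkey wild;    sign wild "/CN=*.example.com" root v3_server
  newkey under;   sign under "/CN=self-signed.badssl.com" wild v3_server
}
build_demo

if chain_verifies root resign warn;      then echo "internal chain: OK"; fi
if ! chain_verifies root factory fwarn;  then echo "factory-default chain: rejected"; fi
if chain_verifies factory factory fwarn; then echo "accepted once the factory CA is trusted"; fi
if ! chain_verifies root wild under;     then echo "CA:FALSE certificate cannot issue"; fi
```

Run it as a plain script; it leaves the generated material in a temporary directory (override with `WORK=/some/dir`). The same `openssl verify` call, pointed at a certificate exported from a browser, is how Zac67's "checked the certificate and it's ours" can be confirmed after changing untrusted-caname.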
ZANOOB (New Member)
2020/03/09 01:40:26
I have a pfx file (which includes the private key). For example, this is our domain cert, signed by an external CA (DigiCert).
 
I was able to import this file into the FG using the option "local certificate" and then choosing the option PKCS#12 Certificate. We also have the password for the pfx file, and this certificate is trusted by clients since it is signed by DigiCert.
 
Now when I try to use the same command I get the same error, entry not found in datasource.
 
FWP-HA-01 $ config firewall ssl-ssh-profile
FWP-HA-01 (ssl-ssh-profile) $ edit "Test Cert no-inspection"
 
FWP-HA-01 (Test Cert no-insp~ion) $ set untrusted-caname "star_domain_19_21"
entry not found in datasource
 
value parse error before 'star_domain_19_21'
Command fail. Return code -3
 
FWP-HA-01 (Test Cert no-insp~ion) $ 
 
Even if we generate a CSR and have it signed by a CA that the clients trust, wouldn't it be the same?
For clients, they need to be presented with a certificate that they trust, and the FG needs to send a certificate that the client trusts. So if the FG sends the certificate that is signed by an external CA (DigiCert), that should work, I guess.
 
So here I have imported a certificate (pfx file that has certificate and key) using the local certificate option under import. The error I keep getting is the entry not found in datasource. Did you do anything else to get the command running?
 
post edited by ZANOOB - 2020/03/09 01:42:21
#13
Zac67 (New Member)
2020/03/09 02:17:41
That looks like you're trying to use a (slightly) different name in the 'set untrusted-caname' command than the one you have imported. Double check the name in the certificate list and make sure the private key was imported.
#14
ZANOOB (New Member)
2020/03/11 08:38:10
The certificate I imported does have the private key and the certificate.
I checked with OpenSSL: I converted the PFX file that I imported to the Fortigate to a PEM file and double-checked that it has the private key.
 
The problem is that when I run the command it keeps giving the error "entry not found in datasource".
Like it couldn't find the certificate, and I understand, because we are importing the certificate using the local certificate option under import, and the import to local certificate works successfully.
 
However, to run this command do we need some other option to point it to the local certificate path?
Or is it because the certificate is a *.domain.com?
#15
ZANOOB (New Member)
2020/03/11 09:02:24
After the import of the certificate I can only see the certificates that were already there on the Fortigate, as you can see below.
The issue is that it is using the Fortinet_CA_Untrusted certificate, which is not trusted by the clients.
 
FWP-HA-01 (Hem Cert no-insp~ion) $ set untrusted-caname 
<string>    please input string value
Fortinet_CA_SSL	local
Fortinet_CA_Untrusted	local
#16
saymon (New Member)
2021/01/24 20:46:17
Hi dmcquade,
could you share the detailed steps of your solution?
"I've implemented this by generating a CSR on the Fortigate and submitted it to the local network PKI to create a CA Cert using an ICA already trusted by the workstations. Import this into the Fortigate and the workstations will not receive the Untrusted Cert message."
 
How do you perform "create CA cert using ICA"? On my workstations I didn't install any certificate; I just have a wildcard certificate for my company.
Thanks for the answer.
 
#17