SecurityPlus
2017/10/31 09:53:59 (permalink)

Security Certificate Questions

Sorry for so many questions below. I am kind of a newbie concerning security certificates.
 
  1. Are purchased (CA) security certificates a good idea when doing deep packet (SSL) inspection on a FortiGate?
  2. What benefit does a purchased (CA) security certificate offer over the built in certificate?
  3. What are the benefits of a commercial certificate (CA) over a self-signed certificate?
  4. Are all purchased (CA) certificates the same and are they all compatible with the FortiGate?
  5. If a business has a website that is externally hosted and a FortiGate and they would like a security certificate to apply to both the website and the local network (FortiGate), would this involve a different certificate?
  6. Any recommendations on where to get commercial (CA) certificates?
Thanks in advance for any help folks can provide.
 

FWF30E, FG50E, FWF50E, FG60D, FWF60D, FG60E, FG80E, FG100D
FortiOS 5.2, 5.4, 5.6, and 6.0
FortiSwitch FS-224E-POE
FAP-221E, FAP-221C
#1
emnoc
Re: Security Certificate Questions 2017/10/31 13:50:51 (permalink)
    Are purchased (CA) security certificates a good idea when doing deep packet (SSL) inspection on a FortiGate?
 
Typically you use your internal CA and publish that certificate via a Windows GPO or manual input (non-Windows devices). Read below for why it's good.
 
 

    What benefit does a purchased (CA) security certificate offer over the built in certificate?
 
Provides trust from a trusted CA chain, a big plus.
Provides a lifetime.
Low maintenance (no need to distribute or import for the most part).
 

    What are the benefits of a commercial certificate (CA) over a self-signed certificate?
 
Provides trust from a well-known CA chain; see above about management and import. You only need to import it into the FortiGate SSL proxy for inspection; a browser will typically honor the public-CA-issued cert if it's from a well-known CA.
 
 
    Are all purchased (CA) certificates the same and are they all compatible with the FortiGate?
 
Yes, they are compatible just like a self-signed one. Even a CA-issued cert is technically "self-signed" ;) Just make sure to get a cert from a well-known CA.
 
 
    If a business has a website that is externally hosted and a FortiGate and they would like a security certificate to apply to both the website and the local network (FortiGate), would this involve a different certificate?
 
A cert on a website, for example, is a server cert; the cert for the SSL proxy is a CA:TRUE certificate. Both follow X.509 but the purpose is NOT mutually the same. So yes, you need webserver certificate(s) and an SSL proxy certificate.

    Any recommendations on where to get commercial (CA) certificates?
 
Shop around: GeoTrust, Entrust, GoDaddy, etc. Cost could be a few hundred or so dollars, but they are affordable.

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#2
SecurityPlus
Re: Security Certificate Questions 2017/10/31 14:42:10 (permalink)
emnoc,
 
Thanks for the very helpful information! I sure appreciate the guidance you have provided.
 
If we wanted to protect both the hosted website and the LAN via the FortiGate, would we need to purchase two entirely separate certificate products?
 
Any idea how websites like www.bulkregister.com, www.thesslstore.com, www.SRSPlus.com, www.namecheap.com do at supplying SSL certificates?
#3
emnoc
Re: Security Certificate Questions 2017/10/31 18:27:33 (permalink)
Yes, you will need a server certificate for the website(s). As far as the 4 distributors, I've only used thesslstore for domain-validated certs and they are priced fair, and NameCheap for domain registrations; I've never purchased a certificate from them.
 
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#4
SecurityPlus
Re: Security Certificate Questions 2017/11/01 07:30:35 (permalink)
Just to confirm, would it require two different security certificates to protect both the externally hosted website and the LAN?
#5
emnoc
Re: Security Certificate Questions 2017/11/01 08:32:33 (permalink)
Yes.

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#6
Jirka
Re: Security Certificate Questions 2017/11/01 10:47:04 (permalink)
Guys,
can you send me a direct link to buy a recommended CA certificate that I can use for deep packet inspection?

Thank you!

Jirka
#7
emnoc
Re: Security Certificate Questions 2017/11/01 11:54:40 (permalink)
here
 
https://securebox.comodo.com/ssl-sniffing/ssl-inspection/
 
and  here
 
https://secure.instantssl.com/products/SSLIdASignup1a
 
but you need to start here and understand what you're doing, before you start doing ;)
 
http://cookbook.fortinet....ld-use-ssl-inspection/
 
 
 
As far as generating a CA:TRUE CSR, I like openssl. That's just my style, YMMV, and one of many methods that you can use. Google search for numerous tips, tricks, etc.
 
 
 
========================
#!/bin/bash
# this script is for making CSRs
#
# seed the names in a file named "file" (one CN per line) == the file we will read that information from
#
DATE=$(date +%s)

while read -r p; do
  # replace the placeholder "baby" in the template config with the current name
  sed -e "s/baby/$p/g" nwcfg.cnf > "$DATE.cnf"
  #
  # if you don't want encrypted keys use the -nodes switch instead of -passout
  #
  openssl req -config "$DATE.cnf" -extensions v3_req -sha256 -new -passout pass:foobar \
    -newkey rsa:2048 -batch -keyout "$p.key" \
    -subj "/C=US/ST=TX/L=Austin/O=SOCPUPPETS./OU=SSL_SOCPUPPETS/CN=$p" -out "$p.csr"

  # clean up temp config file
  rm "$DATE.cnf"
done < file
 
 
and in my  cfg file you toggle the  CA:TRUE
 
===========
 
[req]
# serial and days are only read by the x509/ca commands; req ignores them
serial = 1000
days = 730
default_keyfile        = privkey.pem
distinguished_name     = req_distinguished_name
req_extensions         = v3_req
# the script above passes -subj and -batch, so these fields are never prompted for
prompt                 = yes

[req_distinguished_name]
C  = US
ST = TX
L  = mydomaincity
O  = MYDOMAIN
OU = SSL_VPN_PROXY
CN = ssl_proxy_master
emailAddress = certificate@mydomain.com

[v3_req]
# CA:TRUE is what lets the resulting cert sign the certificates minted during SSL inspection
basicConstraints = CA:TRUE
# keyCertSign is the OpenSSL name for this usage ("CertSign" is not recognised and makes req fail)
keyUsage = keyEncipherment, dataEncipherment, keyCertSign, digitalSignature, nonRepudiation, keyAgreement
#subjectAltName = @alt_names
extendedKeyUsage = serverAuth,clientAuth

[alt_names]
 
 
 
Next,
 
depending on the CA you might need to convert the cert. Again openssl is your friend, or take your chances online
 
https://www.sslshopper.com/ssl-converter.html
 
Be advised, you should speak to the SSL CA sales/support staff on your needs and what you're trying to do. Not all CAs will sign the CSR and honor the CA:TRUE; some ignore parts of the CSR.
 
If it was me,
I would generate a self-signed cert and test it out in SSL inspection, and then once you feel comfortable acquire a public-signed cert.
 
 
e.g. (again using openssl)
 
  openssl genrsa -aes256 -out mycakey.pem 4096
  openssl req -x509 -new -nodes -extensions v3_ca -key mycakey.pem -days 1024 -out mycaroot.pem -sha512
  
Next, you can sign your own certificates as an in-house CA and do your testing for SSL inspection. Just import the CA public certificate and the certificate into your devices (i.e. macOS, Windows, Android, etc.)
 
 
YMMV, but you need to search the SSL cookbooks on the Fortinet site and read the thousands of articles on SSL inspection and MiTM.
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#8
SecurityPlus
Re: Security Certificate Questions 2017/11/04 10:01:00 (permalink)
Emnoc,
 
Thanks for the great information and links! We started with one cookbook. As helpful as this was it is hard for one document to cover every circumstance. I will need to read further.
 
Before I read your post we purchased a commercial certificate but later learned that the certificate needs to be based on a domain name or an IP address. The network uses a domain.local domain name which I understand certificate issuers won't be able to create a certificate for. And the IP address is a dynamic IP address not a static IP address. If the IP address changes I presume that we would need to update the certificate. Can you comment on a situation where a network does not use or does not have a commercial domain registration? Can you comment on a non-static IP address situation as well?
#9
SecurityPlus
Re: Security Certificate Questions 2019/03/31 20:22:01 (permalink)
Curious how CA certificates can be distributed to permit full SSL inspection (deep inspection) without certificate warnings. I read the following document but still have a few questions:
https://cookbook.fortinet.com/preventing-certificate-warnings-ca-cert-60
 
1. Mobile devices like smart phones and tablets will deal with. I see that it is necessary to install the certificate on Windows and Mac computers for the Internet Explorer, Chrome, Safari, and Firefox browsers. What about users on smart phones and tablets running the iOS or Android OS?
 
2. Can certificates be distributed via Group Policy for domain joined Windows computers using Internet Explorer, Chrome, Safari, and Firefox browsers?
 
3. Also, is there any easy way to distribute certificates to Mac computers?
 
Thanks!

FWF30E, FG50E, FWF50E, FG60D, FWF60D, FG60E, FG80E, FG100D
FortiOS 5.2, 5.4, 5.6, and 6.0
FortiSwitch FS-224E-POE
FAP-221E, FAP-221C
#10
SecurityPlus
Re: Security Certificate Questions 2019/04/26 22:03:43 (permalink)
Any feedback on the most recent questions?

Thanks

FWF30E, FG50E, FWF50E, FG60D, FWF60D, FG60E, FG80E, FG100D
FortiOS 5.2, 5.4, 5.6, and 6.0
FortiSwitch FS-224E-POE
FAP-221E, FAP-221C
#11
sw2090
Re: Security Certificate Questions 2019/04/28 23:26:05 (permalink)
Additionally: for deep inspection you need a certificate that is able to sign new certs, because deep inspection is somewhat man-in-the-middle. Your FGT will not accept a standard SSL server cert for this...
#12
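An added example, not code from any poster in this thread: it builds the kind of CA:TRUE self-signed CA that emnoc generates with openssl in #7 and then checks it for the property sw2090 names in #11, that an inspection CA must be able to sign certificates; a plain web-server certificate built the same way fails that check. It assumes openssl is on PATH; the names example-ssl-inspection-ca and www.example.test are constructed.

```shell
#!/bin/bash
# Added example (not from the thread): build an inspection-style CA the way post #7 does
# and check it for what post #11 requires: basicConstraints CA:TRUE plus keyCertSign.
# Assumes openssl (1.1 or 3.x) on PATH; the CN values used here are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed request config with two extension sections, selected via -extensions.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
# inspection CA: must be allowed to sign the certificates it mints on the fly
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
# ordinary web-server certificate: what a public CA sells for a website
[v3_srv]
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_cert <ext-section> <CN> <file-prefix>: self-signed cert, unencrypted key (demo only)
make_cert() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 30 \
    -config "$WORK/req.cnf" -extensions "$1" -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.pem" 2>/dev/null
  echo "$WORK/$3.pem"
}

# can_sign_certs <pem>: succeeds only if the cert carries CA:TRUE and Certificate Sign,
# i.e. the FortiGate could use it as the deep-inspection CA. Run it on a purchased
# cert before importing it, to see whether the CA actually honored CA:TRUE.
can_sign_certs() {
  local txt
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'CA:TRUE' && echo "$txt" | grep -q 'Certificate Sign'
}

CA_PEM=$(make_cert v3_ca example-ssl-inspection-ca proxy-ca)
SRV_PEM=$(make_cert v3_srv www.example.test www)
for pem in "$CA_PEM" "$SRV_PEM"; do
  if can_sign_certs "$pem"; then echo "can act as inspection CA: $pem"
  else echo "server certificate only, not usable for inspection: $pem"; fi
done
```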
boneyard
Re: Security Certificate Questions 2019/05/13 06:14:26 (permalink)
SecurityPlus, are you in control of those devices? If you are, then you might have an MDM (mobile device management) solution which you can use to distribute these CA certificates to your phones and tablets.
 
If you don't control the devices there isn't an easy solution. This is something more people run into with SSL inspection, so perhaps some googling will get you tools or software that can handle this.
 
In general you can't buy SSL CA certificates for inspection. If you could, then you would break the whole principle SSL certificates are based on.
#13
sw2090
Re: Security Certificate Questions 2019/05/14 23:55:46 (permalink)
Yes, you cannot buy a CA, but you can buy a sub-CA ...
#14
boneyard
Re: Security Certificate Questions 2019/05/15 00:07:11 (permalink)
Show me where I can buy a public sub-CA certificate, please?
#15