HTTPS and replacement messages

Author
Wurstsalat
2017/12/29 05:56:22

Hi there,
we are currently running FortiOS 5.6.2.
So it works so far except for one thing: when we try to browse an unknown address such as https://12351.heise.de, we get a certificate warning because it uses the factory default CA certificate to generate the certificate for the replacement message site. Our clients reach the Internet through an explicit proxy.

So we checked our SSL/TLS inspection profiles; all profiles except the factory defaults use CA certificates which are trusted by our clients, and it works for all sites which are reachable. So far we don't see where else we can configure this behaviour.

The factory default profiles can't be changed to a trusted cert; in the CLI we get
"Cannot modify the read-only factory default profiles!
object set operator error, -657 discard the setting
Command fail. Return code -657"
 
So how can we configure the FortiGate to issue the certificate for unknown sites/IPs with our own CA certificate?
 
Hope someone can help
post edited by Wurstsalat - 2017/12/29 06:36:15
#1


    Wurstsalat
    Re: HTTPS and replacement messages 2018/01/07 22:11:16
    Does no one have any idea on this?
    #2
    oheigl
    Re: HTTPS and replacement messages 2018/01/08 01:43:26
    You don't use any factory default SSL/TLS profiles? Did you check the settings in the CLI? There is one certificate which can't be set via the web interface:
     
    set caname "Fortinet_CA_SSL"
    set untrusted-caname "Fortinet_CA_Untrusted"
     
    Check if these are not the default ones but your own certificates.
    #3
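
The check suggested in the reply above, as an added example that is not part of the original thread: a Python script that scans a FortiGate configuration backup for `config firewall ssl-ssh-profile` entries whose `caname` or `untrusted-caname` is still a factory default. The sample config and its profile and certificate names are constructed, and treating an omitted setting as the factory default is an assumption.

```python
import re

# Factory-default CA names quoted in the reply above.
DEFAULT_CAS = {"caname": "Fortinet_CA_SSL",
               "untrusted-caname": "Fortinet_CA_Untrusted"}

# Constructed sample backup excerpt (not from the thread); the profile and
# corporate certificate names are hypothetical.
SAMPLE_CONFIG = '''
config firewall ssl-ssh-profile
    edit "corp-deep-inspection"
        config https
            set ports 443
        end
        set caname "Corp_Internal_CA"
    next
    edit "corp-cert-inspection"
        set caname "Corp_Internal_CA"
        set untrusted-caname "Corp_Untrusted_CA"
    next
end
'''

def audit_ssl_profiles(config_text):
    """Return {profile: [(setting, value), ...]} for profiles on a default CA."""
    findings, depth, sect, profile, cas = {}, 0, None, None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config firewall ssl-ssh-profile":
                sect = depth          # also found when nested under a VDOM
        elif line == "end":
            sect = None if depth == sect else sect
            depth -= 1
        elif depth == sect:           # profile level, not a nested sub-block
            m = re.match(r'(edit|set \S+) "?([^"]*)"?$', line)
            if m and m.group(1) == "edit":
                # Assumption: a setting absent from the backup keeps its default.
                profile, cas = m.group(2), dict(DEFAULT_CAS)
            elif m and profile and m.group(1)[4:] in cas:
                cas[m.group(1)[4:]] = m.group(2)
            elif line == "next" and profile:
                hits = [(k, v) for k, v in cas.items() if v == DEFAULT_CAS[k]]
                if hits:
                    findings[profile] = hits
                profile = None
    return findings
```
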