Certificate for https traffic

Author: v20100
2018/04/18 20:52:21 (permalink)

Not sure it is in the correct thread.
Running on 200D 5.4.8
 
This is mainly for AV.
In order to detect viruses, we needed to add SSL/SSH inspection, and by selecting "Certificate Inspection" the firewall now detects viruses, but only for non-encrypted traffic.
As most of the traffic is now via https, we need to select "Deep Inspection" instead.
However, all the sites now come with certificate errors.
The engineer assigned to our case told us that we need to install the FortiGate certificate on all our workstations, which is not really possible: too many devices (Windows, iOS, Mac and Android) and too many browsers.
He said the alternative was to purchase a CA certificate and install it, but was not able to advise further.
 
Have many of you used that technique? I am guessing that it becomes more and more common to implement virus/malware scanning at the gateway level, and this would be the easiest method now that 90% of traffic is encrypted?
 
What CA would you recommend?
We already have a 'standard' certificate installed on the Fortigate for SSLVPN to avoid the errors.
When requesting the CA certificate, do we also use the same DNS name?
And it will not interfere with the current cert installed for SSLVPN?
 
Thanks in advance
#1
Philippe Gagne
Re: Certificate for https traffic 2018/04/19 04:09:49 (permalink)
Hi,
 
I deploy the Deep-inspection solution really often. You don't need to buy a CA certificate. There are some ways to achieve the goal:
 
- Have a CA certificate in your Active Directory.
or
- Build your own CA certificate and deploy it via GPO into the Trusted Root Certificates. That's my preferred!
 
SSLVPN and CA are used for two different purposes. The CA certificate is used to decrypt and then re-encrypt the traffic to the destination computer. That's the reason computers have to trust this CA as a known trusted CA.
 
To create a CA certificate, I'm using XCA; it works really fine: https://sourceforge.net/projects/xca/
 
Have a nice day.
 
Philippe
#2
MAK
Re: Certificate for https traffic 2018/04/19 04:28:00 (permalink)
Hello everyone,
 
We are doing A/V on our FortiWiFi 60E running FortiGateOS 6.0. We already purchased an SSL cert from a public CA. However, we have a problem uploading it into the certificate DB on the Forti60E. The CA sent a wildcard cert for our company along with an intermediate CA cert. The wildcard cert loads into the Forti60E certificate DB in the top Certificates section, while the intermediate CA cert loads into the External CA section. However, when selecting the cert in the policy for SSL deep inspection, only the local CA cert Forti_CA_SSL shows in the drop-down list, which is the default built-in Fortinet cert. How can we select from the External CA section for the SSL deep inspection cert??? Any help would be appreciated.
 
PS: We do have a local CA running, but this would require uploading the local CA cert into every device, which is not desired.
#3
ShawnZA
Re: Certificate for https traffic 2018/04/19 04:40:42 (permalink)
Create a browsing rule for yourself only, enable deep inspection, select the VPN cert and see if you get errors.... but if they recommend a CA cert then it might still cause issues, seeing you say it's a "standard" cert.
 
The CA cert will not cause issues with your VPN cert, as you will not be assigning the CA cert to the VPN config...
 
We rolled out the FortiGate cert (what a mission that is) so we are using that for now, but will probably also go the CA route at some point, as installing the FortiGate cert on devices is becoming a mission.
#4
emnoc
Re: Certificate for https traffic 2018/04/19 07:03:48 (permalink)
Wait
 
Do what was said before: build your own CA, and you still need to have that certificate installed and trusted on the client. So no matter what you do (private self-signed or whatever), the clients will need the certificate trusted.
 
The other option (please don't do this) is to remove certificate validation from the client. You could do this, but now any site would be valid since no validation has taken place.
 
 
That would be the equivalent of curl -k, for example.
 

The engineer assigned to our case, told us that we need to install the Fortigate certificate on all our workstations, which is not really possible. too many devices (windows, IOS, MAc and Android) and too many browsers

 
You have a CA certificate on the FortiGate now; export that one if you don't want to craft a new one. When support tells you these things they should explain the process.
 
http://docs-legacy.fortinet.com/fos40hlp/41/wwhelp/wwhimpl/common/html/wwhelp.htm?context=fgt&file=system_certificates.9.1.html
 
http://socpuppet.blogspot.com/2016/10/a-quick-and-sure-to-know-if-ssl.html
 
And FWIW, no commercial CA will blindly give you a CA intermediate certificate under normal means. Going to GoDaddy, for example, and buying a certificate gets you a "web server" certificate, not a CA cert. So keep that in mind.
 
 
 
Ken
 

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#5
MAK
Re: Certificate for https traffic 2018/04/19 10:52:10 (permalink)
So if I understand A/V SSL deep inspection correctly, it cannot be done unless it is a local CA root authority certificate? Public CAs such as GoDaddy only give an intermediate CA cert, which does not contain the private key, hence no good for A/V SSL deep inspection?? Yes or no?
 
Thanks
#6
kurtli_FTNT
Re: Certificate for https traffic 2018/04/19 11:03:38 (permalink)
Hi there,
   If you want to "see" the content of outgoing https traffic then installing the CA into clients is mandatory, whether the CA is yours or from the FGT. This is because the FGT now needs to do the deep inspection with certificate re-signing. If you only need to check the URL then certificate inspection can meet that need.
 
 
Thanks. 
#7
kurtli_FTNT
Re: Certificate for https traffic 2018/04/19 12:15:48 (permalink)
Hi MAK,
   If you want to use your CA to do the certificate re-signing rather than the built-in one, you have to upload both the CA and the key. This is because the FGT will use the 'key' + CA info to re-sign the certificates coming from the outside world. And yes, the public CAs usually won't give you the key of the intermediate CA cert, because if you have that key on hand, then you can sign other certificates with it as well, which means you become a sub-CA.
#8
v20100
Re: Certificate for https traffic 2018/04/19 14:54:30 (permalink)
Thanks everyone.
Still confused on what we can do or not!
As mentioned in the original post, we cannot deploy the certificates to clients, as we have too many device types, and many are not on AD/GPO.
 
I find it strange that Fortinet does not have a built-in public certificate that should be used for this. Surely, if it says it can scan for viruses/etc. on the fly, it should provide the facility out of the box!
 
It sounds like it is technically difficult to implement this.
 
kurtli_FTNT, you seem to have managed to get it going without deployment to each device. Sorry, my knowledge about 'certificates' is not that great. Can you please elaborate on the steps to upload the CA and key?
 
Has anybody been able to get AV scanning for HTTPS traffic without deploying a certificate to each device and browser?
 
Thanks
#9
emnoc
Re: Certificate for https traffic 2018/04/19 15:44:38 (permalink)

I find it strange that Fortinet does not have a built-in public certificate that should be used for this. Surely, if it says it can scan for viruses/etc on the fly, it should provide the facility out of the box!
 

 
They (FTNT) have a self-signed CA-type certificate, not publicly known. If they did what you are asking they would have to pay big bucks to join WEBCAB to have their CA cert trusted by all of those devices "you need the cert on", since you don't want to distribute the cert. FTNT is not in the business as a CA.
 

It sounds it is technically difficult to implement this.
 

 
No, it's really not that hard ;) Your understanding of the process is not clear. Injecting a MiTM is not something done easily if you want it to work. You don't wake up and deploy an HTTPS MiTM device and think it's going to work, much like the US space program doesn't place a rocket engine on a pair of wings and think it will fly to Mars ;)
 
 
You do have one more option that could be explored, which requires NO cert and will only work for HTTP/HTTPS/FTP but has other gotchas.
 
If your goal is to inspect HTTPS/HTTP, define the FortiGate as an explicit proxy and then you can do all that you want without deploying certs across devices. You will still need to publish the proxy to the clients, which is the gotcha (WPAD or PAC).
 
 

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#10
blackhole_route
Re: Certificate for https traffic 2018/04/20 15:57:40 (permalink)
emnoc
You do have one more option that could be explored, and  which requires NO cert and only will work for  HTTP/HTTPS/FTP  but has other gotchas
 
If your goal is to inspect HTTPS/HTTP , defined the fortigate as explicit proxy and then you can  do all that you want with out deploying certs across devices. You will still need to publish the proxy to the clients which is the gotcha ( WPAD or PAC )
 


This is incorrect as far as I'm aware. Even in explicit proxy deployments, SSL interception with a signing certificate is still required. With explicit proxy, the FGT does have the domain being requested, provided by the CONNECT from the client. But the SSL handshake is proxied (not terminated) on the FortiGate, and therefore it is unable to inspect the HTTP payload inside the SSL connection unless SSL deep inspection (aka SSL interception or MITM) is used.
post edited by blackhole_route - 2018/04/20 16:26:37
#11
localhost
Re: Certificate for https traffic 2018/04/23 13:22:33 (permalink)
I find it strange that Fortinet does not have a built-in public certificate that should be used for this. Surely, if it says it can scan for viruses/etc on the fly, it should provide the facility out of the box!

 
It's not possible to buy such a public intermediate CA certificate! This would totally break SSL encryption. You'd be able to fake every SSL website/service worldwide.
Public intermediate CA certificates will be limited to specific domains, for which you are allowed to issue certificates. This is not what you need for deep SSL inspection.
 
With a private CA, you can do anything you want, like creating your own SSL certificates for www.ubs.com, www.paypal.com, etc.
This is exactly what the FortiGate is doing when deep SSL inspection is enabled. It's decrypting the SSL connection, and creating a new encrypted connection with its own CA certificate. It will generate a new connection because it does not have the private key for the website or the CA it's intercepting (in my example Verisign & online.citi.com). So a 'deep inspected' SSL connection to online.citi.com is divided into two separate connections.
 
online.citi.com <--1--> fortigate <--2--> internal computer
 
1: public trusted certificate. Signed by VeriSign Class 3 Public Primary CA
2: privately trusted certificate. Signed by YourFortigate
 
There is no easy way around here. If you want to open and inspect SSL connections, you have to create your own CA certificate and deploy it, or use the one which is already on the FortiGate and deploy that one.
If there is not enough knowledge to set up your own PKI, I suggest you deploy the CA certificate already on the FortiGate.
 
Btw, this is not a FortiGate/Fortinet limitation, this is just how SSL interception works.
 
Also note: you thoroughly need to test this before enabling it globally, because it will most likely not work with some services/applications you are using right now.
#12
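A client-side check for the two-leg picture localhost draws above, added here as an example (it is not code from this thread or from Fortinet): the chain a client receives is verified first against the OS trust store alone and then against a store holding only the private inspection CA, which tells you whether leg 1 or leg 2 is what the client sees. The host, the PEM path and the embedded sample certificate dict are constructed placeholders.

```python
import socket
import ssl

# Constructed sample of what getpeercert() returns on leg 2 (FortiGate <-> client):
# the leaf keeps the site's name but is issued by the private inspection CA.
SAMPLE_RESIGNED_CERT = {
    "subject": ((("commonName", "online.citi.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp FortiGate Inspection CA"),)),
}


def name_to_dict(rdn_sequence):
    """Flatten the tuple-of-tuples name form used by SSLSocket.getpeercert()."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


def describe_cert(cert):
    """Return (subject CN, issuer CN) of a parsed peer certificate dict."""
    subject = name_to_dict(cert.get("subject", ()))
    issuer = name_to_dict(cert.get("issuer", ()))
    return subject.get("commonName"), issuer.get("commonName")


def verdict(trusted_by):
    """Map which trust store accepted the chain onto what the user is seeing."""
    return {
        "system": "direct: leaf chains to a public root (leg 1 reaches the client)",
        "inspection-ca": "re-signed: leaf chains to the inspection CA (leg 2)",
        None: "untrusted: re-signed, but the inspection CA is not installed here",
    }[trusted_by]


def probe(host, inspection_ca_pem, port=443, timeout=5.0):
    """Verify the presented chain against two stores, one after the other:
    the OS store alone, then a store that holds only the inspection CA."""
    attempts = (
        ("system", ssl.create_default_context()),
        ("inspection-ca", ssl.create_default_context(cafile=inspection_ca_pem)),
    )
    for label, ctx in attempts:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    return label, describe_cert(tls.getpeercert())
        except ssl.SSLCertVerificationError:
            continue  # this store does not trust the presented chain
    return None, (None, None)


if __name__ == "__main__":
    import sys
    host, ca_pem = sys.argv[1], sys.argv[2]  # e.g. online.citi.com inspection-ca.pem
    trusted_by, (subject_cn, issuer_cn) = probe(host, ca_pem)
    print(f"{host}: subject={subject_cn} issuer={issuer_cn}")
    print(verdict(trusted_by))
```

Run it from a workstation behind the FortiGate before and after deploying the CA: the verdict moves from "untrusted" to "re-signed", while a site excluded from deep inspection stays "direct".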
emnoc
Re: Certificate for https traffic 2018/04/23 14:17:40 (permalink)
Agreed.
 
The bottom line: the OP needs to determine what certificate to use and how to deploy it to the web clients.
 

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#13
Deepakkhw
Re: Certificate for https traffic 2018/12/02 20:39:01 (permalink)
Hi,
Can I purchase a Certificate Authority that allows Decrypt and Scan without needing to deploy anything to clients?

No, you cannot. HTTPS is designed so that you cannot. Consider the implications if this was not true. If you took your phone to a coffee shop and logged on to their free wifi to do banking, would you like the coffee shop to be able to see all your bank account information? Because your phone is communicating with the bank's website using HTTPS, and because the coffee shop cannot spy on the traffic without you getting a warning, you know that communication is secure. A coffee shop (or your company) cannot use a Sophos web proxy to silently decrypt all HTTPS traffic without the user allowing it, either by having them install a CA or go through browser warnings.

You must use the CA that comes with the firewall or create your own CA certificate, which can be a self-signed root. Your Microsoft Active Directory also has its own Certificate Authority (see Active Directory Certificate Services) where you can create an intermediate/leaf CA that you can use within the firewall.

If it were possible to purchase a signing CA that is ultimately authenticated by a public root CA, it would break the whole trust model on which SSL authentication is based. The trust model depends on the organizations who control the trusted root certificates being selective and applying strict criteria about when they allow a certificate to be signed. For example, they should only sign a certificate for google.com if the person requesting the certificate can prove that they control that domain.

But if they issued a certificate to a third party that could be used to sign whatever certificate that third party likes, they would basically be delegating the ability to create and sign certificates for ANY domain that would be trusted automatically by ANY browser. It would allow the purchaser of that certificate to set up their own website and pretend to be google.com, or facebook.com, or wellsfargo.com or anyone they like, and browsers would just accept it.

Regards,
Deepak Kumar
#14
emnoc
Re: Certificate for https traffic 2018/12/03 07:05:25 (permalink)
Agreed 100% with Kumar's analysis.
 
Ken Felix

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#15
Hasanen Bashir
Re: Certificate for https traffic 2018/12/03 13:56:43 (permalink)
Hey,
 
You need a CA; create a CSR and after that attach it to your device. Let me know if you still have difficulties and I'll support you.
#16
Abed ALR
Re: Certificate for https traffic 2018/12/04 00:13:05 (permalink)
Hi,
 
AFAIK, yes, you need to install the FortiGate certificate on all the workstations in order to trust the firewall in inspecting your workstation traffic, using certmgr.msc from cmd. I think you can do this via GPO if there are many workstations.
This is true not only in FortiGate environments; we used to do that in other environments using other vendors' proxies.

Thanks
#17
sw2090
Re: Certificate for https traffic 2018/12/04 23:38:47 (permalink)
v20100,
 
For your basic understanding:
 
If you want to inspect encrypted connections you do have to use deep inspection - correct so far!
Basically, in this case your FortiGate has to do something like a man-in-the-middle (MitM). This means it has to catch the encrypted connection and decrypt it, inspect it, and then re-encrypt it and hand it on to the client.
To encrypt you need the private key for the certificate, and your FGT will of course not have the private keys of remote-side certificates. So the FGT must use its own certificate to do this. For this Fortinet shipped the FGTs with a self-signed Fortinet certificate plus CA certificate, which is used by default. Since it is self-signed you will indeed have to roll the Fortinet CA certificate out to your clients to enable them to validate that certificate. Otherwise your clients will give you certificate errors like you reported.
 
Since you would, AFAIR, need a sub-CA certificate for deep inspection, which you might not get in public as someone wrote before, the best solution will be to set up your own CA, publish its CA certificate to your clients and the FGT, and then generate the sub-CA with it. I'd btw recommend initializing certificate generation for an FGT by creating a CSR on the FGT, because it then already has the keys.
 
That's also the way I do it here.
 
#18
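The private root plus sub-CA setup that sw2090 describes above (and Philippe in #2, with kurtli's point in #8 that the signing side must hold the key), built with the third-party Python `cryptography` library as an added example; this is not code from the thread or from Fortinet, and the organisation and CN strings are constructed placeholders. The sub-CA key pair is generated separately and only its CSR goes to the root, mirroring a CSR created on the FGT.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

ORG = "Example Corp"  # constructed placeholder organisation


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, ORG),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _ca_builder(subject, issuer, public_key, days, path_length):
    """CA:TRUE plus keyCertSign is what turns a certificate into a signing CA,
    which is exactly what a public CA will not issue to a customer."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=path_length), critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=True, key_cert_sign=True, crl_sign=True,
                content_commitment=False, key_encipherment=False, data_encipherment=False,
                key_agreement=False, encipher_only=False, decipher_only=False), critical=True))


def make_root_ca(cn="Example Corp Private Root CA"):
    """Self-signed root: only this certificate (never its key) goes to the clients."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _ca_builder(_name(cn), _name(cn), key.public_key(), 3650, 1).sign(key, hashes.SHA256())
    return key, cert


def make_device_csr(cn="Example Corp FortiGate Inspection CA"):
    """Key pair and CSR made on the device side; the private key stays there."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = x509.CertificateSigningRequestBuilder().subject_name(_name(cn)).sign(key, hashes.SHA256())
    return key, csr


def sign_sub_ca(root_key, root_cert, csr):
    """Root issues the sub-CA with path_length=0: it may sign leaf certs, not more CAs."""
    return _ca_builder(csr.subject, root_cert.subject, csr.public_key(), 1825, 0).sign(root_key, hashes.SHA256())


def chain_is_valid_ca(root_cert, sub_cert):
    """What a client holding the root checks: root signature and a CA:TRUE sub-CA."""
    root_cert.public_key().verify(sub_cert.signature, sub_cert.tbs_certificate_bytes,
                                  padding.PKCS1v15(), sub_cert.signature_hash_algorithm)
    bc = sub_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    return bc.ca and sub_cert.issuer == root_cert.subject


def build_inspection_pki():
    root_key, root_cert = make_root_ca()
    sub_key, csr = make_device_csr()
    sub_cert = sign_sub_ca(root_key, root_cert, csr)
    return root_cert, sub_key, sub_cert
```

Deploy `root_cert` (PEM) to the clients' trust stores; the FGT gets `sub_cert` together with `sub_key`, which is the "CA + key" pair kurtli refers to.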
© 2018 APG vNext Commercial Version 5.5