Wildcard certificate for deep SSL inspection? How to???

Author
Philippe ASTIER
2018/08/06 07:03:53 (permalink)

Hi all,
 
I know this has been debated many times, but still can't solve it.
 
I have a valid wildcard SSL certificate which I am trying to import into my FortiGate. Of course, I have all the relevant information, including the private key.
 
No matter what I do, it gets imported to "Certificates" rather than "Local Certificates". I can use it as my Fortinet certificate, I can use it for VPN SSL, but I can not use it for deep inspection.
 
I'm trying different formats, but the result is always the same. Is there any valid procedure for that?
#1
Bromont_FTNT
Re: Wildcard certificate for deep SSL inspection ? How to ??? 2018/08/06 07:16:35 (permalink)
Is that wildcard cert also a signing certificate? (CA:TRUE) Unlikely.... You'll need to create your own and import your root/intermediate into your workstations.
#2
Philippe ASTIER
Re: Wildcard certificate for deep SSL inspection ? How to ??? 2018/08/06 07:21:21 (permalink)
Well CA:FALSE.... Damn.
 
Let's put it the other way round.
I need to do deep inspection, and can NOT deploy a certificate, as there will be many guests to which I can not deploy it.
 
Any plan for this ?
#3
emnoc
Re: Wildcard certificate for deep SSL inspection ? How to ??? 2018/08/06 08:52:07 (permalink) (marked helpful by Philippe ASTIER 2018/08/06 08:55:00)
Impossible; you need to deploy a certificate or the web browser will get cert-issuer errors. If you want MITM you are forging certificates on the fly, and the CA (the FortiGate) has to be trusted. No way around this.
 
You could also look at explicit proxy, but you have to provide the proxy details to the client.
 
Ken

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#4
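As an added example (not code from this thread, from Fortinet, or from any of the posters), the two points made in replies #2 and #4 can be reproduced with plain OpenSSL: first the "is it CA:TRUE?" check that the original poster's wildcard certificate fails, then the on-the-fly forging that an inspecting firewall does with its own CA, and finally the browser-side verdict with and without that CA in the trust store. It assumes a POSIX shell and an `openssl` binary of version 1.1.1 or later; every certificate is generated in a temporary directory, and the names used (Lab TLS Inspection CA, *.example.com, www.example.com) are made up for the example.

```shell
#!/bin/sh
# Added example (not from this thread or from Fortinet). Assumes openssl >= 1.1.1
# on PATH. All certificates are constructed here on the fly, in a temp dir.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Private config so the system openssl.cnf cannot add extensions behind our back.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.com
EOF

# is_ca_cert CERT.pem: succeed only if the certificate is a signing CA, i.e. it
# carries basicConstraints CA:TRUE *and* a keyUsage that includes keyCertSign
# (RFC 5280 requires both on a CA certificate). This is the check from reply #2.
is_ca_cert() {
    text="$(openssl x509 -in "$1" -noout -text)"
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || return 1
}

# forge_leaf HOSTNAME: what the inspecting firewall does for each intercepted TLS
# session: mint a key and a server certificate for that hostname, signed by the
# inspection CA. Prints the path of the forged certificate.
forge_leaf() {
    host="$1"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$CFG" -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 1 -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" 2>/dev/null
    printf '%s\n' "$WORK/$host.pem"
}

# verify_as_client TRUSTED_CA.pem HOSTNAME CERT.pem: emulate the browser's check.
# Succeeds only if CERT chains to TRUSTED_CA and is valid for HOSTNAME.
verify_as_client() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# 1. The kind of certificate the original poster has: a wildcard *server* cert.
#    (Self-signed here for brevity; one issued by a public CA is CA:FALSE too.)
WILDCARD_CERT="$WORK/wildcard.pem"
openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$CFG" -extensions v3_leaf -subj "/CN=*.example.com" -days 30 \
    -keyout "$WORK/wildcard.key" -out "$WILDCARD_CERT" 2>/dev/null

# 2. What deep inspection actually needs: a private CA (cert + key) that the
#    firewall can sign with. This pair is what gets imported as the inspection CA;
#    the cert alone (no key) is what gets pushed to the workstations.
CA_CERT="$WORK/inspection-ca.pem"
CA_KEY="$WORK/inspection-ca.key"
openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$CFG" -extensions v3_ca -subj "/CN=Lab TLS Inspection CA" -days 365 \
    -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null

# 3. Forge a certificate for an intercepted site and judge it as a browser would.
FORGED="$(forge_leaf www.example.com)"

for c in "$WILDCARD_CERT" "$CA_CERT"; do
    if is_ca_cert "$c"; then
        echo "$(basename "$c"): CA:TRUE, usable as an inspection CA"
    else
        echo "$(basename "$c"): CA:FALSE, cannot sign forged certificates"
    fi
done
if verify_as_client "$CA_CERT" www.example.com "$FORGED"; then
    echo "client that trusts the inspection CA: forged certificate accepted"
fi
if ! verify_as_client "$WILDCARD_CERT" www.example.com "$FORGED"; then
    echo "client that does not trust it (e.g. a guest device): certificate error"
fi
```

The last two checks are the whole argument of the thread in miniature: the forged certificate is accepted only by a client whose trust store contains the inspection CA, and that is exactly what cannot be arranged for unmanaged guest devices. The wildcard certificate is never a usable trust anchor for forged certificates, whatever format it is imported in, because its issuer never granted it keyCertSign.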
Philippe ASTIER
Re: Wildcard certificate for deep SSL inspection ? How to ??? 2018/08/06 08:56:28 (permalink)
Seems totally logical. Explicit Proxy is not a bad idea at all.
 
What would be a solution is to inspect the traffic but pass the original traffic on to the client, without re-encryption....
 
#5
SecurityPlus
Re: Wildcard certificate for deep SSL inspection ? How to ??? 2018/08/09 21:54:35 (permalink)
There is not a way on the FortiGate to decrypt/inspect the traffic and then, if the traffic passes inspection, pass the original traffic on to the client without re-encryption, as Philippe asked above, is there?
#6