Table of Contents
Introduction
When browsing the web through a Fortinet firewall that intercepts HTTPS traffic, your device might show a certificate warning. This happens because the Fortinet appliance presents its own certificate for SSL inspection. If your device does not trust the Fortinet root certificate, you’ll see an error message.
Impact:
- Interrupted secure web access
- Confusing error messages for end users
- Potential security risks if users bypass warnings
Understanding the Error Message
What Is a Root Certificate?
A root certificate is the top-level certificate in a chain of trust. It signs one or more intermediate certificates, which in turn sign end-entity (server) certificates.
- Root Certificate: Must be installed in your operating system or browser’s trusted certificate store.
- Intermediate Certificates: Bridge the trust between the root and server certificates.
Diagram of a Certificate Chain:
How Fortinet Uses SSL Inspection
Fortinet appliances perform SSL/TLS inspection by decrypting HTTPS traffic, scanning it for threats, and then re-encrypting it before sending it to the client. To do this, the appliance generates and presents a certificate that mimics the destination website.
- Why the Error Occurs:
If your device hasn’t been configured to trust the Fortinet Certificate Authority (CA), it will reject the certificate, leading to the error.
Reference: See community discussions on Fortinet certificate errors.
Troubleshooting the Issue
Step 1: Verify Fortinet Configuration
Check SSL Inspection Settings
- Log into the FortiGate Management Interface:
Navigate to Policy & Objects > Security Profiles. - Review the SSL Inspection Profile:
Confirm that the deep SSL inspection (or certificate inspection) profile is enabled.
Step 2: Download the Fortinet Root Certificate
How to Download the Certificate
- Access the Certificate Settings:
Log into your FortiGate appliance and go to Security Profiles > SSL/SSH Inspection. - Download the Certificate:
Locate the certificate labeled “Fortinet_CA_SSL” (or a similar name) and click on Download Certificate.
Note: Ensure that the certificate version matches your FortiGate firmware and inspection configuration.
Step 3: Install the Certificate on Client Devices
For Windows Clients
- Open the Certificate File:
Double-click the downloaded certificate file. - Launch the Certificate Import Wizard:
Click Install Certificate. - Select Local Machine:
Choose Local Machine and click Next. - Choose the Store:
Select Place all certificates in the following store and choose Trusted Root Certification Authorities. - Complete the Wizard:
Click Finish and, if prompted, confirm the installation. Restart your browser afterward.
For macOS Clients
- Open the Certificate:
Double-click the certificate file to open it in Keychain Access. - Install the Certificate:
Drag the certificate into the System or login keychain. - Set Trust Settings:
Double-click the certificate, expand the Trust section, and set it to Always Trust. - Restart the Browser:
Close and reopen your browser to apply the new settings.
For Firefox Clients
Firefox maintains its own certificate store:
- Open Firefox Options:
Go to Options (or Preferences) > Privacy & Security. - Manage Certificates:
Scroll down to the Certificates section and click View Certificates. - Import the Certificate:
In the Authorities tab, click Import, select your Fortinet CA certificate, and choose to trust it for website identification. - Restart Firefox:
Restart Firefox for changes to take effect.
Step 4: Verify and Test the Installation
- Check the Certificate Chain in Your Browser:
Click the padlock icon in your browser’s address bar when visiting an HTTPS site. Ensure the Fortinet root certificate appears as part of the certificate chain. - Use Online Tools:
Run your site through online tools like SSL Labs’ SSL Test to verify that the full certificate chain is correctly served.
Best Practices and Prevention
Automating Certificate Distribution
- Windows Domain Environments:
Use Active Directory Group Policy to automatically distribute the Fortinet CA certificate to all domain-joined machines. - Mobile Devices and Macs:
Use a Mobile Device Management (MDM) system to push the certificate to end devices.
Regular Certificate Management
- Monitor Expiry Dates:
Regularly check the expiry dates of your Fortinet CA certificate and update as necessary. - Firmware Updates:
Keep your FortiGate firmware up to date to ensure that SSL inspection and certificate handling work optimally.
Educating End Users
- Inform Users About Certificate Warnings:
Educate your team on the importance of proper certificate installation so they know not to ignore warnings without proper validation.
Frequently Asked Questions (FAQ)
Why am I receiving this error message?
This error indicates that your device does not trust the Fortinet certificate because the required root certificate is missing from your trusted store.
Where can I download the Fortinet root certificate?
Log into your FortiGate appliance, navigate to Security Profiles > SSL/SSH Inspection, and download the certificate (often labeled “Fortinet_CA_SSL”).
How do I install the certificate on different operating systems and browsers?
- Windows: Use the Certificate Import Wizard to add the certificate to the Trusted Root Certification Authorities store.
- macOS: Use Keychain Access to install the certificate and set it to “Always Trust.”
- Firefox: Import the certificate via Firefox’s certificate manager under the Authorities tab.
Can I bypass SSL inspection to avoid this error?
While you can create exceptions to bypass SSL inspection on certain sites, this may reduce overall network security. It is best practice to install the certificate on client devices.
Comments