
SSL Certificates installed to FortiGate firewalls

DCiAdmin

Always room to learn a bit more
Administrator
iHF Legend
WCG Team Member
#1
Does anyone have experience with SSL certificates? I've re-downloaded my SSL certificates to potentially fix an issue with the company's public websites and iPhones. The download includes nothing but .CRT files. I'm not finding clear instructions to complete my task to upload to my Fortinet units. In each download I have 4 files - AddTrustExternalCARoot.crt, OV_NetworkSolutionsOVServerCA2.crt, OV_USERTrustRSACertificationAuthority.CRT, and the STAR.MyWebSite.COM.crt file.

Everything talks about Local Certificates, CA Certificates, and Private Keys. 3 of the 4 files have the Begin Key / End Key but they aren't in the format I would expect. Ugh.... Why aren't there clear instructions for any of this?
 

DCiAdmin

Always room to learn a bit more
Administrator
iHF Legend
WCG Team Member
#3
The only thing that makes sense of that to me is that it looks like I might need to have the certificate reissued. And that may still be the case. These certificates were originally issued in 2015 when SHA-1 was the top security format. That has since moved to SHA-2, and I *think* that might be why Safari is griping. I'm not sure that my certs have SHA-2 authentication built-in.

I don't believe I have the wrong thing, I'm just not sure that I have the right thing. If that makes any sense.
 

DCiAdmin

Always room to learn a bit more
Administrator
iHF Legend
WCG Team Member
#7
By the way. You need to check your browser security settings before you condemn your Cert. :)
Safari is showing the cert for the company's web sites as invalid. Windows browsers don't have the issue. As the certs have been in place on my firewalls for about 18 months, I'm guessing that Safari had an update that has blown things up. Either that or the certs went corrupt somehow. Hence my limited attempt to reupload freshly downloaded copies. Either way, ugh...
 

DCiAdmin

Always room to learn a bit more
Administrator
iHF Legend
WCG Team Member
#9
Valid, but I don't control the end user access. The firewall is the only part of this that's relevant to my control, so I've got to do something with the certificates. I am not expecting that a fresh upload of newly downloaded certs from 2015 will sort this. As your previous link stated, it likely comes down to a reissue.
But unfortunately, I'm stumped at the reupload to even begin testing. What downloaded from the Certificate Authority isn't quite what is being asked for by the firewall.
 

DCiAdmin

Always room to learn a bit more
Administrator
iHF Legend
WCG Team Member
#11
Sadly, multiple reports from iOS devices using Safari. I was able to duplicate the issue on a test Mac that we have in the office.
 

Lord Chance

iHelpForum Jester & Door Greeter
iHF Veteran
Advisor
WCG Team Member
#12
I have not done Cert levels in years M'Lady. It all depends on the Admin interface of the Web Server. If it is an outdated key then other browsers should complain. But if the SHA-1 key is becoming obsolete then it is time to update the Cert. As this may be the case from what I am seeing.
 

DCiAdmin

Always room to learn a bit more
Administrator
iHF Legend
WCG Team Member
#14
Multiple times. I keep rereading it and it still doesn't make sense. At least, not with what I've got downloaded.
 

Lord Chance

iHelpForum Jester & Door Greeter
iHF Veteran
Advisor
WCG Team Member
#15
You should only have to enter the Cert information and key then let the interface generate or regenerate the Cert. If you use another Cert Authority then you would import the Cert. The files in your first post are what has been generated and if I miss my guess need to be deleted and regenerated.
 

Lord Chance

iHelpForum Jester & Door Greeter
iHF Veteran
Advisor
WCG Team Member
#17
I'm about to run out but will reread later what you just said. That *almost* gets through to me. btw, "similar threads" shows this from 11/23/2016
Yes. I have seen that and other references as such thus my comment about updating the Cert. :)

Have a good time. :)
 

Lord Chance

iHelpForum Jester & Door Greeter
iHF Veteran
Advisor
WCG Team Member
#18
Doing some research, it appears your CA is Network Solutions. The four .crt files are created using the key provided to your CA. Since I am not familiar with Fortinet I won't be much help with installing/generating the SSL Cert. By the way, one of those .crt files is for legacy browsers.

  • AddTrustExternalCARoot.crt
  • OV_NetworkSolutionsOVServerCA2.crt
  • OV_USERTrustRSACertificationAuthority.crt
  • STAR.MYWEBSITE.COM.crt
You will use all the above files EXCEPT AddTrustExternalCARoot.crt. It is a legacy file for use in circumstances (for example, an Intranet) where very old legacy browsers are used.

As I remember it the Local Cert is generated by the Root CA or Server. The CA Cert is generated by the Cert Authority and the Private Key is used by the CA to generate the CA Cert. Make sense? :)
 

DCiAdmin

Always room to learn a bit more
Administrator
iHF Legend
WCG Team Member
#19
Oooo, that might make sense. I'll get the FortiGate pulled up so I can review directly against what it is requesting. Thank you, LC!
 

DCiAdmin

Always room to learn a bit more
Administrator
iHF Legend
WCG Team Member
#20
And the answer is.....
It is not possible to do what I was trying - to download an existing certificate and reupload to the FortiGate. The cert must be reissued to install, so the PDF that you suggested, LC, has the answer.

I had reviewed that durn PDF numerous times and refused to believe that what I wanted to do was impossible. But a discussion today with Nilesh from Fortinet proved that to be the only answer. I have successfully created a CSR, requested reissue, and installed 1 of my 2 SSL certs. And yes, the reissued cert with latest SHA2 encryption did resolve the issue with DCi's websites viewed on Safari on a Mac. 1 more cert to complete reissue and reinstallation and hopefully all will be well tomorrow.

btw, Network Solutions said that their methods of updating encryption technologies shouldn't require a cert reissue, but sometimes. Ugh...

Solved :)
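As an added example that is not part of this thread (not from the posters, Fortinet or Network Solutions): a stdlib-only Python script that inspects a downloaded .crt the way posts #18 and #20 describe the situation. It classifies each PEM block, so you can see that a CA re-download with no PRIVATE KEY block cannot be imported as a FortiGate Local Certificate (hence the CSR and reissue), and it reads each certificate's signature-algorithm OID to tell a SHA-1 cert from a SHA-2 reissue. The two sample certificates are constructed minimal skeletons (empty tbsCertificate, dummy signature), not real Network Solutions certificates.

```python
import base64
import re

SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",     # the thread's 2015-era certs
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}  # the reissued SHA-2 certs

def der_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out
def decode_oid(raw):
    """Turn DER OID contents into dotted notation (base-128 arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if b < 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
def pem_blocks(text):
    """Return (label, der_bytes) for every PEM block in a file's text."""
    pat = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()))) for m in pat.finditer(text)]

def inspect_pem(text):
    """Per PEM block: the signature algorithm for certificates, a flag for key blocks."""
    report = []
    for label, der in pem_blocks(text):
        if label == "CERTIFICATE":
            _tbs, (_, sig_alg), _sig = der_children(der_tlv(der)[1])  # SEQ { tbs, sigAlg, sig }
            oid = decode_oid(der_children(sig_alg)[0][1])
            report.append((label, SIG_OIDS.get(oid, oid)))
        else:
            report.append((label, "key material, not a certificate"))
    return report
def has_private_key(text):
    """A FortiGate Local Certificate needs this block; a CA's re-download never contains it."""
    return any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(text))

# Constructed minimal certificate skeletons (empty tbsCertificate, dummy signature) for the demo.
_PEM = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n"
SHA1_CRT = _PEM.format(base64.b64encode(bytes.fromhex("30153000300d06092a864886f70d010105" "0500030200aa")).decode())
SHA256_CRT = _PEM.format(base64.b64encode(bytes.fromhex("30153000300d06092a864886f70d01010b" "0500030200aa")).decode())
```

Run `inspect_pem` over each of the four downloaded files: all of them report only CERTIFICATE blocks, and `has_private_key` is False for every one, which is exactly why the FortiGate asks for something the download does not contain.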