Certificates Flashcards
Which attribute or extension identifies the owner of a certificate?
The subject name
Which configuration requires FortiGate to act as a CA for full SSL inspection?
Multiple clients connecting to multiple servers
Which inspection mode can protect your LAN devices from encrypted malware?
Deep inspection
What certificate standard does FortiGate use?
X.509v3
Who acts as the FortiGate OCSP responder?
FortiAuthenticator
What does FortiGate check before trusting and using a certificate?
- Revocation check
- CA certificate possession (issuer)
- Validity dates
- Digital signature validation
How does FortiGate verify a digital signature?
- Runs certificate through a hash function/algorithm
- FortiGate hash result must match the CA result
What is SSL inspection mode used for?
- Web filtering
- Application control
What does SSL inspection do?
- FortiGate inspects the certificate and packet header
- Then, checks for a match between the site visited and the certificate presented
What does FortiGate act as in full SSL inspection?
Man-in-the-middle proxy
What is a difference between SSL inspection and full SSL inspection?
- SSL inspection does not decrypt packets
- Full SSL inspection decrypts and encrypts packets using its own keys
- In full SSL inspection, FortiGate can inspect the traffic
How do sessions work in full SSL inspection mode?
- Two separate SSL sessions are maintained
- Client-To-FortiGate, and FortiGate-to-server
Where can you select the SSL inspection mode?
At the firewall policy level
What are the pre-defined SSL profiles?
- no-inspection
- deep-inspection
- certificate-inspection
What should you do if you want to modify an SSL profile?
- Use custom deep-inspection
- Pre-defined profiles cannot be modified
Why might you exempt sites from SSL inspection?
- Problems with traffic (e.g. HSTS)
- Legal issues
How does FortiGate inspect encrypted traffic?
Intercepts the certificate coming from the server, then generates a temporary one
What certificate is installed by default on FortiGate?
- A self-signed encrypting SSL CA certificate
- Fortinet_CA_SSL
How would you avoid warnings on a user device when using the default FortiGate Self-Signed certificate?
- Install CA certificate Fortinet_CA_SSL as a trusted CA on user devices (import into browsers)
- Install a company CA certificate on FortiGate for full SSL inspection
What is a certificate requirement for full SSL inspection?
Requires that FortiGate acts as a CA to generate an SSL private key and certificate
What is the default SSL inspection profile?
no-inspection
What are limitations of the no-inspection profile?
- No web filtering
- No application control
Where can you find the FortiGate HTTPS Server Certificate?
System > Settings
What functions would you need to import a private certificate for?
- FortiGate GUI
- SSL-VPN tunnels
What error is NET::ERR_CERT_AUTHORITY_INVALID indicative of?
HSTS issues
What is a possible workaround for sites with an HSTS requirement that are having issues?
- Exempt websites from full SSL inspection
- Use SSL certificate inspection instead
- Adjust browser settings