Digital Certificates Flashcards
How does FortiGate use digital certificates?
Inspection
Privacy (SSL connections)
Authentication
What standard of certificates does FortiGate support?
X.509v3
How does FortiGate validate certificates before trusting them?
Checks local CRL (serial number)
Reads Issuer field to see if it has the corresponding CA certificate.
Verifies date validity
Verifies the digital signature.
What is a fresh hash?
It is formed when FortiGate runs the digital cert through the specified hash algorithm.
What is the original hash?
It is when the CA runs the digital cert through its hashing algorithm and then encrypts it.
Does FortiGate need SSL to connect to FortiGuard?
Yes
What can SSL Certificate inspection help you secure? (three things)
Verify the identity of web servers
Web filtering
Application control
In order to allow FTG to act as a CA what two extensions need to be configured?
cA=True
keyUsage=keyCertSign
For SSL deep inspection: does FTG need to have a chain of CA certificates installed?
Yes, so that the client can verify and build a chain of trust.
What must you select in SSL/SSH inspection profiles to do outbound connections?
You must select Multiple Clients Connecting to Multiple Servers
What are the three options for untrusted SSL certificates?
Allow, Block, Ignore
What does allow Untrusted SSL certificates do?
FortiGate sends a temporary cert signed with its built-in Fortinet_CA_Untrusted certificate. A warning pops up on the browser.
What will happen if you don’t import the Fortinet SSL certificate into the user's browser?
A warning will be presented even if Fortinet trusts the original SSL certificate.
What will happen if you ignore untrusted browser certificates?
FortiGate sends a temporary cert for all trusted or untrusted certificates.
What does HPKP stand for?
HTTP public key pinning