Stopping the “Connection is untrusted” message
When you first connect to a FortiGate unit with your web browser, a message may appear questioning the connection’s security. How do you prevent this?
When you see a “Connection is untrusted” type message, it means there is a problem with the certificate for the website you are connecting to.
Anytime you browse a website, you are using either HTTP or HTTPS. The difference between them is that HTTPS adds security. This security is in the form of certificates that identify the source as being legitimate. Without a valid certificate, the customer does not know whether it is really the true website, or whether a hacker hijacked their connection with malicious intent.
With FortiGate units, this message occurs for two reasons — because the default certificate used by the FortiGate unit is a self-signed certificate, and because the certificate is valid only for the FortiGate unit. To be trusted, a certificate must be signed by a known certificate authority (CA) that the web browser can verify. For example, if Fred’s certificate is signed by Bob, and Bob’s certificate is signed by Peter, then anytime someone checks Fred’s certificate they must be able to trace it back to Peter and verify that Peter is trustworthy. Any break in that chain, and Fred’s certificate is seen as untrustworthy.
Contact your ISP or other online services provider to get a trusted intermediate CA certificate for your FortiGate unit. When you are giving them the information, make sure it is clear where you will be using this certificate: on an internal network, a public facing website, or across your enterprise. Ensure it is a CA certificate as this allows you to sign certificates for local users for applications such as VPN.
Generally, online services providers include a form for you to fill out to create your certificate when you are paying for it on their website. However, another common method is to generate a certificate signing request (CSR) with an application like openssl. The CSR is sent to the certificate authority that will issue your certificate. They process the request, usually automatically, and return a certificate to the email address provided, based on the information in the CSR.
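The chain-of-trust rule and the CSR workflow described above, as an added example (not from the FortiGate documentation): the script generates CSRs with openssl, builds a constructed root → intermediate → device chain, and shows how `openssl verify` judges a self-signed certificate, a certificate whose intermediate is missing, and a complete chain. All names (Example Root CA, fortigate.example.test, and so on) are made up for the demo.

```shell
#!/bin/sh
# Added example, not FortiGate code. Requires the openssl command-line tool.
# Builds a constructed chain root -> intermediate -> device certificate plus a
# separate self-signed certificate, then checks each with `openssl verify`.
set -e
WORK=$(mktemp -d)

# Issue a certificate: $1 = file name, $2 = subject CN, $3 = issuer name
# (empty means self-signed), $4 = X.509 extensions written to an -extfile.
issue() {
    # Step 1: key pair and CSR, exactly what a CA expects to receive
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
    printf '%s\n' "$4" > "$WORK/$1.ext"
    # Step 2: the CA (or the key itself, when self-signed) signs the CSR
    if [ -z "$3" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
            -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
    fi
}

# Print "ok" or "fail" for one verification; all arguments go to openssl verify.
check() {
    if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

chain_demo() {
    CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
    LEAF_EXT='basicConstraints=CA:FALSE
subjectAltName=DNS:fortigate.example.test'
    issue root  "Example Root CA"         ""    "$CA_EXT"
    issue inter "Example Intermediate CA" root  "$CA_EXT"
    issue fgt   "fortigate.example.test"  inter "$LEAF_EXT"
    issue self  "FortiGate default"       ""    "$LEAF_EXT"  # stands in for the factory self-signed cert

    # 1) self-signed certificate, no trusted issuer: the browser's "untrusted" case
    # 2) CA-signed certificate but the intermediate is missing: a break in the chain
    # 3) root trusted and intermediate supplied: the chain verifies
    printf '%s %s %s\n' \
        "$(check "$WORK/self.pem")" \
        "$(check -CAfile "$WORK/root.pem" "$WORK/fgt.pem")" \
        "$(check -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/fgt.pem")"
}

chain_demo   # prints: fail fail ok
```

The second result is the case to watch for when installing a purchased certificate: if only the root is trusted and the intermediate is not installed alongside the device certificate, browsers still report the connection as untrusted.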
The certificate from the CA is a text file that contains the information you included in the CSR as well as details about the CA who issued the certificate, when it was issued and when it expires, and the “fingerprints” or encryption associated with it.
To install a CA certificate from your computer to the FortiGate unit, go to System > Certificates > CA Certificates and select Import. Browse to the certificate file, which is usually in .cer or .p12 format, and select it; the certificate is then installed on your FortiGate unit. You can verify this by refreshing the display to see the new certificate. It is displayed by name and subject, and you can select it for more in-depth details if you need to verify it.
Now, when you are using HTTPS or another SSL connection, your FortiGate unit will not generate “untrusted” certificate-based error messages.