Installing the Default FortiGate SSL Cert on the iPads using AirWatch

If SSL inspection is enabled on a firewall policy, the FortiGate's SSL cert must be installed on the end devices. If the cert is not installed, the device will display errors when attempting to access HTTPS websites. You can choose to continue to the website despite the error, but it is annoying to have to do so.

The FortiGate portion of this document is copied from

When full SSL inspection is used, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when a user receives a security certificate warning, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.

  1. Generate a unique certificate on the FortiGate by running the following CLI command: exec vpn certificate local generate default-ssl-ca
  2. Download the certificate used for full SSL inspection from the FortiGate.
    1. Go to Security Profiles > SSL/SSH Inspection. Use the dropdown menu in the top right corner to select deep-inspection, the profile used to apply full SSL inspection.
    2. The default FortiGate certificate is listed as the CA Certificate. Select Download Certificate.
  3. Create a profile in AirWatch to install the cert on the iPads.
    1. Create a new profile and configure the Credentials option.
    2. Set the Credential Source dropdown menu to Upload.
    3. Click Upload and upload the newly downloaded cert file.
      1. The Credential Name field should be automatically filled in and information about the cert displayed under the Certificate section.
    4. Save and publish the profile.
      1. You can verify the cert has been installed on an iPad by confirming that it is listed on the iPad in Settings→General→Device Management→Profile(Workspace Services)→More Details.
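
The check below is an added example, not part of the original page or of Fortinet's or AirWatch's tooling. It computes the SHA-256 fingerprint of the certificate file downloaded in step 2 (PEM or DER) and compares it with a fingerprint read off the device, so you can confirm the iPad trusts the certificate generated in step 1 and not some other CA. It assumes the certificate details view shows a SHA-256 fingerprint; the function names and the sample bytes are this example's own.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes, NOT a real certificate: a fingerprint is just a
# hash over the DER encoding, so any byte string starting with 0x30 serves here.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (used to build the constructed sample)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def cert_to_der(data: bytes) -> bytes:
    """Return DER bytes from a file holding exactly one PEM or DER certificate."""
    blocks = PEM_RE.findall(data)
    if len(blocks) > 1:
        raise ValueError("file holds %d certificates, expected one" % len(blocks))
    if blocks:
        return base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("neither PEM nor DER certificate data")
    return data


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Upper-case hex digest of the certificate's DER encoding."""
    return hashlib.new(algo, cert_to_der(data)).hexdigest().upper()


def matches(data: bytes, shown: str, algo: str = "sha256") -> bool:
    """Compare against a fingerprint copied by hand (spaces or colons allowed)."""
    cleaned = re.sub(r"[\s:]", "", shown).upper()
    return fingerprint(data, algo) == cleaned


if __name__ == "__main__":
    # Usage: script.py <downloaded cert file> [fingerprint shown on the device]
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else to_pem(SAMPLE_DER)
    print("SHA-256:", fingerprint(raw))
    if len(sys.argv) > 2:
        print("match" if matches(raw, sys.argv[2]) else "MISMATCH")
```

Record the fingerprint when you download the certificate; a mismatch on a device means it holds a different CA than the one the FortiGate is signing with.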
  • Last modified: 2019/03/15 17:32