Has Fortinet issued a TLS cert for my domain?



  • I run a web site and email server for purely personal purposes on a VPS. I created a self-signed cert for the server and installed the relevant CA cert as a profile on my iPhone as well as on desktop Firefox. This has worked fine for a long time.

    Just now, connected to no event I can identify, the iPhone claims the server cert is not trusted. Upon inspecting the cert on the phone, I see that it has been issued by Fortinet rather than my self-created CA. The DNS entries are the same as are the validity dates. The key length is different (mine: 3072, theirs: 2048).

    As of now, Firefox on the desktop is still working as before. The cert files on the server have not changed.

    This has me a bit nervous. Can anyone shed light on what might be going on here?



  • After a bit of back and forth with the OP in the comments following the question, it turns out that the OP was only experiencing this problem on his iPhone when his iPhone was connected to his workplace's network (presumably by WiFi).

    The most likely explanation for this was that his workplace may have implemented Fortinet's security product at the perimeter of its network, to protect all of the devices on its network. To do this, the security product must do 'deep packet inspection' to inspect traffic in and out of the network for viruses, malware, etc. To do this, the security product must essentially MITM all SSL/TLS connections. To do this, Fortinet's CA certificate must be installed on all devices on the network.

    While the workplace may be able to install Fortinet's certificate on company-owned devices, they most likely are not able to do so on employee-owned devices (like OP's iPhone). The fact that Fortinet's certificate was not installed on OP's iPhone is probably the most plausible explanation for the certificate error that OP was getting when he tried to reach his own site from his iPhone while connected to his company network. If that's the case, then others connecting personal devices to the same network probably experienced similar problems. Realizing the problems caused by what they were doing, it seems that the workplace may have disabled the security product (at least for the part of the network where employees can connect their own devices).
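A quick way to confirm this kind of interception from any network is to pin the SHA-256 fingerprint of your own server certificate and compare it with whatever certificate is actually served on the current connection; an intercepting proxy copies the subject and validity dates (as the OP saw), but it cannot reproduce the fingerprint. The script below is an added example, not code from the question or the answer; `HOST` and `PINNED_SHA256` are placeholders you replace with your own host and the fingerprint printed by `openssl x509 -in server.crt -noout -fingerprint -sha256`.

```python
"""Compare the certificate a network actually serves against a pinned fingerprint."""
import hashlib
import socket
import ssl

# Assumed placeholder values: substitute your own host and the fingerprint of
# the certificate file on your server (openssl x509 -noout -fingerprint -sha256).
HOST = "example.com"
PINNED_SHA256 = "AB:CD:EF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC"


def normalize_fingerprint(fp: str) -> str:
    """Accept openssl's 'AB:CD:..' form or bare hex; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, which is what openssl's -fingerprint prints."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate the current network serves for host.

    Verification is disabled on purpose: on an intercepting network the chain
    does not validate against your own CA, and the point is to look at the
    substituted certificate anyway. Nothing else is sent over the connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def classify(der: bytes, pinned: str) -> str:
    """'expected' if the served certificate matches the pin, else 'substituted'."""
    if sha256_fingerprint(der) == normalize_fingerprint(pinned):
        return "expected"
    return "substituted"


if __name__ == "__main__":
    served = fetch_leaf_der(HOST)
    print(HOST, sha256_fingerprint(served), classify(served, PINNED_SHA256))
    # Print the PEM so the issuer can be inspected with: openssl x509 -noout -issuer
    print(ssl.DER_cert_to_PEM_cert(served))
```

Run it once from a network you trust (it should report `expected`) and again from the workplace WiFi; a `substituted` result there, with a different issuer in the printed PEM, is the interception the answer describes.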


