Yuri Slobodyanyuk Blog on Information Security, 12 September 2024
Fortiweb Cookbook: Most Basic Setup - One website, add HTTPS support, Round Robin load balancing between two physical servers, all protections on Alert only, Host header filtration
This article describes how to enable HTTPS between clients and Fortiweb for yurisk.com, covering creation of the certificate signing request, import of the SSL certificate and enabling of the HTTPS service.

🎯 First, create the certificate signing request (CSR) used to issue the SSL certificate. On an Ubuntu server, generate the private key yurisk.com.priv.key and the CSR file yurisk.com.request.csr; the private key must be kept secure.

📄 Next, use yurisk.com.request.csr to apply for the SSL certificate; a free 30-day certificate can be obtained from instantssl.com. After downloading the certificate yurisk_com.crt, import it, together with any intermediate certificates, into Fortiweb.

🔒 Finally, enable the HTTPS service and set the SSL certificate to use in the Server Policy. In this setup Fortiweb performs all SSL encryption and decryption, which is called SSL offloading.

Task: Taking the basic setup a step further, let's enable the HTTPS protocol between clients and Fortiweb for yurisk.com.

Solution.

Step 1. Create certificate signing request (CSR) to use in issuing the SSL certificate.

I will use Ubuntu server. It does not have to be a server actually hosting the website yurisk.com as long as I have the private key used in generating this CSR file.

Here I create a private key yurisk.com.priv.key and a CSR yurisk.com.request.csr. While you can produce the private key file unencrypted by adding the -nodes option, this is highly discouraged in production, as anyone holding this key can impersonate the website behind its SSL certificate.

openssl req -newkey rsa:2048 -keyout yurisk.com.priv.key -out yurisk.com.request.csr
Generating a RSA private key
................................+++++
..............................................................................................+++++
writing new private key to 'yurisk.com.priv.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IL
State or Province Name (full name) [Some-State]:Jerusalem
Locality Name (eg, city) []:Jerusalem
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Yurisk Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:yurisk.com
Email Address []:yuri@yurisk.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@ubuntu1:~#

Now I can use yurisk.com.request.csr to issue the SSL certificate. For this lab I used instantssl.com to get a free 30-day certificate, but of course any SSL CA provider will do. Once issued, I downloaded the ready-to-use certificate as a file yurisk_com.crt and can move to step 2.

Step 2. Import SSL certificate and potentially intermediate certificates into Fortiweb.

System -> Certificates -> Local -> Import ....

I use here the password set when generating the private key earlier on Ubuntu server.

The result looks like:

Step 3. Enable the HTTPS service and set the SSL certificate to use in Server Policy.

Policy -> Server Policy -> Edit ....

NOTE: I did not enable HTTPS or change the configuration of the Apache servers at all. The connection between Fortiweb and the Apache servers stays cleartext on port 80. This is called SSL offloading: all SSL-related encryption and decryption is done by Fortiweb alone, to take these tasks off the physical servers.
It is of course also possible to enable an SSL connection between Fortiweb and the internal servers.

Verify

For verification, let's open https://yurisk.com in a browser. Also, to make sure the policy only alerts on attacks rather than blocking them, I will run dirbuster against the website.

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.
