haitouahman
Staff
March 25, 2026

Troubleshooting Tip: How to avoid the error 'Sign error' when connecting to Remote VPN with certificate based authentication

Description

This article describes how to troubleshoot a 'Sign failure' error encountered when attempting to connect to a remote VPN using FortiClient EMS with certificates.

Scope

FortiClient.

Solution

When connecting to a remote VPN via FortiClient EMS with certificates, a 'Sign failure' error can occur if the certificate used does not contain the associated private key. Certificates in .crt format typically only contain the public key and are insufficient for operations requiring a private key, such as signing during VPN authentication.



The issue can be resolved by using a signed certificate in .pfx (PKCS #12) format instead of a .crt certificate. Unlike .crt files, which typically contain only the public certificate, a .pfx file includes both the public certificate and its associated private key, which is required for VPN authentication.

 

Additionally, a signed certificate that includes the private key can usually be identified by its icon, which displays a small key symbol. This visual indicator confirms that the certificate contains the private key and is suitable for authentication purposes.

 

Note: A known issue also causes a disconnection with the 'sign failure' message if the certificate CN contains a comma, for example 'Surname, First Name'. This issue will be resolved in FortiClient versions 7.4.7 and 8.0.0.
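
Both conditions described above (a certificate without its private key, and a comma in the CN) can be checked from PowerShell instead of relying on the key icon. This is an added example, not Fortinet code; the function name `Test-VpnClientCertificate` is hypothetical, and it assumes a Windows endpoint with the client certificate in the current user's Personal store.

```powershell
# Added example (not Fortinet code). Assumption: the VPN client certificate
# is installed in the current user's Personal store on a Windows endpoint.
function Test-VpnClientCertificate {   # hypothetical helper name
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    Get-ChildItem -Path $StorePath | ForEach-Object {
        # SimpleName returns the subject CN when the certificate has one.
        $cn = $_.GetNameInfo($nameType, $false)

        $findings = @()
        if (-not $_.HasPrivateKey) {
            # Typical result of importing a .crt instead of the .pfx.
            $findings += 'no private key in store'
        }
        if ($cn -like '*,*') {
            # Known issue from the note above (fix planned for 7.4.7 and 8.0.0).
            $findings += 'CN contains a comma'
        }

        [pscustomobject]@{
            CN            = $cn
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey
            Findings      = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Test-VpnClientCertificate | Format-Table -AutoSize
```

If the certificate was imported for the computer rather than the user, pass `-StorePath 'Cert:\LocalMachine\My'`.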