Technical Tip: mTLS Certificate troubleshooting with proxy mode policy
| Description | This article describes how to troubleshoot when an intermediate certificate is used in mTLS. |
| Scope | FortiGate. |
| Solution | If mTLS client certificate authentication fails when an intermediate certificate is used, and the WAD debug shows an error similar to the logs below, the FortiGate cannot build the chain from the client certificate to the root CA because the intermediate CA is not configured. |

WAD debug output (the client certificate is rejected with the fail-reason `unable to get issuer certificate`):

```
[I][p:6711][s:1151737403] wad_vs_log_clt_cert_failure :98 19:mTLS: Traffic denied because cert auth failed, cert-cn xxx test1, cert-issuer:YYYY CA 2021, cert-status:failure fail-reason:unable to get issuer certificate
[I][p:6711][s:1151736856] wad_vs_ssl_port_caps_c2p_on_client_hello:10743 19:mTLS: wsp(0x7f81b07048) handshake recv ClientHello record 3.1 client 3.3 supported 3.4
[V][p:6711][s:1151736856] wad_vs_ssl_c2p_check_alpn :24145 wsp=0x7f81b07048, alpn=h2
[V][p:6711][s:1151736856] wad_vs_ssl_c2p_check_alpn :24154 wsp=0x7f81b07048, vs server set alpn http2
[V][p:6711][s:1151736856] wad_vs_proxy_match_vhost :4407 19:mTLS: matching vhost by: x.x.x.x
[V][p:6711][s:1151736856] wad_vs_matcher_map_find :764 Empty matcher!
[V][p:6711][s:1151736856] wad_vs_proxy_match_vhost :4410 19:mTLS: no host matched.
```

Configure the certificates as follows. First, set the root CA certificate as the user certificate CA:

```
config authentication setting
    set user-cert-ca "CA_Cert_root"     <----- Root CA certificate.
end
```

Then add the intermediate CA certificate as a trusted issuer, so that the chain from the client certificate to the root CA can be built:

```
config user certificate
    edit "trusted-ca"
        set type trusted-issuer
        set issuer "CA_Cert_Intermed"   <----- Intermediate CA certificate.
    next
end
```

To implement mTLS client certificate authentication, refer to this document: mTLS client certificate authentication
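The following is an added example, not part of the Fortinet article, that reproduces the missing-issuer condition with the openssl CLI: a constructed root -> intermediate -> client chain is verified against the root alone (fails, because the client certificate's issuer cannot be found) and then with the intermediate made available as an issuer (succeeds), which is the chain the configuration above makes available to the FortiGate. It assumes openssl is installed; all certificate names and files are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the missing-issuer
# failure with a constructed chain root -> intermediate -> client (mTLS cert).
# Assumes the openssl CLI is installed; all names and files here are constructed.
set -e
WORK="$(mktemp -d)"

make_chain() {
    cd "$WORK"
    # CA extensions for the root and the intermediate (needed for chain building)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    # Root CA: self-signed
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 1 \
        -extfile ca.ext >/dev/null 2>&1
    # Intermediate CA: issued by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out int.pem -days 1 -extfile ca.ext >/dev/null 2>&1
    # Client certificate (the mTLS cert): issued by the intermediate only
    openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=test1" >/dev/null 2>&1
    openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out client.pem -days 1 >/dev/null 2>&1
}

# Trust store holds only the root: the client cert's issuer (the intermediate)
# is nowhere to be found, so verification fails. This is the situation behind
# a fail-reason such as "unable to get issuer certificate".
verify_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/client.pem"
}

# Root as trust anchor plus the intermediate made available as an issuer:
# the chain client -> intermediate -> root builds, and verification succeeds.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/client.pem"
}

make_chain
verify_root_only || echo "root only: verification failed (expected)"
verify_with_intermediate && echo "root + intermediate: verification OK"
```

On the FortiGate the equivalent of `-untrusted int.pem` is the `trusted-issuer` entry for the intermediate CA, while `user-cert-ca` plays the role of `-CAfile root.pem`.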
