Technical Tip: Unable to authorize EMS server with a custom certificate, even though the CA cert is imported correctly
| Description | This article describes how to resolve a scenario where the EMS server cannot be authorized even though there is the correct CA cert on the firewall. |
| Scope | FortiOS 7.x.x+. |
| Solution | When the EMS server uses a custom certificate signed by a custom CA, the chain for that certificate may include an intermediate certificate. That intermediate certificate is also required on the firewall in order to authorize the EMS server. To check for this, use OpenSSL to verify the certificate imported on the EMS server against the CA certificate. Here is a download for the OpenSSL binary: OpenSSL Binary Distributions for Microsoft Windows.
openssl verify -CAfile ca_cert.cer ems_cert.cer
Replace the file names with the CA certificate and the EMS certificate respectively.
If the chain contains an intermediate certificate, supply it with -untrusted:
openssl verify -verbose -CAfile ca_cert.cer -untrusted intermediate.cer ems_cert.cer
The following is the output of this command when the full chain is present:
  |
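The following is an added example, not part of the original article: a shell script that builds a constructed three-tier chain (root, intermediate, EMS leaf) and runs both checks from above, showing that verification against the root alone fails until the intermediate is supplied. The subject names and the helper function names are made up; the certificate file names mirror the article's commands.

```shell
#!/bin/sh
# Added example: constructed chain root -> intermediate -> EMS leaf.
# Subject names (demo-*) and function names are hypothetical.

build_chain() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    # Minimal config so the run does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    # One key and CSR per tier.
    for n in root inter ems; do
      openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -subj "/CN=demo-$n" -keyout "$n.key" -out "$n.csr" || exit 1
    done
    # Self-signed root; intermediate signed by root; leaf signed by intermediate.
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out ca_cert.cer || exit 1
    openssl x509 -req -in inter.csr -CA ca_cert.cer -CAkey root.key \
      -CAcreateserial -extfile ca.ext -days 2 -out intermediate.cer || exit 1
    openssl x509 -req -in ems.csr -CA intermediate.cer -CAkey inter.key \
      -CAcreateserial -extfile leaf.ext -days 2 -out ems_cert.cer || exit 1
  ) >/dev/null 2>&1
}

verify_root_only() {  # expected to fail: the leaf's issuer is not available
  openssl verify -CAfile "$1/ca_cert.cer" "$1/ems_cert.cer" >/dev/null 2>&1
}

verify_with_intermediate() {  # expected to pass: -untrusted fills the gap
  openssl verify -CAfile "$1/ca_cert.cer" \
    -untrusted "$1/intermediate.cer" "$1/ems_cert.cer" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir"
if verify_root_only "$demo_dir"; then
  echo "root only: OK"
else
  echo "root only: FAILED (intermediate missing)"
fi
if verify_with_intermediate "$demo_dir"; then
  echo "with intermediate: OK"
else
  echo "with intermediate: FAILED"
fi
```

A failure in the first check combined with a pass in the second indicates that the intermediate certificate is part of the chain and must be imported on the firewall alongside the root CA certificate.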
