Hsharma
Staff
October 4, 2024

Technical Tip: Unable to connect to SSL VPN due to 'Certificate check error failed'

Description

This article describes a solution for users who are unable to connect to the SSL VPN due to PKI authentication failure.

It applies when users are unable to authenticate with PKI authentication and the error 'certificate check error failed' is observed in the debugs.

Scope

FortiGate.
Solution

SSL VPN is configured to authenticate using the client certificate, but the user is unable to connect to the VPN.

In the SSL VPN debugs, the following error appears:

 

kb1.jpg

 

This issue appears when the PKI user created on the firewall is not configured correctly.

 

config user peer
    edit "ABC"
        set ca CA_Cert_1
        set subject 'C =SG, ST =abc, L =abc, O =xyx, OU =User1, CN =User01, emailAddress =domain.com'
    next
end

 

The subject of the certificate in use has a space on both sides of the '=' in each attribute (for example, C = SG, ST = abc). However, the subject on the firewall is configured without the space after the '=' (C =SG, ST =abc). As the debugs show, the firewall configuration and the certificate therefore do not match, and the user is not authenticated.

 

After adding the spaces in the FortiGate configuration, as in set subject C = SG, ST = abc, L = abc, O = xyx, OU = User1, CN = User01, emailAddress = domain.com, the user should be able to authenticate.
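
A quick way to tell a spacing mismatch from a real attribute mismatch before editing the peer entry, as an added example (not from the original article or from Fortinet). It assumes the configured subject must equal the certificate subject text, as the symptom above indicates; the function names are hypothetical and the sample strings are constructed from the article's values.

```python
# Added example: classify why a configured peer subject fails to match a
# certificate subject. Sample strings are constructed from the article's values.

def split_dn(dn):
    """Split 'C = SG, ST = abc' into [(attr, value), ...] with whitespace trimmed.
    Assumption: no commas or escaped '=' inside attribute values."""
    pairs = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attr=value pair: {part!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs

def compare_subjects(cert_subject, configured_subject):
    """Return 'match', 'whitespace-only mismatch' or 'different attributes or values'."""
    if cert_subject == configured_subject:
        return "match"
    if split_dn(cert_subject) == split_dn(configured_subject):
        return "whitespace-only mismatch"
    return "different attributes or values"

def differing_segments(cert_subject, configured_subject):
    """List (certificate, configured) segment pairs whose raw text differs."""
    cert_parts = cert_subject.split(",")
    conf_parts = configured_subject.split(",")
    return [(c, f) for c, f in zip(cert_parts, conf_parts) if c != f]

# Constructed inputs: the certificate subject and the misconfigured peer subject.
CERT_SUBJECT = ("C = SG, ST = abc, L = abc, O = xyx, OU = User1, "
                "CN = User01, emailAddress = domain.com")
CONFIGURED = ("C =SG, ST =abc, L =abc, O =xyx, OU =User1, "
              "CN =User01, emailAddress =domain.com")

if __name__ == "__main__":
    print(compare_subjects(CERT_SUBJECT, CONFIGURED))
    for cert_seg, conf_seg in differing_segments(CERT_SUBJECT, CONFIGURED):
        print(f"certificate {cert_seg!r} vs configured {conf_seg!r}")
```

A result of "whitespace-only mismatch" means the fix is to copy the subject into the peer entry exactly as the certificate prints it, spaces included.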