Troubleshooting Tip: How to resolve certificate verification error when FortiGate connects to FortiClient EMS
| Description | This article describes how to resolve the following error:
|
| Scope | FortiGate, FortiClient EMS. |
| Solution | The error "Failed to verify the certificate for server 'EMS 1 - ems'" means the device does not trust the server's security certificate, often due to missing root CAs, expired certificates, time sync issues, or incorrect server configuration.
Note: If custom certificates are used, the FortiGate must trust the entire certificate chain to authorize the FortiClient EMS server. If the root CA certificate has already been imported and the error persists, the most likely cause is that the intermediate CA certificate has not been correctly imported.
However, the following error is observed in the GUI even though the intermediate and root certificates are already present in FortiGate.
A wildcard certificate is being used in FortiClient EMS, under Web server Certificate in the FortiClient EMS Settings. Go to the URL of the FortiClient EMS server and check which root and intermediate certificates are in use.
In FortiGate, the intermediate and root certificates are found under the Remote CA section in System -> Certificates.
To resolve the issue, follow the steps below:
Next, in FortiClient EMS, install the same cert.pem bundle file in System Settings -> EMS Settings -> Web server Certificate. Once both certificates match, the EMS server will connect successfully on FortiGate.
Note: If the FortiClient EMS GUI is accessed from a machine with an endpoint proxy installed, the proxy may replace the GUI's SSL certificate with its own certificate. To retrieve the actual EMS certificate, disable the proxy or access the GUI from a network that does not use a proxy.
Troubleshooting Tip: EMS certificate not authorized |

