strongX509
Explorer
September 12, 2022
Question

Why does FortiGate send self-signed Root CA Certificate in IKEv2 CERT payload?

  • September 12, 2022
  • 1 reply
  • 2503 views

Irrespective of whether the FortiGate server certificate is directly issued by a Root CA or by an Intermediate CA, the Root CA is always sent to the IPsec VPN client in the CERT payload of the IKE_AUTH response. This doesn't make any sense since no peer is going to trust a self-signed certificate received via an untrusted channel. Omitting the unnecessary Root CA certificate would help to reduce the number of IKEv2 fragments needed to transmit the huge IKE_AUTH response.
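The receiving side of the situation described in the question, as an added example that is not part of this thread and not FortiOS or strongSwan code: a small Go program (standard library only) that builds a constructed Root CA, Intermediate CA and gateway leaf, treats the certificate list from a CERT payload the way a verifier should, discards any self-signed entry it receives, and validates the leaf only against locally configured trust anchors. Names, the helper functions and the assumption that the list is non-empty with the end-entity certificate first are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a sample certificate for cn signed by parent; with parent == nil it is self-signed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyPeer models how a receiver should treat a CERT payload list (assumed non-empty,
// end-entity certificate first): later entries are candidate intermediates, and any
// self-signed entry (such as the Root CA the question says is always included) is dropped,
// because a trust anchor delivered over the untrusted channel itself carries no trust.
func verifyPeer(received []*x509.Certificate, localRoots *x509.CertPool) (dropped int, err error) {
	inters := x509.NewCertPool()
	for _, c := range received[1:] {
		// A certificate whose signature verifies under its own public key is self-signed.
		if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
			dropped++
		} else {
			inters.AddCert(c)
		}
	}
	_, err = received[0].Verify(x509.VerifyOptions{Roots: localRoots, Intermediates: inters})
	return dropped, err
}
```

Verification succeeds only when the Root CA is already in the local pool, and it succeeds equally well whether or not the peer included that root in the payload, which is the point of the question.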

1 reply

pminarik
Staff
Staff
September 14, 2022

Hi strongX509,

For better or worse(?), this is a consistent pattern in TLS as done by FortiGates.

You will see the same behaviour with admin GUI, SSL-VPN, captive portals, HTTPS-type server-load-balancing VIPs, ...


It doesn't technically break anything, which is, I assume, the reason why this has never been addressed.

FortiJ
New Member
November 4, 2025

This is not correct. RFCs specify that the chain should be included while the root CA should not. Also, the SSL Labs check shows an error if the root CA is sent by the server. So the FortiGate that is acting as an SSL server must comply with the RFC.

pminarik
Staff
Staff
November 4, 2025

Strictly speaking, the topic is IKEv2. This is not SSL/TLS, and the FortiGate is not acting as an SSL server.