FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
warshad
Staff
Article Id 201261
Description This article describes how to fix an issue seen after a FortiToken Mobile app upgrade, where users receive an 'invalid server certificate: FortiToken Mobile cannot validate the server certificate' error after pressing Approve/Deny on the push notification request.
Scope FortiAuthenticator and FortiGate
Solution

There are multiple ways to address this issue. Which one applies depends on the current setup:

1. Preferred: use a publicly trusted CA-signed certificate on the FortiAuthenticator that contains, in its subject, the FQDN configured under Administration -> System Access -> FQDN/Public IP. The respective steps:

    a. Import the server certificate as .p12 (PKCS12) or as separate .cer + .key files (only these two options work).

    [Screenshot: 2_trusted_CA_IMPORT.png]

    b. Import the public intermediate CA certificate that signed the server certificate.

    [Screenshot: 3_webserver_cert_CHANGE.png]

    c. Lastly, select the certificates. When the change is applied, the web server of FortiAuthenticator restarts. That affects administrative sessions, the captive portal, and SAML users.

    d. In the screenshot example, an IP address is set for 'Public IP/FQDN for FortiToken Mobile'. It should instead be the actual FQDN that end users can resolve, and it must match the Subject CN of the 'HTTPS certificate'. Staying with the example, it would be portal.forti.lab.

As an alternative to 1., an MDM that manages the user base can install a trusted internal CA on the end users' devices. That CA may then also be used to sign the certificate on the FortiAuthenticator as per the first step.

2. Enable 'Allow connection to an unverified server' in the Security settings in the Info section of the FortiToken Mobile application. This is not recommended, since end users should not be taught to ignore certificate warnings; these appear for a reason.
3. On FortiGate, the same steps as in 1. can be followed. However, the certificate imported under System -> Certificates can only be used for FortiToken Mobile push in the CLI section 'config system ftm-push', together with the server FQDN. More information can be found in this Technical Tip: FortiToken mobile push notification.
4. Upgrade to the latest FortiToken Mobile version available on the app stores.
5. Reassign the FortiToken the affected user has (FTKMOB....).
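A pre-flight check for option 1, added here as an example script (not from the article or Fortinet): before step c restarts the web server, confirm that the leaf certificate chains to the CA bundle you imported and that it covers the FQDN that will be set for FortiToken Mobile. It assumes openssl is in PATH and uses the article's example name portal.forti.lab.

```shell
#!/bin/sh
# Does the certificate FortiToken Mobile will see chain to a trusted CA, and
# does it cover the FQDN configured under Administration -> System Access ->
# FQDN/Public IP? Names used (portal.forti.lab, PEM paths) are assumptions.

# Fetch the chain the FortiAuthenticator currently presents on the push
# endpoint, e.g.: fetch_chain portal.forti.lab 443 > served.pem
fetch_chain() {
    fqdn="$1"; port="${2:-443}"
    openssl s_client -connect "$fqdn:$port" -servername "$fqdn" -showcerts \
        </dev/null 2>/dev/null \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Check a leaf certificate file against the FQDN and the CA bundle.
# Return codes: 0 = OK, 1 = chain not trusted, 2 = FQDN not covered.
#   $1 = FQDN end users resolve, $2 = leaf PEM, $3 = CA bundle PEM
#   (intermediate plus root, the same CA material imported in step b)
check_cert() {
    fqdn="$1"; leaf="$2"; cafile="$3"
    if ! openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1; then
        echo "FAIL: $leaf does not chain to a CA in $cafile" >&2
        return 1
    fi
    # -checkhost matches the FQDN against the SAN DNS entries, falling back
    # to the Subject CN only when the certificate carries no DNS SAN at all;
    # an IP address in the CN (the mistake in the screenshot) does not match.
    if ! openssl x509 -in "$leaf" -noout -checkhost "$fqdn" \
            | grep -q 'does match'; then
        echo "FAIL: $leaf does not cover $fqdn (check Subject CN / SAN)" >&2
        return 2
    fi
    echo "OK: $leaf is trusted and covers $fqdn"
    return 0
}
```

Run `check_cert portal.forti.lab server.pem ca-bundle.pem` against the files you are about to import; a non-zero return means the app will show the same validation error after the restart.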

 

More technical information on option 1 is in this article: Best practices on hardening FortiAuthenticator.

More information about troubleshooting FortiToken Mobile push messages is in our Technical Tip: FortiToken Push on FortiAuthenticator: operation flow and details.

More information about why ignoring certificate warnings is a bad idea is in this Technical Tip: TLS and the use of Digital Certificates.