btan, Staff & Editor
Article Id 324511
Description

This article explains why Android FortiClient shows an 'untrusted certificate' warning even though the FortiClient EMS or VPN gateway presents a valid certificate.

Scope

Android FortiClient v7.0.x, v7.2.x:

  • When FortiClient EMS already shows 'All SSL certificates are secure'.
  • When devices on other platforms (Windows, macOS, iOS) do not show an 'untrusted certificate' warning when joining FortiClient EMS or connecting to a VPN gateway, and only Android devices show the 'untrusted certificate' warning.

Solution

  • Android is stricter than other platforms about the server being configured with the FULL certificate chain, including ALL intermediate certificates.
  • Android devices do not carry ALL intermediate certificates locally, so if the server does not send them a FULL certificate chain cannot be formed, hence the 'invalid certificate' message.
  • The Android platform itself requires a full certificate chain before a portal/FQDN is considered trusted.

To verify, use OpenSSL to query the FQDN and port. For example, for fortigate.company.com.au:11443:

$ openssl s_client -showcerts -connect fortigate.company.com.au:11443
CONNECTED(000001C0)
depth=0 CN = fortigate.company.com.au
verify error:num=20:unable to get local issuer certificate  <---------
verify return:1
depth=0 CN = fortigate.company.com.au
verify error:num=21:unable to verify the first certificate  <---------
verify return:1
depth=0 CN = fortigate.company.com.au
verify return:1

If a FQDN has a valid FULL certificate chain, the output looks like this (note that the command needs -connect, which was missing here):

$ openssl s_client -showcerts -connect random.contoso.com.au:443
CONNECTED(000001B8)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1
verify return:1
depth=0 C = AU, ST = Victoria, L = Port Melbourne, O = Random-company, CN = random.contoso.com.au
verify return:1
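Added example, not part of the original article: a small Python helper that runs the same OpenSSL query and classifies its output, so the 'missing intermediate' case can be spotted without reading the raw text. The two sample outputs are constructed from the article's own examples, and the hostnames and function names are assumptions.

```python
import re
import subprocess

# Constructed sample: a gateway that sends only its leaf certificate.
INCOMPLETE_CHAIN_OUTPUT = """CONNECTED(000001C0)
depth=0 CN = fortigate.company.com.au
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = fortigate.company.com.au
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = fortigate.company.com.au
verify return:1
"""

# Constructed sample: a server that sends leaf + intermediate, chaining to a
# root already present in the local trust store.
COMPLETE_CHAIN_OUTPUT = """CONNECTED(000001B8)
depth=2 C = US, O = DigiCert Inc, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = GeoTrust TLS RSA CA G1
verify return:1
depth=0 C = AU, O = Random-company, CN = random.contoso.com.au
verify return:1
"""

# OpenSSL verify error codes that mean the path to a trusted root could not
# be built from what the server sent, i.e. intermediates are missing.
CHAIN_ERRORS = {20: "unable to get local issuer certificate",
                21: "unable to verify the first certificate"}


def analyse_s_client(output):
    """Return (chain_complete, deepest_depth, error_codes) from s_client text."""
    depths = [int(d) for d in re.findall(r"^depth=(\d+)", output, re.M)]
    errors = sorted({int(n) for n in re.findall(r"^verify error:num=(\d+)", output, re.M)})
    deepest = max(depths) if depths else -1
    # A complete chain reaches at least the issuer (depth >= 1) with no chain errors.
    complete = deepest >= 1 and not any(code in CHAIN_ERRORS for code in errors)
    return complete, deepest, errors


def query_gateway(fqdn, port):
    """Run the article's command against a live host (network required)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-showcerts", "-connect", f"{fqdn}:{port}"],
        input="", capture_output=True, text=True, timeout=15)
    # s_client prints the depth/verify lines on stderr and the certs on stdout.
    return analyse_s_client(proc.stdout + proc.stderr)
```

If `query_gateway` reports errors 20 or 21, the fix is on the server side: install the intermediate certificate(s) so the full chain is served, rather than relaxing the Android warning.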

Other websites, commonly known as SSL checkers, can also be used to validate the certificate chain. These tools help confirm that the full certificate chain is being sent and is properly configured.

[Figure: example SSL checker output when a FQDN does not have a FULL certificate chain]


In conclusion:

  • If an FQDN does not have a full certificate chain, this behavior is expected on the Android platform.
  • It is not possible to bypass the warning prompt in telemetry if the FortiClient EMS certificate does not have a FULL certificate chain. Android devices must select 'ALLOW' to join EMS.
  • To bypass the warning prompt in the VPN, turn off 'Enable Invalid Server Certificate Warning' in the Remote Access profile for Android devices.


Related articles:

Troubleshooting Tip: FortiClient error:' The security certificate for this site has been revoked. Th...

Technical Tip: FortiGate Resource Lists