Help
FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
JNDias
Staff & Editor
Staff & Editor

Created on ‎01-13-2025 03:13 AM Edited on ‎01-13-2025 04:08 AM

Article Id 369416

Troubleshooting Tip: FortiClient error:' The security certificate for this site has been revoked. This site should not be trusted'

Description

 

This article describes an error encountered on FortiClient or certain browsers when attempting to connect to the FortiGate SSL VPN.

Error: 'The security certificate for this site has been revoked. This site should not be trusted'.

 

The security certificate for this site has been revoked. This site should not be trusted.The security certificate for this site has been revoked. This site should not be trusted.

 

Scope

 

FortiClient, SSL VPN.

 

Solution

 

  1. If the certificate uses OCSP or CRL, FortiClient will verify whether the certificate has been revoked. It is possible to do the same text using the following online tool: https://www.certificatetools.com/ocsp-checker
    If the 'Cert Status' is 'revoked', contact the SSL provider for further assistance. At this point, the issue is not related to FortiGate or FortiClient.

  2. Validate if FortiGate is sending the full certificate chain.
    1. If the URL and certificate are public, various tools, commonly known as SSL checkers, can be used to validate the certificate chain. These tools can help ensure that the full certificate chain is being sent and properly configured.

    2. Alternatively with a Linux terminal :
  • Using curl:

$ curl -vI https://<URL>:<port>   

 

Example: $ curl -vI https://mydomain:10443.

 

  • It if fails then it means it was not able to validate the certificate for any reason. For troubleshooting, use the -k flag in curl to bypass validation temporarily.

 

-k, --insecure Allow insecure server connections

 

Valid connection example:


...
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.example.com
* start date: Jan 10 00:00:00 2025 GMT
* expire date: Jan 10 23:59:59 2026 GMT
* subjectAltName: host "example.example.com" matched cert's "*.example.com"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
* SSL certificate verify ok.
...

 

Then using OpenSSL:


$ openssl s_client -showcerts -connect <URL>:<port>   Example: $ curl -vI https://mydomain:10443

 

Full demonstration: Technical Tip: How to determine if the FortiGate is sending the full certificate chain for the Web U...

 

If FortiGate is not sending the full certificate chain then most probably the intermediate CA needs to be imported to the FortiGate's certificate store. Refer to Administration Guide - CA certificate

 

Related articles:

Technical Tip: SSL/TLS and the use of Digital Certificates

Technical Tip: Android FortiClient is showing 'untrusted certificate' warning, when the FortiClient ...

Technical Tip: FortiGate Resource Lists

2509
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.