FortiGate
FortiKoala
Staff
Article Id 196605

Description


This article describes a situation where, when using third-party certificates signed by an intermediate CA / root CA, FortiOS does not send the complete certificate chain to the client. This happens because of an incomplete configuration on the FortiGate (the CA certificates are not installed) and results in a certificate error message in the client browser.

This article helps to avoid such error messages.


Scope


This article is applicable for the following authentication types:

          1. Admin WebUI login to FortiGate
          2. SSL VPN authentication to FortiGate
          3. Captive Portal authentication over HTTPS to FortiGate

This article is applicable for the following certificate types:

           1. Locally signed certificates
           2. Certificates signed by well-known CAs.


Solution

While authenticating against the captive portal of a FortiGate, a certificate error message is sometimes displayed. Such an error can have several causes, corresponding to the different alert messages defined in the TLS/SSL RFCs. The developer tools available in the web browser help narrow down the exact root cause of the certificate error.

 


In this case, the certificate error was caused by an invalid or missing certificate chain: the FortiGate sent only the server certificate in the SSL/TLS handshake, without the CA certificates needed to verify it.

The certificate chain is missing, as shown in the browser's Certification Path tab:

 

 
Using Wireshark, the same can be verified by capturing the SSL/TLS handshake between the browser and the FortiGate: the Certificate message of the handshake contains only the server certificate.



In the Certificate handshake message, right-click the certificate, select Export Packet Bytes, save the file as certificate.cer and open it. It looks like below:

 

 

Go to the FortiGate GUI and upload the certificates of the Root CA and the Intermediate CA (the public certificates only, in PEM or CER format, never the CA private keys) in the CA Certificate section.

 

 

Make sure that the Root CA and the Intermediate CA are both listed under External CA Certificates.

 

 
 
In newer versions, the location is under 'Remote CA Certificate':

 

Restart the authd process (the daemon that serves captive portal authentication) so that it picks up the newly installed CA certificates.




 

On the browser, ensure that the Root CA is installed and trusted. The Intermediate CA does not need to be installed on the browser, because the FortiGate now sends it in the SSL/TLS handshake together with the server certificate.

 

Re-open the browser and access any web page. The request is redirected to the captive portal login page on the FortiGate.

 

 

The certificate chain is present this time and no error is seen on the browser.

 

Verify by using Wireshark to capture the SSL/TLS handshake again: the Certificate message now contains the server certificate followed by the Intermediate CA certificate.

 

 

Another option is to use OpenSSL to validate the certificate chain sent by the FortiGate (in this example an SSL VPN portal on port 10443). The 'Certificate chain' section of the output lists every certificate the server sent: entry 0 is the server certificate, entry 1 the Intermediate CA and entry 2 the Root CA. The line 'verify error:num=19:self signed certificate in certificate chain' only means that the private Root CA is not in OpenSSL's default trust store; pass it with -CAfile to get a clean verification result.

# openssl s_client -verify 5 -connect 192.168.170.33:10443 </dev/null
verify depth is 5
CONNECTED(00000003)
depth=2 C = MX, ST = CDMX, L = Mexico, O = Fortinet, OU = TAC, CN = CA_XCA-root, emailAddress = oxxx@fortinet.com
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = MX, ST = CDMX, L = Mexico, O = Fortinet, OU = TAC, CN = CA_XCA-root, emailAddress = oxxx@fortinet.com
verify return:1
depth=1 C = MX, ST = CDMX, L = MEXICO, O = TAC XCA, OU = SOPORTE, CN = CA_XCA_2025, emailAddress = oxxx@fortinet.com
verify return:1
depth=0 C = MX, ST = MEXICO, L = DCMX, O = MEXICOTAC, OU = TACMEX, CN = *vpn2.tacmexico.mx, emailAddress = oxxx@fortinet.com
verify return:1
---
Certificate chain
0  s:/C=MX/ST=MEXICO/L=DCMX/O=MEXICOTAC/OU=TACMEX/CN=*vpn2.tacmexico.mx/emailAddress=oxxx@fortinet.com
   i:/C=MX/ST=CDMX/L=MEXICO/O=TAC XCA/OU=SOPORTE/CN=CA_XCA_2025/emailAddress=oxxx@fortinet.com
1  s:/C=MX/ST=CDMX/L=MEXICO/O=TAC XCA/OU=SOPORTE/CN=CA_XCA_2025/emailAddress=oxxx@fortinet.com
   i:/C=MX/ST=CDMX/L=Mexico/O=Fortinet/OU=TAC/CN=CA_XCA-root/emailAddress=oxxx@fortinet.com
2  s:/C=MX/ST=CDMX/L=Mexico/O=Fortinet/OU=TAC/CN=CA_XCA-root/emailAddress=oxxx@fortinet.com
   i:/C=MX/ST=CDMX/L=Mexico/O=Fortinet/OU=TAC/CN=CA_XCA-root/emailAddress=oxxx@fortinet.com

Points to Note

  1. The public certificates of the Root and Intermediate CA need to be uploaded to the FortiGate as Remote CA certificates.
  2. The following two CLI commands are in place.

       

  3. Instead of an IP address, the FQDN should be used to reach the FortiGate, and that FQDN must be present in the certificate's CN or Subject Alternative Name (SAN); otherwise the browser reports a name mismatch even when the chain is complete.
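The following script is an added example, not part of the original article and not FortiOS code. It builds a throwaway Root CA, Intermediate CA and server certificate with plain openssl and then reproduces, offline, the two verdicts a browser that trusts only the Root CA would reach: failure when the server sends only its own certificate (the misconfiguration above) and success when the Intermediate CA is supplied as well, which is what the FortiGate does once the Intermediate CA is uploaded. It also shows the hostname check behind point 3. All names (Demo Root CA, vpn2.example.test, file names) are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): model the chain-building
# a browser does, using a throwaway three-tier PKI. All names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="vpn2.example.test"      # assumed FQDN; it goes into the leaf's SAN

build_pki() (
  cd "$WORK"
  # Root CA: self-signed, CA:TRUE. Extensions via a config file for
  # portability across OpenSSL 1.1.1 and 3.x.
  cat > root.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config root.cnf \
    -keyout root.key -out root.pem 2>/dev/null
  # Intermediate CA: CSR signed by the root, pathlen:0.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' > inter.ext
  openssl x509 -req -days 365 -in inter.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile inter.ext -out inter.pem 2>/dev/null
  # Server (leaf) certificate: signed by the intermediate, FQDN in the SAN.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$HOST" > leaf.ext
  openssl x509 -req -days 90 -in leaf.csr -CA inter.pem -CAkey inter.key \
    -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# Verdict of a client whose trust store holds only the Root CA. Extra
# arguments model what else the server put in its handshake; prints ok/fail.
check() {
  if (cd "$WORK" && openssl verify -CAfile root.pem "$@" leaf.pem >/dev/null 2>&1); then
    echo ok
  else
    echo fail
  fi
}

# Server sends only its own certificate: the misconfiguration in the article.
leaf_only()         { check; }
# Server also sends the Intermediate CA (the fixed FortiGate).
with_intermediate() { check -untrusted inter.pem; }
# Full chain plus the name the user typed in the browser (point 3).
with_name()         { check -untrusted inter.pem -verify_hostname "$1"; }

build_pki
printf 'leaf only:         %s\n' "$(leaf_only)"
printf 'with intermediate: %s\n' "$(with_intermediate)"
printf 'name %s: %s\n' "$HOST" "$(with_name "$HOST")"
printf 'name other.example.test: %s\n' "$(with_name other.example.test)"
```

Against a live FortiGate the same check is `openssl s_client -connect <fqdn>:<port> -showcerts -CAfile root.pem </dev/null`: the 'Certificate chain' list should contain the Intermediate CA as entry 1, and the output should end with 'Verify return code: 0 (ok)'; an 'unable to get local issuer certificate' result means the intermediate is still missing from the handshake.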

 

See also: Preventing certificate warnings - FortiGate CookBook

 

Related articles:

Technical Tip: Certificate warning when connecting to SSLVPN from Linux devices

Technical Tip: SSL inspection on multiple FortiGates using the same certificate (OpenSSL method)

Technical Tip: SSL/TLS and the use of Digital Certificates