2. In this case, the certificate error message was caused by an invalid or missing certificate chain verifying the authenticity of the server certificate provided in the SSL/TLS
4. Click on Export Packet Bytes, save the file as certificate.cer, and open certificate.cer, which looks like below.
5. Now go to the FortiGate GUI and upload the public key/certificate of Root CA and Intermediate CA in the CA Certificate section in pem/cer format.
6. Make sure that you have the Root CA and Intermediate CA under the External CA certificates.
7. Restart the authd process.
8. On the browser, ensure that the Root CA is present/installed/trusted. Intermediate CA doesn't need to be installed on the browser because the intermediate CA will be sent in the SSL/TLS handshake by the FortiGate.
9. Re-open the browser and access any web page. This redirects to the captive portal login page on the FortiGate.
10. The certificate chain is present this time and no error is seen on the browser.
11. Verify using Wireshark to capture the SSL/TLS Handshake.
12. Points to Note
a. The public key/certificate of both the Root CA and the Intermediate CA needs to be uploaded to FortiGate as Remote CA certs.
b. The following two CLI commands are in place.
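As an added example that is not part of this Fortinet note: the chain check a browser trusting only the Root CA performs, reproduced offline with openssl against a constructed three-tier demo PKI (subjects, file names and paths are assumptions). The server certificate verifies only once the intermediate is supplied alongside it, which is why the Intermediate CA must be loaded on the FortiGate so it can be sent in the handshake.

```shell
#!/bin/sh
# Added example, not from the Fortinet note: reproduce the "missing intermediate"
# failure with openssl only, using a constructed demo PKI (all names are assumptions).
set -e
WORK=$(mktemp -d)

# Extension profiles: one for CA certs (root, intermediate), one for the portal cert
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > "$WORK/srv.ext"

# Generate an EC key and a CSR: newkey <file-prefix> <CN>
newkey() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

make_demo_pki() {
  newkey root "Demo Root CA"; newkey int "Demo Intermediate CA"; newkey server "portal.demo.test"
  # Root: self-signed trust anchor (the only CA installed in the browser)
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate: signed by the root
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Captive-portal server cert: signed by the intermediate
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/srv.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Validate the portal cert the way a browser that trusts only the Root CA does.
#   verify_chain without -> server cert alone (FortiGate not sending the intermediate)
#   verify_chain with    -> intermediate supplied, as after uploading it to the FortiGate
# Prints "ok" or "fail".
verify_chain() {
  if [ "$1" = "with" ]; then set -- -untrusted "$WORK/int.pem"; else set --; fi
  if openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_demo_pki
echo "chain without intermediate: $(verify_chain without)"   # fail
echo "chain with intermediate:    $(verify_chain with)"      # ok
```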
See also: Preventing certificate warnings (Cookbook)
Technical Note: Certificate warning when connecting to SSLVPN from Linux devices
Technical Note: SSL inspection on multiple FortiGates using the same certificate (OpenSSL method)
Copyright 2023 Fortinet, Inc. All Rights Reserved.