FortiGate
Dongfang_Li_FTNT
Article Id 216971
Description

This article describes how to resolve an issue where, when a user connects to FortiGate GUI using the FortiGate IP address, the web page displays the certificate error: ERR_CERT_COMMON_NAME_INVALID.

Scope

FortiGate.
Solution

The following certificate error is seen in the browser:

[Screenshot: browser certificate error ERR_CERT_COMMON_NAME_INVALID]

The Common Name (CN) is the server name that the SSL certificate protects. The certificate is accepted only if the hostname the user requested matches the certificate's Common Name.

Checking the certificate shows that it is issued to *****.com:

[Screenshot: certificate details, issued to *****.com]

The user connects to the IP address https://x.x.x.x, but the certificate's common name is *****.com, so the two do not match. Either the certificate must be issued to the IP address x.x.x.x, or the user must connect using the URL *****.com.
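As an added illustration that is not part of the original article, the following Python snippet reproduces the name check a browser performs when it decides whether a certificate matches the address typed into the URL bar. The certificates are constructed sample data in the dict shape that Python's ssl module returns from getpeercert(); the example also covers Subject Alternative Names (SANs), which browsers check instead of the CN whenever the extension is present.

```python
import ipaddress

# Constructed sample certificates, in the dict shape returned by ssl.SSLSocket.getpeercert().
CERT_CN_ONLY = {"subject": ((("commonName", "fortigate.example.com"),),)}
CERT_WITH_SANS = {
    "subject": ((("commonName", "fortigate.example.com"),),),
    "subjectAltName": (("DNS", "fortigate.example.com"), ("IP Address", "192.0.2.1")),
}


def _common_name(cert):
    """Pull the commonName attribute out of the nested subject tuples."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _dns_match(pattern, host):
    """Case-insensitive DNS match; '*' is allowed only as the entire leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert, requested):
    """Return (matched, reason) for the hostname or IP literal the browser was pointed at."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    sans = cert.get("subjectAltName", ())
    if sans:
        # When a SAN extension is present, browsers never fall back to the CN.
        if ip is not None:
            if any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans):
                return True, f"IP Address SAN matches {requested}"
            return False, f"no IP Address SAN for {requested}"
        if any(k == "DNS" and _dns_match(v, requested) for k, v in sans):
            return True, f"DNS SAN matches {requested}"
        return False, f"no DNS SAN matches {requested}"
    # No SAN extension: legacy CN-only check (Chrome has rejected such certificates since v58).
    cn = _common_name(cert) or ""
    if (ip is None and _dns_match(cn, requested)) or (ip is not None and cn == requested):
        return True, f"CN {cn} matches {requested} (CN-only certificate)"
    return False, f"CN {cn} does not match {requested}"
```

Running cert_matches(CERT_CN_ONLY, "192.0.2.1") reproduces the mismatch from this article, while CERT_WITH_SANS matches both the hostname and the IP literal, which is exactly what the 'Host IP' CSR option or the newer Fortinet_GUI_Server certificate provides.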


If Certificates are not visible in GUI, enable them from System -> Feature Visibility -> Additional Features -> Certificates.


To create a custom certificate issued to the FortiGate IP address, generate a new CSR on the FortiGate: under Subject Information, set ID Type to 'Host IP' and enter the IP address x.x.x.x. In the GUI this is done from System -> Certificates -> Create/Import -> Generate CSR:

[Screenshot: Generate CSR dialog with ID Type set to Host IP]

Complete the CSR, download it, have it signed by an internal Certificate Authority, and import the signed certificate back into FortiGate. Publicly-trusted Certificate Authorities such as Symantec, Comodo, GoDaddy, and Let's Encrypt will not sign a certificate issued to an IP address.

 

Once the certificate is imported back to FortiGate, assign it to the admin access:

 

config system global
    set admin-server-cert <certificate_name>
end

 

Alternative Method: Fortinet_GUI_Server certificate:
From FortiOS v7.2.1 onwards, the default Fortinet_GUI_Server certificate contains the IP addresses of the interfaces on which HTTPS access is enabled. The certificate is signed by the FortiGate's own local Certificate Authority, Fortinet_CA_SSL. See 'GUI Untrusted HTTPS server certificate' or follow the steps below.

 

Select the Fortinet_GUI_Server certificate under System -> Settings -> Administration Settings -> HTTPS server certificate.

 

[Screenshot: Administration Settings with HTTPS server certificate set to Fortinet_GUI_Server]

 

Then install the Fortinet_CA_SSL certificate on the PC as a Trusted Root Certificate; the error will no longer appear. The Fortinet_CA_SSL certificate can be downloaded from System -> Certificates -> Fortinet_CA_SSL.

[Screenshot: Fortinet_CA_SSL entry under System -> Certificates]


Related articles:

Technical Tip: How to assign a SSL certificate for remote administration of FortiGate

Generating a CSR on a FortiGate

Adding SAN Subject Alternative Name while generating CSR

A guide to FortiGate and certificate issues