This article describes how to resolve an issue where, when a user connects to FortiGate GUI using the FortiGate IP address, the web page displays the certificate error: ERR_CERT_COMMON_NAME_INVALID.

The following certificate error is seen.

The Common Name represents a server name protected by the SSL certificate.  The certificate is valid only if the requested hostname matches the certificate's common name.

Check the Certificate, it is issued to *****.com:

The user connects to the IP address https://x.x.x.x. The certificate's common name is *****.com, which does not match. The certificate should be issued to the IP address x.x.x.x, or the user should connect to the URL *****.com.

If Certificates are not visible in GUI, enable them from System -> Feature Visibility -> Additional Features -> Certificates.

To create a custom certificate issued to the FortiGate IP address, create a new CSR in FortiGate, in Subject Information, ID Type, enable 'Host IP', and put IP x.x.x.x. In the GUI this can be done from System -> Certificates -> Create/Import -> Generate CSR:

Complete the CSR, download it, have it signed by an internal Certificate Authority, and import it back to FortiGate. Publicly-trusted Certificate Authorities such as Symantec, Comodo, GoDaddy, and Let'sEncrypt will not sign a certificate issued to an IP address.  

Once the certificate is imported back to FortiGate, assign it to the admin access:

config system global

set admin-server-cert <certificate_name>

end

Alternative Method: Fortinet_GUI_Server certificate:
In the newer v7.2.1 onwards, the default Fortinet_GUI_Server certificate contains the IP addresses of the interfaces on which HTTPS is enabled. The certificate is signed by the FortiGate's own local Certificate Authority Fortinet_CA_SSL. See 'GUI Untrusted HTTPS server certificate' or the steps below.

Configure the Fortinet_GUI_Server certificate under System -> Setting -> Administration Settings -> HTTPS server certificate.

After, install the Fortinet CA SSL on the PC as a Trusted Root Certificate. The error will be removed. The Fortinet CA SSL certificate can be downloaded from System -> Certificate->Fortinet_CA_SSL

Related articles:

• Technical Tip: How to assign a SSL certificate for remote administration of FortiGate
• Generating a CSR on a FortiGate
• Technical Tip: Adding SAN (Subject Alternative Name) while generating CSR (Certificate Signing Reque... 
• Troubleshooting Tip: A guide to FortiGate and certificate issues 
• Technical Tip: GUI Untrusted HTTPS server certificate 
  
  

Related Video: