JNDias
Staff
Article Id 241174
Description

This article describes what to do when the FortiGate EMS connector reports: 'Server certificate and configured certificate are mismatched'.

Scope

FortiGate connected to FortiClient EMS.
Solution

Verify the existing or renewed EMS server certificate. The following errors can appear (screenshots from the original article):

[Screenshot: JNDias_3-1672154512977.png]

[Screenshot: JNDias_4-1672154549064.png]

Solution 1:

From the CLI, run the following command:

 

execute fctems verify 1

 

The FortiGate displays the certificate chain. At the end of the process, it prompts for confirmation that the certificate should be added to the list of trusted remote certificates. Press to continue.

 

Now the FortiClient EMS should be connected.

 

Solution 2:

  1. From the browser connected to EMS, export the certificate (this exports the public certificate only).
  2. Import it on the FortiGate as a Remote Certificate.
  3. Change the trusted certificate in the configuration from the CLI.

Note: If the FortiClient Endpoint Management Server (EMS) is the VM-version, contact the EMS Technical Support team for the server certificate. Follow step 2 to import the remote certificate on FortiGate. 

 

Steps to follow:

 

  1. From the browser connected to EMS, export the certificate (this exports the public certificate only).

[Screenshot: JNDias_0-1672153820438.png]

[Screenshot: JNDias_1-1672153909107.png]

[Screenshot: JNDias_2-1672153992530.png]

Save as: 'Base64-encoded ASCII, single certificate (*.pem;*.crt)'.

 

  2. Import the remote certificate on the FortiGate: System -> Certificates -> Import -> Remote Certificate.

[Screenshot: JNDias_1-1672156160462.png]

 

  3. Change the trusted certificate in the configuration from the CLI:

config endpoint-control fctems
    edit <ems_name>
        set certificate <New Imported Remote Certificate>
    next
end
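The error in this article is the result of a comparison: the certificate the EMS server presents during the TLS handshake against the remote certificate configured under `set certificate`. The script below, an added example that is not part of this article and not Fortinet code, reproduces that comparison from an administrator's workstation using only the Python standard library: it decodes the PEM file exported from the browser (tolerating the CRLF line endings and BOM a Windows export may add, and ignoring any extra chain certificates after the first block), fetches the live leaf certificate from the EMS host, and compares SHA-256 fingerprints. The EMS hostname, the file path and the sample certificate bytes are constructed placeholders, not values from the article.

```python
"""Check whether the certificate a FortiClient EMS server presents matches the
certificate file exported from the browser (the one imported on the FortiGate).

Added example, not Fortinet code. Standard library only.
"""
import base64
import hashlib
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first certificate block in a PEM string to DER bytes.

    Tolerates CRLF line endings, a UTF-8 BOM and surrounding whitespace (all
    common in browser exports on Windows) and ignores any further certificate
    blocks, so a file that also contains the chain still yields the leaf.
    """
    text = pem_text.lstrip("\ufeff").replace("\r\n", "\n").replace("\r", "\n")
    start = text.find(PEM_HEADER)
    end = text.find(PEM_FOOTER, start + len(PEM_HEADER)) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate block found")
    body = "".join(text[start + len(PEM_HEADER):end].split())
    return base64.b64decode(body, validate=True)


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate in colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificate_matches(configured_pem: str, presented_pem: str) -> bool:
    """True only when both PEM inputs decode to identical DER bytes.

    A renewed EMS certificate decodes to different bytes, so this is False
    until the new export has been imported and selected on the FortiGate.
    """
    return pem_to_der(configured_pem) == pem_to_der(presented_pem)


def fetch_server_pem(host: str, port: int = 443) -> str:
    """Retrieve the leaf certificate the server presents, without validating it."""
    return ssl.get_server_certificate((host, port))


def compare_with_server(host: str, configured_pem: str, port: int = 443) -> dict:
    """Fetch the live certificate and report both fingerprints plus the verdict."""
    presented_pem = fetch_server_pem(host, port)
    return {
        "configured": fingerprint_sha256(pem_to_der(configured_pem)),
        "presented": fingerprint_sha256(pem_to_der(presented_pem)),
        "match": certificate_matches(configured_pem, presented_pem),
    }


# Constructed sample data: placeholder bytes standing in for DER certificates,
# not real X.509 objects. OLD plays the certificate still imported on the
# FortiGate; RENEWED plays the one the EMS server presents after renewal.
OLD_CERT_DER = b"constructed-sample-old-ems-certificate-not-real-x509"
RENEWED_CERT_DER = b"constructed-sample-renewed-ems-certificate-not-real-x509"
OLD_CERT_PEM = ssl.DER_cert_to_PEM_cert(OLD_CERT_DER)
RENEWED_CERT_PEM = ssl.DER_cert_to_PEM_cert(RENEWED_CERT_DER)
# The same export as a Windows browser would save it: BOM plus CRLF line endings.
OLD_CERT_PEM_CRLF = "\ufeff" + OLD_CERT_PEM.replace("\n", "\r\n")


if __name__ == "__main__":
    # Offline demonstration on the constructed data.
    print("old export vs old server cert:    ", certificate_matches(OLD_CERT_PEM_CRLF, OLD_CERT_PEM))
    print("old export vs renewed server cert:", certificate_matches(OLD_CERT_PEM_CRLF, RENEWED_CERT_PEM))
    # Live check against a real EMS host (hypothetical usage):
    #   python3 ems_cert_check.py ems.example.internal exported-ems-cert.pem
    if len(sys.argv) == 3:
        with open(sys.argv[2], encoding="utf-8") as fh:
            print(compare_with_server(sys.argv[1], fh.read()))
```

Run it with the EMS hostname and the exported PEM as arguments; if `match` is False while `presented` shows the fingerprint you expect from the EMS GUI, the FortiGate is holding a stale remote certificate and step 2 and step 3 above (import the new export, then point `set certificate` at it) are the fix.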

 

If the issue persists, disable then re-enable the FortiClient EMS Fabric Connector.

If FortiGate devices are enabled on a Security Fabric, refer to this article: Technical Tip: EMS certificate verification fails on downstream FortiGate in Security Fabric

 

Related documents: