FortiGate
aahmadbasri
Staff
Article Id 224780
Description This article discusses the 'untrusted HTTPS server certificate' warning on the Administrator widget.
Scope FortiGate v7.2.1 and later.
Solution

In v7.2.1, a new default certificate 'Fortinet_GUI_Server' is introduced for HTTPS administrative access. 

 

If a self-signed certificate is used, the error 'Untrusted HTTPS server certificate' will be shown on the dashboard.

 


 

It is best practice to use a signed and trusted HTTPS server certificate (refer to this article: Technical Tip: FortiGate HTTPS/SSL Certificate Installation (PFX, PKCS12, PEM and CER)), but it is also possible to remove this warning by using the 'Fortinet_GUI_Server' certificate.

To do so, see below:

 

  1. Go to System -> Settings -> HTTPS Server Certificate, select 'Fortinet_GUI_Server', and select 'Apply'.

    If it is not required for this PC to trust the new Fortinet_GUI_Server certificate, skip to Step 6. To resolve browser-based certificate warnings, continue to the remaining steps.

  2. Ensure that the certificate option is enabled under System -> Feature Visibility -> Certificates.

  3. Download the certificate from System -> Settings -> HTTPS Server Certificate. In this step, select 'Download HTTPS CA certificate'. 'Fortinet_CA_SSL' will be downloaded.

    An alternative path to download the same CA certificate is System -> Certificates -> Fortinet_CA_SSL -> Download.

  4. Install the certificate in the PC's trusted root CA certificate store:

    Since installing certificates can affect which certificates the browser will show as trusted, opening the file will show a warning.

    Select Store Location -> 'Local Machine'.

    Place the certificate in 'Trusted Root Certification Authorities'.

  5. Clear the browser cache and log in to the GUI in a new browser window to verify that the HTTPS server certificate is now trusted by the PC.

  6. 'Untrusted HTTPS server certificate' has been replaced with a link to download the current HTTPS CA certificate.




Repeat steps 2 to 5 as needed for any other PCs that are required to trust the FortiGate's CA certificate.
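
A scripted form of the install step above (Local Machine -> Trusted Root Certification Authorities), useful when repeating it on several PCs. This is an added example, not Fortinet's code: it refuses to trust the downloaded file unless its SHA-256 fingerprint matches a value recorded from the FortiGate and the file is a CA certificate. The download path, the file name and the way the expected fingerprint was obtained are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Fortinet code. File name and fingerprint source are assumptions.
param(
    # Assumed name/location of the file saved by 'Download HTTPS CA certificate'.
    [string]$CaFile = "$env:USERPROFILE\Downloads\Fortinet_CA_SSL.cer",
    # SHA-256 fingerprint of Fortinet_CA_SSL, recorded from this FortiGate over a
    # path you already trust (placeholder: must be supplied by the operator).
    [Parameter(Mandatory)][string]$ExpectedSha256
)
$ErrorActionPreference = 'Stop'

# Parse the file (DER or Base64); .NET needs an absolute path.
$path = (Resolve-Path -LiteralPath $CaFile).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# Fingerprint = SHA-256 over the DER encoding, compared without separators or case.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$wanted = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $wanted) {
    throw "Fingerprint mismatch, not installing. File has $actual"
}

# Only a CA certificate belongs in the root store (basicConstraints CA:TRUE, OID 2.5.29.19).
$bc = $cert.Extensions['2.5.29.19'] -as
    [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Not a CA certificate: $($cert.Subject)"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
}

# Equivalent of Store Location 'Local Machine' -> 'Trusted Root Certification Authorities'.
Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the store now holds exactly this certificate.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) {
    throw 'Import did not place the certificate in LocalMachine\Root'
}
"Trusted: $($cert.Subject)  SHA256=$actual  expires $($cert.NotAfter.ToString('u'))"
```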

Note:

To assign an HTTPS server certificate for older versions, use the following commands:

config system global
    set admin-server-cert <new_cert>
end


By default, 'Fortinet_CA_SSL' is used to sign 'Fortinet_GUI_Server' and firewall block pages. It is also the default CA used if deep inspection is configured. Installing the certificate on a PC will also remove certificate warnings for those functions. See the documents 'Technical Tip: Certificate error when accessing blocked page' and 'Deep Inspection' for more details.

 

Additional Note:
In some instances, despite the Fortinet_GUI_Server certificate being imported to the administrator's Windows Trusted Root CA store, the FortiGate login page may still show up as 'Not secure'. If Fortinet_GUI_Server is the current HTTPS GUI certificate, try changing it to a different certificate (for example, Fortinet_Factory), then revert it to the original (Fortinet_GUI_Server), as shown in the commands below. More information is in this article: Technical Tip: Getting 'Not Secure' warning despite importing Fortinet_GUI_Server certificate for GU....

 

config system global
    set admin-server-cert Fortinet_Factory
end

config system global
    set admin-server-cert Fortinet_GUI_Server
end

 

Related documents:

A guide to FortiGate and certificate issues 

New default certificate for HTTPS administrative access 7.2.1

Acme certificate support

Certificate-Error-in-Admin-Access