FortiGate
aahmadbasri
Staff
Article Id 224780
Description This article discusses the 'Untrusted HTTPS server certificate' warning on the Administrator widget.
Scope FortiGate v7.2.1 and later.
Solution

In v7.2.1, a new default certificate 'Fortinet_GUI_Server' is introduced for HTTPS administrative access. 

 

If a self-signed certificate is used, the error 'Untrusted HTTPS server certificate' will be shown on the dashboard.

 


It is best practice to use a signed and trusted HTTPS server certificate, but it is also possible to remove this warning by using the 'Fortinet_GUI_Server' certificate.

To do so, see below:

 

  1. Go to System -> Settings -> HTTPS Server Certificate, select 'Fortinet_GUI_Server', and select 'Apply'.

    If it is not required for this PC to trust the new Fortinet_GUI_Server certificate, skip to Step 6. To resolve browser-based certificate warnings, continue to the remaining steps.

  2. Ensure that the certificate option is enabled under System -> Feature Visibility -> Certificates.

  3. Download the certificate from System -> Settings -> HTTPS Server Certificate. In this step, select 'Download HTTPS CA certificate'. 'Fortinet_CA_SSL' will be downloaded.

    An alternative path to download the same CA certificate is System -> Certificates -> Fortinet_CA_SSL -> Download.

  4. Install the certificate in the PC's trusted root CA certificate store:

    Since installing certificates can affect which certificates the browser will show as trusted, opening the file will show a warning.

    Select Store Location -> 'Local Machine'.
    Place the certificate in 'Trusted Root Certification Authorities'.

  5. Clear the browser cache and log in to the GUI in a new browser window to verify the HTTPS server certificate is now trusted by the PC.

  6. 'Untrusted HTTPS server certificate' has been replaced with a link to download the current HTTPS CA certificate.


Repeat steps 2 to 5 as needed for any other PCs that are required to trust the FortiGate's CA certificate.
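
When the install has to be repeated on several PCs, the import into the trusted root store can be scripted. The following PowerShell is an added example, not Fortinet's own code; it checks the downloaded file's SHA-256 fingerprint and CA flag before placing it in the Local Machine 'Trusted Root Certification Authorities' store. The file path and the expected fingerprint (a value read from the FortiGate over a channel that is already trusted) are assumptions.

```powershell
# Added example, not Fortinet code. Run in an elevated PowerShell session.
param(
    # Assumed location of the downloaded 'Fortinet_CA_SSL' file.
    [string]$CertPath = 'C:\Temp\Fortinet_CA_SSL.cer',
    # Placeholder: SHA-256 fingerprint obtained out-of-band. Replace before running.
    [string]$ExpectedSha256 = '<SHA256-FINGERPRINT-FROM-FORTIGATE>'
)

$ErrorActionPreference = 'Stop'

# Load the file for inspection without touching any certificate store.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# SHA-256 over the DER encoding, normalised to upper-case hex without separators.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpper()

if ($actual -ne $expected) {
    throw "Fingerprint mismatch for '$CertPath': file has $actual. Nothing was imported."
}

# A root store entry should be a CA certificate; refuse anything else.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "'$CertPath' is not marked as a CA certificate. Nothing was imported."
}

# Equivalent of Store Location -> 'Local Machine' -> 'Trusted Root Certification Authorities'.
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Confirm the entry is present and show what was trusted.
Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Select-Object Subject, NotAfter, Thumbprint
```

With the placeholder fingerprint left in place the script stops at the mismatch check and imports nothing.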

Note: To assign an HTTPS server certificate for older versions, use the following commands:

config system global
    set admin-server-cert <new_cert>
end


By default, 'Fortinet_CA_SSL' is used to sign 'Fortinet_GUI_Server' and firewall block pages. It is also the default CA used if deep inspection is configured. Installing the certificate on a PC will also remove certificate warnings for those functions. See the articles 'Certificate error when accessing blocked page' and 'Deep Inspection' for more details.

 
