FortiGate
kaman
Staff
Article Id 362889
Description

 

This article provides a solution for the issue where, despite importing the Fortinet_GUI_Server certificate into the Windows Trusted Root CA store, the FortiGate login page still displays a 'Not Secure' connection warning.

 

Scope

 

FortiGate.

 

Solution

 

The default HTTPS certificate for FortiGate may be set to 'Fortinet_GUI_Server', yet when FortiGate is accessed via HTTPS, the browser displays a self-issued certificate instead.

Even after the Fortinet_GUI_Server certificate is imported into the Windows Trusted Root CA store, the 'Not Secure' connection warning persists on the FortiGate admin login page.

This issue has been resolved in v7.4.4.

In earlier versions, the default certificate in the admin GUI access settings was set to self_sign, which is not a trusted certificate and was therefore not recommended for installation on user machines.

 

With the new GUI server certificate, one quick way to identify the trust is to check the SAN entries under 'X509v3 Subject Alternative Name'.

 


 

As soon as HTTPS access is enabled on any interface, this can be verified in that field: the interface IP address appears in the SAN entries.
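
The SAN check described above can be scripted against the text form of the certificate the GUI presents. The following is an added example, not Fortinet code: it parses `openssl x509 -noout -text` output and reports whether the certificate is self-issued (issuer equals subject) and whether a given interface IP appears in the SAN entries. The function names, certificate names and addresses are constructed placeholders.

```python
import ipaddress

# Constructed `openssl x509 -noout -text` excerpts; the names and addresses are
# placeholders, not values taken from a real FortiGate.
SIGNED_WITH_SAN = """\
Certificate:
    Data:
        Issuer: CN = example-issuing-ca
        Subject: CN = example-fortigate
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1, DNS:fw.example.test
"""
SELF_ISSUED = "Issuer: CN = example-fortigate\nSubject: CN = example-fortigate\n"

def parse_cert_text(text):
    """Extract issuer, subject and SAN (kind, value) pairs from OpenSSL text output."""
    info = {"issuer": None, "subject": None, "san": []}
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("Issuer:"):
            info["issuer"] = line[len("Issuer:"):].strip()
        elif line.startswith("Subject:"):  # does not match "Subject Public Key Info:"
            info["subject"] = line[len("Subject:"):].strip()
        elif line.startswith("X509v3 Subject Alternative Name:") and i + 1 < len(lines):
            # OpenSSL prints the entries comma-separated on the following line.
            for entry in lines[i + 1].split(","):
                kind, _, value = entry.strip().partition(":")
                if value:
                    info["san"].append((kind.strip(), value.strip()))
    return info

def check_gui_cert(text, interface_ip):
    """Report whether the cert is self-issued and whether interface_ip is in its SAN."""
    info = parse_cert_text(text)
    san_ips = set()
    for kind, value in info["san"]:
        if kind == "IP Address":
            try:
                san_ips.add(ipaddress.ip_address(value))  # normalises IPv6 spelling
            except ValueError:
                pass  # ignore entries that are not plain addresses
    return {
        "self_issued": info["issuer"] is not None and info["issuer"] == info["subject"],
        "ip_in_san": ipaddress.ip_address(interface_ip) in san_ips,
        "san": info["san"],
    }
```

The input text can be produced from a saved PEM file with `openssl x509 -in <file> -noout -text`, or from a live connection by piping `openssl s_client -connect <host>:443` into `openssl x509 -noout -text`.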


Workaround:
Set admin-server-cert to Fortinet_Factory first, then switch it back to Fortinet_GUI_Server. After this, accessing the FortiGate again displays the Fortinet_GUI_Server certificate.

config system global
    set admin-server-cert Fortinet_Factory
end

config system global
    set admin-server-cert Fortinet_GUI_Server
end