FortiGate
kaman
Staff
Article Id 362889
Description

This article describes a solution for the issue where, despite importing the Fortinet_GUI_Server certificate into the Windows Trusted Root CA store, the FortiGate login page still displays a 'Not Secure' connection warning.

Scope

FortiGate.

Solution

There may be cases when the default HTTPS certificate for FortiGate is Fortinet_GUI_Server; however, when accessing FortiGate via HTTPS, the browser displays a self-issued certificate instead.

Even after importing the Fortinet_GUI_Server certificate into the Windows Trusted Root CA store, the 'Not Secure' connection warning persists on the FortiGate admin login page.

[Screenshot: the browser displays a self-issued certificate during HTTPS access to FortiGate, even though the default certificate is set to 'Fortinet_GUI_Server'.]

This issue has been resolved in v7.4.4.

Earlier versions had the default certificate set to 'self_sign' in the admin GUI access settings. That certificate is not trusted, so installing it on user machines was not recommended.

With the new GUI server certificate, a quick way to check trust is to look at the SAN entries listed under X509v3 Subject Alternative Name.

As soon as HTTPS access is enabled on an interface, this can be verified there: the interface IP address appears in the SAN entries.
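
One way to script the check described above from an admin workstation (an added example, not Fortinet's code): the function reads the text printed by `openssl x509 -noout -issuer -subject -ext subjectAltName` and reports whether the presented certificate is self-issued, has no SAN, or lacks the interface IP in its SAN. The function name, result strings and sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input on stdin is the text printed by (run from the admin PC):
#   openssl s_client -connect <interface-ip>:443 </dev/null 2>/dev/null |
#     openssl x509 -noout -issuer -subject -ext subjectAltName
# $1 is the interface IP typed into the browser. Result strings are this example's own.
check_gui_cert() {
    ip="$1"
    text=$(cat)
    issuer=$(printf '%s\n' "$text" | sed -n 's/^issuer= *//p')
    subject=$(printf '%s\n' "$text" | sed -n 's/^subject= *//p')
    # The SAN values sit on the line after the extension header; strip blanks
    san=$(printf '%s\n' "$text" |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' | tr -d ' \t')
    if [ -n "$issuer" ] && [ "$issuer" = "$subject" ]; then
        echo "self-issued"        # issuer equals subject: not the CA-signed GUI cert
    elif [ -z "$san" ]; then
        echo "no-san"             # browser policies require SAN entries for trust
    else
        case ",$san," in
            *",IPAddress:$ip,"*) echo "ok" ;;
            *) echo "ip-not-in-san" ;;
        esac
    fi
}

# Constructed sample outputs (DNs and addresses are placeholders, not real FortiGate values)
SAMPLE_SELF_ISSUED='issuer=CN = constructed-device-cert
subject=CN = constructed-device-cert'
SAMPLE_CA_SIGNED='issuer=CN = constructed-ca
subject=CN = constructed-gui-server
X509v3 Subject Alternative Name:
    IP Address:192.0.2.10, IP Address:198.51.100.1'

printf '%s\n' "$SAMPLE_SELF_ISSUED" | check_gui_cert 192.0.2.10   # self-issued
printf '%s\n' "$SAMPLE_CA_SIGNED"   | check_gui_cert 192.0.2.10   # ok
printf '%s\n' "$SAMPLE_CA_SIGNED"   | check_gui_cert 192.0.2.99   # ip-not-in-san
```

A "self-issued" result corresponds to the symptom in this article; "ok" means the certificate presented for that interface carries the IP in its SAN.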


Workaround:
Set admin-server-cert to Fortinet_Factory first, then switch it back to Fortinet_GUI_Server. After that, accessing the FortiGate again displays the Fortinet_GUI_Server certificate.

config system global
    set admin-server-cert Fortinet_Factory
end

config system global
    set admin-server-cert Fortinet_GUI_Server
end

The requirement that SANs be present for a certificate to be trusted is enforced by browser policies (for example, Mozilla, Google Chrome) and libraries (for example, OpenSSL).

Note:
In some instances, despite the Fortinet_GUI_Server certificate being imported into the administrator's Windows Trusted Root CA store, the FortiGate login page may still show up as 'Not secure'. If Fortinet_GUI_Server is the default HTTPS GUI certificate, try changing it to a different certificate (for example, Fortinet_Factory), then revert it to the original (Fortinet_GUI_Server). More information is in this article: Technical Tip: Getting 'Not Secure' warning despite importing Fortinet_GUI_Server certificate for GU....

config system global
    set admin-server-cert Fortinet_Factory
end

config system global
    set admin-server-cert Fortinet_GUI_Server
end


Additional Notes:
Starting from FortiOS v7.2.1, FortiGate uses the Fortinet_GUI_Server certificate for HTTPS administrative access. This certificate is generated and signed by the built-in Fortinet_CA_SSL certificate. More information is available in 'New default certificate for HTTPS administrative access'.