FortiGate
johnathan (Staff)
Article Id 345332
Description This article provides guidance on verifying and resolving issues where the FortiGate fails to present the full certificate chain for firewall-hosted services (like SSL VPN or the GUI) by using OpenSSL or online SSL checking tools.
Scope FortiGate
Solution

For compliance or security policy requirements, it may be necessary for the FortiGate to present the full certificate chain when accessing a service hosted on the firewall (such as the Web GUI or SSL VPN).

The OpenSSL command-line tools can be used for this check.
Compiled OpenSSL binaries for Windows are available from the OpenSSL binary distribution page.

Use the following command to check the certificate chain:


openssl s_client -showcerts -connect <IP_Address>:<Port>
If the FortiGate is presenting only a single certificate instead of the full chain, the output will show only the server certificate at depth=0.

Non-working Log:


openssl s_client -connect vpn.******.com:55555 -showcerts
Connecting to 209.96.X.X
CONNECTED(000001F0)
depth=0 CN=vpn.******.com
verify error:num=20:unable to get local issuer certificate >> depth 0 indicates that the server is not providing the intermediate/Root certificate.
verify return:1
depth=0 CN=vpn.******.com
verify error:num=21:unable to verify the first certificate >> depth 0 indicates that the server is not providing the intermediate/Root certificate.
verify return:1
depth=0 CN=vpn.******.com
verify return:1

For the FortiGate to send the complete certificate chain, the intermediate certificate must be uploaded to the appliance as a CA certificate. If the root CA certificate is not already present in the certificate store, it should be uploaded as well.
Because the SSL VPN daemon does not automatically reload CA certificates after they are added, the sslvpnd process must be restarted with the following command:
fnsysctl killall sslvpnd

Working Log:


openssl s_client -connect vpn.******.com:55555 -showcerts
Connecting to 209.96.X.X
CONNECTED(000001F0)
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify return:1
depth=1 C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C=CA, ST=BC, L=YVR, O=FTNT, CN=vpn.******.com
verify return:1

After restarting the daemon, the certificate chain is presented correctly and the certificate error is no longer observed.

Note: Restart the daemon during non-business hours or when no users are connected to the VPN.
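The following script is an added example, not part of the Fortinet article, that automates the check described above. It classifies `openssl s_client -showcerts` output by counting the PEM blocks the server actually sent, because the depth= lines alone can look complete when the local trust store already contains the intermediate. The check_host wrapper and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify what a TLS server sends, from `openssl s_client -showcerts` output on stdin.
# Output: certs_sent=<n> max_depth=<d> verify_errors=<codes|none> status=<leaf-only|chain-sent>
#   certs_sent    PEM blocks the server actually presented (the reliable indicator)
#   max_depth     highest depth= line seen; can exceed 0 even for a leaf-only server
#                 when the local trust store already holds the intermediate
#   verify_errors 20/21 = issuer missing (chain incomplete as sent),
#                 19 = root was sent but is not trusted locally (not a chain problem)
chain_status() {
  awk '
    /^-----BEGIN CERTIFICATE-----/ { certs++ }
    /^depth=[0-9]+/ { split($1, d, "="); if (d[2] + 0 > max) max = d[2] + 0 }
    /^verify error:num=[0-9]+/ {
      match($0, /num=[0-9]+/)
      code = substr($0, RSTART + 4, RLENGTH - 4)
      errs = errs (errs ? "," : "") code
    }
    END {
      status = (certs > 1) ? "chain-sent" : "leaf-only"
      printf "certs_sent=%d max_depth=%d verify_errors=%s status=%s\n", certs, max, (errs ? errs : "none"), status
    }'
}

# Live check against a host (hypothetical wrapper): check_host <host> <port>.
# </dev/null ends the session after the handshake; 2>&1 merges the depth=/verify
# lines, which s_client writes to stderr, into the parsed stream.
check_host() {
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>&1 | chain_status
}

# Constructed sample (not a real capture) mirroring the leaf-only case in the article.
SAMPLE_LEAF_ONLY='CONNECTED(000001F0)
depth=0 CN=vpn.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=vpn.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
-----BEGIN CERTIFICATE-----
MIIBsampleLeafCertBodyNotARealCertificate=
-----END CERTIFICATE-----'

if [ "$#" -eq 2 ]; then
  check_host "$1" "$2"
else
  printf '%s\n' "$SAMPLE_LEAF_ONLY" | chain_status
fi
```

Run it with a host and port to check a live service before and after uploading the intermediate; with no arguments it classifies the embedded sample.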