| Description | This article explains how to generate a server certificate from FortiGate; the same certificate can be used for the SSL VPN client or to secure web mode access. |
| Scope | FortiGate. |
| Solution |
To remove the non-secure warning from SSL VPN web mode in the browser, a server certificate signed by a FortiGate CA certificate can be used. The FortiGate default CA certificate, Fortinet_CA_SSL, can be used to sign this server certificate.
Here is the process of generating a server certificate for SSL VPN: Go to VPN -> SSL VPN Settings and select 'Create Certificate' under the 'Server Certificate' section.
Select 'Generate Certificate':
Give this certificate a Name and enter the public IP or FQDN of the firewall in the Common Name field. If the VPN interface is selected, it would automatically choose its IP address.
Add the IP address in the Subject Alternative Name field; multiple SAN entries can be added here.
Select the Create option. After the above steps, the server certificate has been created. This certificate can be selected in the SSL VPN server certificate dropdown.
The generated certificate has the name GUI in this case. After selecting this GUI certificate, the CA certificate Fortinet_CA_SSL needs to be installed in user systems.
Once the above process is completed, users will not get a certificate acceptance (pop-up) with the SSL client, and the non-secure page alert will disappear from the web mode URL.
Status with default server certificate in SSL settings:
Status after changing the server certificate to the GUI certificate (which was generated above):
In the FortiClient application, users will not be asked to accept the certificate through a pop-up message.
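Browsers match the address in the URL against the certificate's Subject Alternative Name entries rather than the Common Name, and an IP address only matches an IP-type entry. The following check is an added example (not Fortinet code) that tests a planned SAN list against the addresses users will connect to before the certificate is generated. All addresses and names in it are constructed sample values.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value.strip("[]"))
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Match a DNS SAN entry; '*' is only accepted as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject over-broad wildcards such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_covers(address, san_entries):
    """True if the address a user types matches one SAN entry.

    san_entries is a list of (type, value) pairs, type being "IP" or "DNS".
    The Common Name is deliberately not consulted.
    """
    ip = _as_ip(address)
    for kind, value in san_entries:
        if ip is not None:
            # An IP literal matches IP-type entries only, never DNS ones.
            if kind == "IP" and _as_ip(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, address):
            return True
    return False

def uncovered(addresses, san_entries):
    """Addresses that would still raise a certificate name mismatch."""
    return [a for a in addresses if not san_covers(a, san_entries)]

# Constructed sample values: planned SAN entries and the addresses in use.
PLANNED_SAN = [("IP", "203.0.113.10"), ("DNS", "vpn.example.com")]
USER_ADDRESSES = ["203.0.113.10", "vpn.example.com", "VPN.example.com.",
                  "198.51.100.7", "portal.example.com"]

if __name__ == "__main__":
    for addr in uncovered(USER_ADDRESSES, PLANNED_SAN):
        print(f"missing SAN entry for: {addr}")
```

Any address it reports needs its own SAN entry, otherwise users connecting through that address still see the warning even with Fortinet_CA_SSL installed.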
Related article: Technical Tip: FortiGate HTTPS/SSL Certificate Installation (PFX, PKCS12, PEM and CER) |
Copyright 2025 Fortinet, Inc. All Rights Reserved.