tyun
Staff
Article Id 425324
Description: This article describes the steps to resolve FortiManager tunnel issues with third-party certificates on FortiGate. It provides a workaround for users who are experiencing certificate mismatch issues and do not want to upgrade FortiGate.
Scope: FortiGate, FortiManager.
Solution

To resolve the FortiManager tunnel issue with third-party certificates on FortiGate (this issue was reported in a FortiGate HA environment on FortiOS v7.4.8 and fixed in v7.4.9), follow these steps:

  1. Generate a third-party CA certificate and import it to FortiGate and FortiManager.
  2. Configure FortiGate to use the third-party local certificate.
  3. Configure FortiManager to use the third-party CA certificate.
  4. Verify the FortiManager tunnel session is established successfully.

 

Here are the detailed steps:

  1. Generate a third-party CA certificate using OpenSSL:
  • Create an OpenSSL extension file for the certificate (the signing step below reads it with -extfile). The [alt_names] section lists the serial number of each HA cluster member as a SAN:

config file name : ha_cert_ext.cnf
------------------------------------------------------------
keyUsage=critical,digitalSignature
authorityKeyIdentifier=keyid,issuer:always
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE

# Subject Alternative Names (SANs): one DNS entry per FortiGate serial number.
# @alt_names is an unquoted reference to the section below.
subjectAltName = @alt_names

[alt_names]
DNS.1 = FGT61FTK21001234 # FortiGate #1 serial
DNS.2 = FGT61FTK21001235 # FortiGate #2 serial
------------------------------------------------------------


  • Generate the CA private key and self-signed CA certificate (the file names haCA.key and haCA.crt are the ones used in the signing and import steps below):

openssl genrsa -out haCA.key 4096
openssl req -x509 -new -nodes -key haCA.key -sha256 -days 3650 -out haCA.crt


  2. Generate a certificate signing request (CSR) for FortiGate:

openssl genrsa -out ha_shared.key 2048
openssl req -new -key ha_shared.key -out ha_shared.csr


  3. Sign the CSR with the third-party CA certificate, applying the extensions (including the SANs) from ha_cert_ext.cnf:

openssl x509 -req -in ha_shared.csr -CA haCA.crt -CAkey haCA.key -CAcreateserial \
-out ha_shared.crt -days 825 -sha256 -extfile ha_cert_ext.cnf


  4. Check that the SAN of the signed certificate contains both FortiGate serial numbers:

openssl x509 -in ha_shared.crt -noout -text | grep -A2 "Subject Alternative Name"
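The OpenSSL steps above, consolidated into one script that also performs the two checks the resulting certificate has to pass before it is imported: the leaf must chain to the CA that FortiManager will be told to trust, and each cluster member's serial must appear as a DNS SAN (an exact match, so a serial that is only a prefix of another is not accepted). This is an added example, not part of the KB article or of any Fortinet tooling. It assumes OpenSSL is installed, works in a scratch directory, uses -subj to skip the interactive prompts of the article's commands, and uses the two sample serial numbers from the extension file above; a real deployment substitutes the cluster members' actual serials.

```shell
#!/bin/sh
# Added example, not from the KB article: build the HA-shared certificate chain
# in a scratch directory and check the two properties the FGFM tunnel depends on.
# The serial numbers are the constructed sample values from the article.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERIAL_1="FGT61FTK21001234"   # sample serial, FortiGate #1
SERIAL_2="FGT61FTK21001235"   # sample serial, FortiGate #2

# Extension file read by the signing step (-extfile). No quotes around @alt_names:
# it is a reference to the [alt_names] section below.
write_ext_file() {
    cat > "$WORKDIR/ha_cert_ext.cnf" <<EOF
keyUsage=critical,digitalSignature
authorityKeyIdentifier=keyid,issuer:always
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE
subjectAltName=@alt_names

[alt_names]
DNS.1 = $SERIAL_1
DNS.2 = $SERIAL_2
EOF
}

# CA key + self-signed CA cert, then the shared leaf key, CSR and signed cert.
# -subj replaces the interactive prompts of the article's commands.
build_chain() {
    write_ext_file
    openssl genrsa -out "$WORKDIR/haCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORKDIR/haCA.key" -sha256 -days 3650 \
        -subj "/CN=Example third-party CA" -out "$WORKDIR/haCA.crt" 2>/dev/null
    openssl genrsa -out "$WORKDIR/ha_shared.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/ha_shared.key" -subj "/CN=ha_shared" \
        -out "$WORKDIR/ha_shared.csr" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/ha_shared.csr" \
        -CA "$WORKDIR/haCA.crt" -CAkey "$WORKDIR/haCA.key" -CAcreateserial \
        -out "$WORKDIR/ha_shared.crt" -days 825 -sha256 \
        -extfile "$WORKDIR/ha_cert_ext.cnf" 2>/dev/null
}

# Check 1: the leaf chains to the CA FortiManager is pinned to via fgfm-ca-cert.
chain_ok() {
    openssl verify -CAfile "$WORKDIR/haCA.crt" "$WORKDIR/ha_shared.crt" >/dev/null 2>&1
}

# Check 2: the given device serial is present as a DNS SAN. The SAN line lists
# entries as "DNS:a, DNS:b", so require a comma or end of line after the serial.
san_has_serial() {
    openssl x509 -in "$WORKDIR/ha_shared.crt" -noout -text \
        | grep -A1 "Subject Alternative Name" \
        | grep -Eq "DNS:$1(,|\$)"
}

# Stand-alone run: build everything and report the checks.
build_chain
if chain_ok; then echo "ha_shared.crt chains to haCA.crt"; fi
for s in "$SERIAL_1" "$SERIAL_2"; do
    if san_has_serial "$s"; then echo "SAN covers $s"; fi
done
```

Run it once per cluster before importing: if chain_ok fails, the wrong CA was used to sign (the same mismatch FortiManager would report); if a serial is missing from the SAN, fix [alt_names] and re-sign rather than importing a certificate that covers only one HA member.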

 

  5. Import the third-party CA certificate and the signed certificate to FortiGate and FortiManager.

  • FortiGate: System -> Certificates -> Import ha_shared.crt, haCA.crt.
  • FortiManager: System -> Certificates -> Import haCA.crt.

FortiManager also implicitly trusts the CA that signs Fortinet_Factory certificates as long as fgfm-cert-exclusive is left at its default of 'disable'. If it is set to 'enable', FortiManager trusts only the CA specified in 'set fgfm-ca-cert'.

config system global
    set fgfm-cert-exclusive disable
end

(Keep the default setting.)


  6. Apply the third-party certificate for establishing the FGFM tunnel session:

  • FortiGate:

config system central-management
    set local-cert ha_shared
end

  • FortiManager:

config system global
    set fgfm-ca-cert haCA
end


  7. Verify the FortiManager tunnel session is established successfully.