hbac
Staff
Article Id 420022
Description This article describes an issue where PKI administrator login with certificate authentication does not work.
Scope FortiGate. 
Solution

In this example, the PKI administrator is redirected back to the login page after selecting the certificate during a login attempt on the administrative GUI.

The debug output shows the 'Certificate is not yet valid' message (some output omitted).

diagnose debug res
diagnose debug app fnbamd -1

diagnose debug en

[103] __cert_chg_st- 'Init'
[201] fnbamd_cert_load_certs_from_req-1 cert(s) in req.
[372] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[337] fnbamd_chain_build-Following depth 1
[99] __cert_chg_st- 'Init' -> 'Validation'
[1011] __cert_verify-Chain is complete.
[550] fnbamd_cert_verify-Following cert chain depth 0
[555] fnbamd_cert_verify-Certificate is not yet valid
[625] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[705] fnbamd_cert_check_group_list-checking group with name 'PKI_ADMIN'
[518] __check_add_peer-check 'user2'
[394] peer_subject_cn_check-Cert subject 'C = CA, ST = Ontario, L = Ottawa, O = Fortinet, CN = user2'
[322] __RDN_match-Checking 'CN' val 'user2' -- match.
[352] __cert_subject_RDN_compare-Total matched RDNs in cert: 1
[419] peer_subject_cn_check-Subject is good.
[525] __check_add_peer-'user2' check ret:good
[1264] fnbamd_cert_auth_copy_cert_status-Matched peer user 'user2'
[946] fnbamd_cert_check_matched_groups-matched
[884] fnbamd_cert_check_matched_groups-checking group with name 'PKI_ADMIN'
[239] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 16003124404225, len=2614
[137] fnbamd_peer_ctx_free-Freeing peer ctx 'user2'

 

This issue is due to a time discrepancy. In this example, the client certificate is valid from November 20, 2025 3:24:37 PM.

However, the FortiGate's current date and time was 2025/11/20 09:30:43 (AM), which is before the 'valid from' date of the client certificate.

To resolve this issue, there are two options:

  1. If the current time zone is incorrect, adjust the FortiGate time zone under System -> Settings so that the FortiGate's date and time are after the 'valid from' date and time of the client certificate.
  2. Wait until the FortiGate's time surpasses the 'valid from' date of the client certificate. 
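
A triage sketch for the case above, added here as an example (not Fortinet code): it pulls the validity failure, issuer and matched peer out of the fnbamd lines shown in this article and computes how far the FortiGate clock is from the certificate's 'valid from' time. The function names are hypothetical, and it assumes the two times quoted in this article are in the same time zone.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the fnbamd debug output shown in this article.
FNBAMD_DEBUG = """\
[1011] __cert_verify-Chain is complete.
[550] fnbamd_cert_verify-Following cert chain depth 0
[555] fnbamd_cert_verify-Certificate is not yet valid
[625] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[419] peer_subject_cn_check-Subject is good.
[1264] fnbamd_cert_auth_copy_cert_status-Matched peer user 'user2'
[946] fnbamd_cert_check_matched_groups-matched
"""

# Times quoted in this article. Assumption: both are in the same time zone.
NOT_BEFORE = datetime(2025, 11, 20, 15, 24, 37)   # certificate 'valid from'
DEVICE_NOW = datetime(2025, 11, 20, 9, 30, 43)    # FortiGate date and time


def triage(debug_text):
    """Summarize one certificate check from fnbamd debug output."""
    summary = {"not_yet_valid_depth": None, "issuer": None,
               "peer": None, "group_matched": False}
    depth = None
    for line in debug_text.splitlines():
        if m := re.search(r"Following cert chain depth (\d+)", line):
            depth = int(m.group(1))      # depth the following messages refer to
        elif "Certificate is not yet valid" in line:
            summary["not_yet_valid_depth"] = depth
        elif m := re.search(r"Issuer found: (\S+)", line):
            summary["issuer"] = m.group(1)
        elif m := re.search(r"Matched peer user '([^']+)'", line):
            summary["peer"] = m.group(1)
        elif line.rstrip().endswith("fnbamd_cert_check_matched_groups-matched"):
            summary["group_matched"] = True
    return summary


def time_until_valid(not_before, device_now):
    """Time the device clock must advance before 'valid from' is reached."""
    return max(not_before - device_now, timedelta(0))


if __name__ == "__main__":
    result = triage(FNBAMD_DEBUG)
    if result["not_yet_valid_depth"] is not None:
        print("peer:", result["peer"], "| issuer:", result["issuer"],
              "| group matched:", result["group_matched"])
        print("certificate at depth", result["not_yet_valid_depth"],
              "is not yet valid; 'valid from' is ahead of the device clock by",
              time_until_valid(NOT_BEFORE, DEVICE_NOW))
```

The summary makes the pattern in this debug output visible: the issuer, peer and group all match, so the validity message is the only failing check, and the time difference is how long option 2 would take.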

 

Related article: 

Technical Tip: Configure admin certificate authentication