Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mle2802
Staff
Staff

Created on ‎12-21-2022 06:11 AM Edited on ‎09-26-2024 05:55 AM By Moderator

Article Id 240087

Troubleshooting Tip: EMS certificate not trusted with customized certificate

 

Description This article describes how to solve the error 'EMS certificate not trusted' when integrating FortiClient EMS with FortiGate.
Scope FortiGate.
Solution

By default, the EMS server will generate its default CA certificate which needs to be manually imported to the FortiGate.

 

Refer to this document for more detail: FortiClient EMS.

In case users want to use personal certificates, FortiGate must trust the certificate chain to authorize the EMS server. If the root CA certificate has been imported but the error still occurs, this would mainly be because the intermediate CA certificate is not properly imported which can be solved by following these steps:

 

  1. From the EMS GUI page, download the intermediate CA certificate. In this case, it is R3. Choose the right certificate and select export.

 

mle2802_0-1671629734668.png

 

  1. When downloaded, upload this to FortiGate as CA Certificate.

 

mle2802_1-1671629734685.png

 

Note: In case of using VDOMs, upload the certificate to the global VDOM besides the VDOM that the fabric connector is in.

 

  1. After this, re-create the EMS connector again and the server will be authorized.
  2. If the 'EMS server certificate is not signed by any known CA' error still appears, check all CA certificates were correctly added to the FortiGate (wildcard, R3 and ISRG). They should appear in the area of the certificate under Remote CA Certificate.

 

In the configuration side :

 

set status enable
set name "test"
set dirty-reason none
set fortinetone-cloud-authentication disable
set server "server-name.com"
set https-port 443     <----- Port should be responsive.

 

Try to ping the server and the IP resolved to:

 

exe ping server-name.com

 

If the freely available Let's Encrypt certificates are used on the EMS (Adding an SSL certificate to FortiClient EMS), updated root CA and intermediary CA are available for download in multiple formats from Chains of Trust - Let's Encrypt (letsencrypt.org).

 

The following commands can be helpful with troubleshooting the Fabric connection between FortiGate and EMS.

  • Test FortiGate to FortiClient EMS connectivity: diagnose endpoint fctems test-connectivity <EMS>
  • Verify FortiClient EMS’s certificate: execute fctems verify <EMS>
  • Show EMS connectivity information: diagnose test application fcnacd 2
Labels:
30507
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.