Troubleshooting Tip: EMS certificate not trusted with customized certificate

By default, the EMS server will generate its default CA certificate which needs to be manually imported to the FortiGate.

Refer to this document for more detail: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/185333/forticlient-ems

In case customers want to use personal certificates, FortiGate must trust the certificate chain to authorize the EMS server. If the root CA certificate has been imported but the error still occurs, this would mainly be because the intermediate CA certificate is not properly imported which can be solved by following these steps:

1. From the EMS GUI page, download the intermediate CA certificate. In this case, it is R3. Choose the right certificate and select export.

2. When downloaded, upload this to FortiGate as CA Certificate.

3. After this, re-create the EMS connector again and the server will be authorized.
4. If the 'EMS server certificate is not signed by any known CA' error still appears, check all CA certificates were correctly added to the FortiGate (wildcard, R3 and ISRG). They should appear in the area of the certificate under Remote CA Certificate.
   
   In the configuration side :

set status enable
set name "test"
set dirty-reason none
set fortinetone-cloud-authentication disable
set server "server-name.com"
set https-port 443     <----- port should be responsive

Try to ping the server and the IP resolved to:

exe ping server-name.com