FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mle2802
Staff
Staff
Article Id 240087
Description This article describes how to solve the error 'EMS certificate not trusted' when integrating FortiClient EMS with FortiGate.
Scope FortiGate.
Solution

By default, the EMS server will generate its default CA certificate which needs to be manually imported to the FortiGate.

 

Refer to this document for more detail: FortiClient EMS

In case customers want to use personal certificates, FortiGate must trust the certificate chain to authorize the EMS server. If the root CA certificate has been imported but the error still occurs, this would mainly be because the intermediate CA certificate is not properly imported which can be solved by following these steps:

 

  1. From the EMS GUI page, download the intermediate CA certificate. In this case, it is R3. Choose the right certificate and select export.

 

mle2802_0-1671629734668.png

 

  1. When downloaded, upload this to FortiGate as CA Certificate.

 

mle2802_1-1671629734685.png
  1. After this, re-create the EMS connector again and the server will be authorized.
  2. If the 'EMS server certificate is not signed by any known CA' error still appears, check all CA certificates were correctly added to the FortiGate (wildcard, R3 and ISRG). They should appear in the area of the certificate under Remote CA Certificate.

In the configuration side :

 

set status enable
set name "test"
set dirty-reason none
set fortinetone-cloud-authentication disable
set server "server-name.com"
set https-port 443     <----- port should be responsive

 

Try to ping the server and the IP resolved to:

 

exe ping server-name.com

 

If the freely available Let's Encrypt certificates are used on the EMS (Adding an SSL certificate to FortiClient EMS), updated root CA and intermediary CA  are available for download In multiple formats from Chains of Trust - Let's Encrypt (letsencrypt.org)

 

The following commands can be helpful with troubleshooting the Fabric connection between FortiGate and EMS.

  • Test FortiGate to FortiClient EMS connectivity: diagnose endpoint fctems test-connectivity <EMS>
  • Verify FortiClient EMS’s certificate: execute fctems verify <EMS>
  • Show EMS connectivity information: diagnose test application fcnacd 2