Description: This article describes the reason for an 'EMS certificate not trusted' error when integrating FortiClient EMS with FortiGate, even after importing the intermediate CA.
Scope: FortiGate.
Solution:
When users choose to use their own certificates, the FortiGate appliance needs to trust the full certificate chain in order to authorize the EMS server. The most common cause is that the intermediate CA certificate has not been correctly installed. The problem and solution are explained in Troubleshooting Tip: EMS certificate not trusted with customized certificate.
There are cases where the issue persists even after the intermediate CA has been imported correctly. In these cases, the CA that signs the intermediate certificate is the one in question.
The certificate chain presented by the EMS server can be confirmed from a host PC with the OpenSSL tool.
Example:
openssl s_client -connect <ems-server>:443 -showcerts
In the output of this command, depth=0 shows the server certificate and depth=1 shows the intermediate certificate that has been imported to FortiGate. The 'USERTrust RSA Certification Authority' certificate at depth=2 is signed by 'AAA Certificate Services'.
However, FortiGate CMDB stores another version of the CA, where 'USERTrust RSA Certification Authority' is a self-signed certificate:
get vpn certificate ca details | grep 'USERTrust RSA Certification Authority' -A4
19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
Note: It is good practice to use the OpenSSL tool, since the Windows certificate viewer might not show the entire chain. The screenshot below illustrates that AAA Certificate Services is not visible in the chain.
Conclusion:
Some CAs exist in more than one version (for example a self-signed copy and a cross-signed copy with the same subject name). In such cases, even if the expected version is installed on FortiGate, the certificate chain verification is likely to fail because the wrong CA copy is picked. For the verification to succeed, the CA version presented in the EMS server's chain must be the same one that is held in the FortiGate's root certificate store.
The crt.sh search tool lists all issued certificates, helping with the identification of different versions of the same CA.
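The following script is an added demonstration, not part of the Fortinet article: it builds a toy CA in the two versions described above (self-signed, and cross-signed by a second root, sharing one key), then splits a constructed `openssl s_client -showcerts` style dump into one certificate per depth and prints the subject, issuer and SHA-1 fingerprint of each, which is what needs to be compared against the fingerprint shown by `get vpn certificate ca details`. The CA names are reused only as labels; all keys and certificates are generated on the fly.

```shell
#!/bin/sh
# Added example: same CA subject, two versions (self-signed vs cross-signed),
# same public key, different fingerprints. All material here is constructed.
set -e
work=$(mktemp -d); cd "$work"
newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }
newkey aaa.key; newkey ut.key; newkey ems.key
# Toy "AAA" root (self-signed)
openssl req -new -x509 -key aaa.key -subj '/CN=AAA Certificate Services' -days 30 -out aaa.pem 2>/dev/null
# Version A of the toy "USERTrust" CA: self-signed (the copy a root store typically holds)
openssl req -new -x509 -key ut.key -subj '/CN=USERTrust RSA Certification Authority' -days 30 -out ut_self.pem 2>/dev/null
# Version B: same subject and same key, but cross-signed by the AAA root
openssl req -new -key ut.key -subj '/CN=USERTrust RSA Certification Authority' -out ut.csr 2>/dev/null
openssl x509 -req -in ut.csr -CA aaa.pem -CAkey aaa.key -CAcreateserial -days 30 -out ut_cross.pem 2>/dev/null
# Toy EMS server certificate, issued with the USERTrust key
openssl req -new -key ems.key -subj '/CN=ems.example.test' -out ems.csr 2>/dev/null
openssl x509 -req -in ems.csr -CA ut_cross.pem -CAkey ut.key -CAcreateserial -days 30 -out ems.pem 2>/dev/null
# Constructed stand-in for `openssl s_client -showcerts` output: the server sends version B
{ echo 'Certificate chain'; cat ems.pem ut_cross.pem; } > showcerts.txt

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2; }
# Returns 0 when two certificates carry the same public key (two versions of one CA)
same_key() { [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]; }
# Split a -showcerts dump into one PEM file per depth and print subject, issuer and fingerprint
list_chain() {
  awk '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("chain_%02d.pem", n); p=1}
       p{print > f} /-----END CERTIFICATE-----/{p=0; close(f)}' "$1"
  d=0
  for f in chain_*.pem; do
    printf 'depth=%d %s %s fingerprint=%s\n' "$d" "$(openssl x509 -in "$f" -noout -subject)" \
      "$(openssl x509 -in "$f" -noout -issuer)" "$(fingerprint "$f")"
    d=$((d + 1))
  done
}
list_chain showcerts.txt
echo "fingerprint of the store copy (version A): $(fingerprint ut_self.pem)"
```

The last two lines of output show the mismatch the article describes: the CA at the top of the presented chain and the copy in the store have the same name and key but different fingerprints, so a fingerprint comparison, not a name comparison, tells the two versions apart.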
Copyright 2025 Fortinet, Inc. All Rights Reserved.