FortiGate
acevik
Staff
Article Id 412329
Description This article describes the reason for an 'EMS certificate not trusted' error when integrating FortiClient EMS with FortiGate, even after importing the intermediate CA.
Scope FortiGate.
Solution

When users choose to use their own certificates, the FortiGate appliance needs to trust the full certificate chain in order to authorize the EMS server. The most common cause is that the intermediate CA certificate has not been correctly installed. The problem and solution are explained in Troubleshooting Tip: EMS certificate not trusted with customized certificate.

There are cases where the issue persists even after the intermediate CA has been imported correctly. In these cases, the CA that signed the intermediate certificate is in question.

The certificate chain presented by the EMS server can be confirmed from a host PC with the OpenSSL tool.

Example:

openssl s_client -connect <ems-server>:443 -showcerts

depth=3 C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
verify return:1
depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
verify return:1
depth=1 C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 C=FR, ST=France, O=Example, CN=*.example.fr
verify return:1

As in the output above, depth=0 is the server certificate and depth=1 is the intermediate certificate that has been imported to FortiGate.

The 'USERTrust RSA Certification Authority' certificate at depth=2 is signed by 'AAA Certificate Services'.

However, the FortiGate CMDB stores another version of this CA, in which 'USERTrust RSA Certification Authority' is a self-signed certificate (subject and issuer are identical):

 

get vpn certificate ca details | grep 'USERTrust RSA Certification Authority' -A4
Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Valid from: 2010-02-01 00:00:00 GMT
Valid to: 2038-01-18 23:59:59 GMT
Fingerprint: E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
Serial Num: 01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d

Note:

It is good practice to use the OpenSSL tool, since the Windows certificate viewer might not show the entire chain. The screenshot below illustrates that AAA Certificate Services is not visible in the chain.

TLS_CERT1.png

Conclusion:

Some CAs exist in more than one version: certificates with the same subject name but a different issuer, signature and fingerprint, such as the self-signed root and the cross-signed copy of 'USERTrust RSA Certification Authority' shown above. In such cases, even if the expected version is installed on FortiGate, certificate chain verification is likely to fail because the wrong CA is picked.

Therefore, for the verification to succeed, the CA version presented by the EMS server must be the same as the one in FortiGate's root certificate store.

The crt.sh search tool lists all issued certificates, which helps to identify the different versions of the same CA.
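As an added example (not part of this article or of any Fortinet tool), the following POSIX shell script performs the comparison described above offline: it splits a PEM chain saved from 'openssl s_client -showcerts' into its certificates, reports for each one whether it is self-signed or issued by another CA, and checks whether the CA presented in the chain has the same SHA-1 fingerprint as a CA certificate exported from the FortiGate store. The chain file and the exported store certificate are assumed inputs.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: inspect a PEM chain saved from
# `openssl s_client -connect <ems-server>:443 -showcerts` and check whether the CA
# version presented by the EMS server is the same certificate (same fingerprint)
# as the one installed on FortiGate, exported to a PEM file (assumed input).
set -eu

# chain_report CHAIN.pem
# Prints one line per certificate, in chain order:
#   <index>|<self-signed|issued>|<SHA-1 fingerprint>|<subject>|<issuer>
chain_report() {
    dir=$(mktemp -d)
    # Split the bundle into cert1.pem, cert2.pem, ... keeping only the PEM blocks,
    # so s_client's surrounding text (depth lines, session info) is dropped.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++; f=1}
                     f{print > (d "/cert" n ".pem")}
                     /-----END CERTIFICATE-----/{f=0}' "$1"
    i=1
    while [ -f "$dir/cert$i.pem" ]; do
        subj=$(openssl x509 -in "$dir/cert$i.pem" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$dir/cert$i.pem" -noout -issuer | sed 's/^issuer= *//')
        fp=$(openssl x509 -in "$dir/cert$i.pem" -noout -fingerprint -sha1 | cut -d= -f2)
        # A root is self-signed (subject == issuer); a cross-signed copy of the same
        # CA has the same subject but a different issuer and fingerprint.
        if [ "$subj" = "$iss" ]; then kind=self-signed; else kind=issued; fi
        printf '%s|%s|%s|%s|%s\n' "$i" "$kind" "$fp" "$subj" "$iss"
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# ca_version_matches CHAIN.pem STORE_CA.pem
# Exit status: 0 = the CA in the chain is the same certificate as STORE_CA,
#              1 = same subject but a different certificate (wrong CA version),
#              2 = no certificate with that subject is in the chain at all.
ca_version_matches() {
    want_subj=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
    want_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha1 | cut -d= -f2)
    report=$(mktemp)
    chain_report "$1" > "$report"
    status=2
    while IFS='|' read -r n kind fp subj iss; do
        [ "$subj" = "$want_subj" ] || continue
        if [ "$fp" = "$want_fp" ]; then status=0; else status=1; fi
    done < "$report"
    rm -f "$report"
    return "$status"
}
```

Run 'ca_version_matches chain.pem store_ca.pem' after saving the s_client output to chain.pem and the CA from FortiGate to store_ca.pem; an exit status of 1 is the situation in this article, where the same CA name is present on both sides but as different certificates.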