FortiGate
cravikumar
Staff
Article Id 344922
Description

This article explains how to resolve common invalid certificate errors encountered during SSL VPN user authentication using SAML.

Error: 'NET:ERR_CERT_COMMON_NAME_INVALID'.

Scope

FortiGate.
Solution

When SAML authentication is used for SSL VPN, the URL the user is redirected to contains the FortiGate's IP address instead of a domain name.

The browser checks the certificate and finds that it was issued to the xxx.xxx.org domain instead of the IP address. This mismatch causes the 'NET:ERR_CERT_COMMON_NAME_INVALID' error.

There are two ways to resolve it.

1. Replace the IP address with the domain name in the SAML configuration, so that the redirect URL uses the name the certificate was issued to.

2. Add the IP address to the certificate as a Subject Alternative Name (SAN) entry, so that the certificate is valid for the IP address as well as the domain name.


Note: After replacing the IP address with the domain name, update the IdP configuration so that the SP-provided URLs use the domain name instead of the IP address, and make sure the URLs match on the SP and the IdP.
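To see why the browser rejects the redirect and why either fix works, here is an added example (not part of this article or of FortiOS) that reproduces the browser's certificate name check: an IP literal in the URL is only accepted if the certificate carries a matching IP SAN, while a DNS host is checked against the DNS SANs. The certificate descriptions, the IP 203.0.113.10 and the vpn.example.org name are constructed; the /remote/saml/login path is illustrative.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed certificate descriptions (not real FortiGate certificates):
# the original cert is issued to the domain only; the fixed one also has an IP SAN.
CERT_DOMAIN_ONLY = {"cn": "vpn.example.org", "san": [("DNS", "vpn.example.org")]}
CERT_WITH_IP_SAN = {"cn": "vpn.example.org",
                    "san": [("DNS", "vpn.example.org"), ("IP", "203.0.113.10")]}

def _dns_match(pattern, host):
    """RFC 6125 style comparison: case-insensitive, wildcard only in the left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return h[1:] == p[1:]
    return p == h

def cert_matches_url(cert, url):
    """Mimic the browser's name check for the host in a redirect URL.

    An IP literal only matches an iPAddress SAN (the CN never covers an IP);
    a DNS host only matches a dNSName SAN, with the CN used only when the
    certificate has no SAN at all (legacy behaviour).  Returns (ok, reason)
    so the caller can see why NET::ERR_CERT_COMMON_NAME_INVALID is raised.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False, "no host in URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    san = cert["san"]
    if ip is not None:
        for kind, value in san:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, f"IP {ip} present in SAN"
        return False, f"IP {ip} not in SAN (CN {cert['cn']!r} does not cover IP literals)"
    dns_names = [v for k, v in san if k == "DNS"] or [cert["cn"]]
    for name in dns_names:
        if _dns_match(name, host):
            return True, f"host {host} matches {name}"
    return False, f"host {host} matches none of {dns_names}"

if __name__ == "__main__":
    for cert in (CERT_DOMAIN_ONLY, CERT_WITH_IP_SAN):
        for url in ("https://203.0.113.10:10443/remote/saml/login",
                    "https://vpn.example.org:10443/remote/saml/login"):
            print(url, "->", cert_matches_url(cert, url))
```

Running it shows the IP-based redirect failing against the domain-only certificate and succeeding after either fix (domain name in the URL, or IP SAN on the certificate).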