dwickramasinghe1
Article Id 356946
Description This article describes how to troubleshoot SSL VPN certificate issues from the FortiClient Microsoft Store App.
Scope FortiClient Microsoft App, FortiGate.
Solution

The FortiClient Microsoft Store App is commonly used with laptops that have ARM-based processors. Currently, the standalone and EMS versions of FortiClient do not support ARM-based processors, so the FortiClient Microsoft Store App is used as an alternative.


The SSL VPN tunnel mode is no longer supported starting from v7.6.3: see 'SSL VPN tunnel mode no longer supported'.

From March 20, 2025, FortiClient for ARM architecture (FortiClientVPNSetup_7.4.3.1790_ARM64.exe) has been published on the Fortinet Support Portal.

When attempting to connect to SSL VPN with the FortiClient App, the endpoint needs to fully trust the SSL VPN certificate; otherwise, the following error occurs:

"SSLVPN Error: Code=-30001010(v1.0.1041)
HTTPS failed(NullResponse)

HTTPS Exception: HResult=0x80072F0D
The certificate authority is invalid or incorrect"

To resolve this, ensure that the SSL VPN CA certificate is installed in the endpoint certificate store.

  1. Check the SSL VPN certificate configured under VPN -> SSL-VPN settings.

  2. Check the Certificate Authority (issuer) of the configured SSL VPN certificate: go to System -> Certificates, locate the configured SSL VPN certificate, and check the issuer information field.

  3. Download the correct CA certificate and upload the file to the endpoint certificate store.

Another certificate-related SSL VPN error is the common name mismatch. The SSL VPN URL needs to match the common name (CN) value or the subject alternative name (SAN) value within the SSL VPN certificate. If the URL matches neither value, the following error occurs:

SSLVPN error: code= -30001010(v1.0.1041)
HTTPS failed.(NullResponse)

HTTPS Exception: HResult=0x80072F06

The host name in the certificate is invalid or does not match

Note:

This error is unrelated to the certificate authority error above. It is possible that the endpoint trusts the CA but does not trust the connection due to this mismatch.

This error occurs because the SSL VPN URL does not match the CN/SAN value on the SSL VPN certificate.


To resolve this, it is recommended to change the SSL VPN URL to match the common name of the SSL VPN certificate.

As an alternative, it is also possible to utilize the 'subject alternative names' (SAN) within the certificate.
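
The CN/SAN comparison described above can be checked before connecting. The following is an added example, not Fortinet code: it assumes the certificate is available in the dict layout of Python's `ssl.SSLSocket.getpeercert()`, uses constructed placeholder names and addresses, and assumes SAN entries take precedence over the CN with a wildcard covering only the left-most label.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict layout of ssl.SSLSocket.getpeercert();
# the names and address are placeholders, not values from the article.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),
                       ("DNS", "*.remote.example.com"),
                       ("IP Address", "203.0.113.10")),
}

def cert_names(cert):
    """Return (dns_names, ip_names) the certificate can be matched against.

    Assumption: SAN entries are used when present and the subject CN is
    only a fallback; a given client may be more lenient than this.
    """
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            dns += [v.lower() for k, v in rdn if k == "commonName"]
    return dns, ips

def dns_match(host, pattern):
    """Exact match, or a '*' standing for exactly the left-most label."""
    h, p = host.lower().rstrip(".").split("."), pattern.split(".")
    return len(h) == len(p) and p[0] in ("*", h[0]) and h[1:] == p[1:]

def check_vpn_url(url, cert):
    """Return (ok, host, names) for the host part of an SSL VPN URL."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(host)
        ok = any(ipaddress.ip_address(i) == addr for i in ips)
    except ValueError:  # not an IP literal, so compare as a DNS name
        ok = any(dns_match(host, p) for p in dns)
    return ok, host, dns + ips

if __name__ == "__main__":
    for url in ("https://vpn.example.com:10443", "203.0.113.10:10443",
                "gw1.remote.example.com", "sslvpn.example.com:10443?ice=1"):
        ok, host, names = check_vpn_url(url, SAMPLE_CERT)
        print(f"{host}: {'match' if ok else 'MISMATCH'} (certificate names: {names})")
```

A MISMATCH result corresponds to the host name error (HResult=0x80072F06) shown above; it says nothing about whether the issuing CA is trusted.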


To ignore certificate warnings from the FortiClient Microsoft App, add '?ice=1' at the end of the SSL VPN URL. (Using 'ice=1' tells Windows to ignore server certificate errors.)

Note:

No technical support is offered for this application, and it is not integrated with FortiClient EMS.