FortiGate
akushwaha
Staff
Article Id 424454
Description

This article describes an issue where FortiGate cannot connect to an on-prem FortiClient EMS server and shows the following error message:

 

Failed to verify the certificate for server "EMS 1 - EMS". The server
certificate cannot be authenticated with installed CA certificates. Please
install its CA certificates on this FortiGate.

Scope

FortiGate.

Solution

Error message in the GUI:

image (8).jpg

 

On CLI:

 

FGT-1 # diagnose endpoint fctems test-connectivity 1
Connection test had an error -4: EMS server certificate is not signed by any known CA.

FGT-1 # execute fctems verify 1
Error in requesting EMS fabric connection: -4
issue in getting capabilities. EMS server certificate is not signed by any known CA.
Error (-1@_get_capabilities:461).

Command fail. Return code -9999

 

Diagnostics:

Enable debugging in the firewall:


diagnose debug application fcnacd -1

diagnose debug enable

 

To disable it:

 

diagnose debug reset

 

Debug Output:

obj-id: 0, desc: "REST API to get EMS Serial Number.", entry: "api/v1/system/serial_number".
error info: Error (-1@__generic_process_result_ex:158). EMS server certificate is not signed by any known CA.

 

This error occurs when the FortiClient EMS certificate fails validation against a remote Certificate Authority (CA). The initial troubleshooting step is to verify that all certificates in the trust chain, including intermediate and root certificates, are correctly installed on the FortiGate.

 

If custom certificates are used, the FortiGate must trust the entire certificate chain to authorize the FortiClient EMS server. If the root CA certificate has already been imported and the error persists, the most likely cause is that the intermediate CA certificate has not been correctly imported.
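
The missing-intermediate case described above, reproduced with OpenSSL on a workstation as an added example (not part of the original article and not Fortinet tooling). It assumes OpenSSL's chain validation as a stand-in for the FortiGate's check; Demo-Root-CA and ems.example.test are constructed placeholders, and EMS-CA is used here as the intermediate CA.

```bash
#!/usr/bin/env bash
# Constructed lab chain: Demo-Root-CA -> EMS-CA (intermediate) -> ems.example.test.
# Demo-Root-CA and ems.example.test are placeholders; no real EMS server is contacted.

# issue <dir> <name> <CN> <extfile> [issuer-name]; self-signed when no issuer is given
issue() {
  local d="$1" n="$2" cn="$3" ext="$4" ca="${5:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  if [ -z "$ca" ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -CAcreateserial -days 2 -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
  fi
}

build_demo_chain() {  # $1 = empty working directory
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ems.example.test\n' > "$d/srv.ext"
  issue "$d" root "Demo-Root-CA" "$d/ca.ext" &&
  issue "$d" int "EMS-CA" "$d/ca.ext" root &&
  issue "$d" srv "ems.example.test" "$d/srv.ext" int
}

# Who signed this certificate? The issuer names the CA that must be imported.
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

# trusted_by <server cert> <CA cert>...: succeeds only if the listed CA
# certificates alone are enough to build a chain from the server cert to a root.
trusted_by() {
  local cert="$1"; shift
  cat "$@" > "$cert.store"
  openssl verify -CAfile "$cert.store" "$cert" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d) || return 1
  build_demo_chain "$d" || return 1
  issuer_of "$d/srv.pem"
  trusted_by "$d/srv.pem" "$d/root.pem" && echo "root only: OK" || echo "root only: FAIL (intermediate missing)"
  trusted_by "$d/srv.pem" "$d/root.pem" "$d/int.pem" && echo "root + intermediate: OK" || echo "root + intermediate: FAIL"
  rm -rf "$d"
}
demo
```

The same `issuer_of` and `trusted_by` checks can be run against the exported EMS webserver certificate and the CA files intended for import before changing anything on the FortiGate.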

 

Verify the Server Certificate configured on FortiClient EMS to connect with FortiGate.

 

On FortiClient EMS:

Go to System Settings -> EMS Settings -> Webserver certificate:

image (9).jpg

 

Here, the custom certificate is configured as the Webserver Certificate. Check the CA of the server certificate. It can be validated as shown below:

Screenshot 2025-12-24 141129.png

 

Here, the Server Certificate is signed by EMS-CA. Make sure to install the CA certificate on FortiGate.

On FortiGate:

Go to System -> Certificates -> Create/Import -> CA Certificate and import the CA certificate:

 

Screenshot 2025-12-24 141421.png

 

Afterwards, FortiGate will be connected to the FortiClient EMS server.

FGT-1 # execute fctems verify 1
EMS already verified.

FGT-1 # diagnose endpoint fctems test-connectivity 1
Connection test was successful.