FortiGate
hlngan
Staff
Article Id 342350
Description This article describes the web filtering block page showing 'err_ssl_server_cert_bad_format' even though the certificate has been imported and replaced on both the FortiGate and the client PC.
Scope FortiGate.
Solution

If the block page shows 'err_ssl_server_cert_bad_format', check the certificate that the FortiGate uses as its HTTPS server certificate.

It is also possible to download the certificate from the browser and inspect it with third-party tools such as OpenSSL; the listings below are OpenSSL's text dump of each certificate.

Here are a few examples:

  1. The FortiGate self-signed certificate, which works:


Certificate:
Data:
Version: 3 (0x2)
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxx (0x18021b6b2b087d41)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=FGxxxxxxxxxxxxxxxxxxx/emailAddress=support@fortinet.com
Validity
Not Before: Jul 9 07:24:49 2024 GMT
Not After : Jul 8 02:01:24 2034 GMT
Subject: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=xxxx.com/emailAddress=support@fortinet.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:xxxx.com

  2. A CA certificate, which works:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
xxxxxxxxxxxxxxxxxxxxxxxx
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=HK, ST=Hong Kong, L=Hong Kong, O=LCSD, OU=ITO, CN=xxxxxxxxxxxxxxxxxxxxxxxx/emailAddress=networkadmin@xxxxxx
Validity
Not Before: Dec 18 02:56:08 2019 GMT
Not After : Dec 15 02:56:08 2029 GMT
Subject: C=HK, ST=Hong Kong, L=Hong Kong, O=LCSD, OU=ITO, CN=xxxxxxxxxxxxxxxxxxxxxxxx/emailAddress=networkadmin@xxxxxx
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:.....

  3. A customized certificate that has the issue:

Certificate:
Data:
Version: 1 (0x0)
Serial Number:
xxxxxxxxxxxxxxxxxxxxxx
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=HK, ST=HK, L=HK, O=xxxx, OU=xxx, CN=xxxx.com/emailAddress=xxxx@xxxx.com
Validity
Not Before: Mar 13 03:33:23 2017 GMT
Not After : Mar 11 03:33:23 2027 GMT
Subject: C=xx, ST=xx, L=xx, O=xxxx, OU=xxx, CN=xxxx.com/emailAddress=xxxx@xxxx.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
.......

The difference between the working certificates and the failing one is the X.509 version: the first two are version 3 (0x2), while the customized certificate is version 1 (0x0). A version 1 certificate cannot carry X509v3 extensions, so it has no Basic Constraints, Key Usage or Subject Alternative Name. Chrome does not accept a version 1 server certificate, so the block page shows 'err_ssl_server_cert_bad_format'.

The issue is not with the FortiGate: the error is raised by Chrome when it validates the certificate presented with the block page.

To resolve this, either use the default self-signed certificate or regenerate the HTTPS server certificate as an X.509 version 3 certificate (with the extensions shown in the working examples) and import it into the FortiGate.
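As an added example (not Fortinet's code and not part of the original article), the following Python script reads the X.509 version directly from the certificate's DER structure and reports whether a subjectAltName extension is present, which is the same check the OpenSSL listings above let you do by eye. It assumes the certificate was saved from the browser in PEM or DER form. The two sample certificates it builds are constructed skeletons with placeholder fields, not real signed certificates, and all function and constant names are the example's own.

```python
import base64
import re

# ASN.1 tags used below (universal tags plus the context-specific ones in tbsCertificate)
TAG_INTEGER, TAG_BITSTRING, TAG_OCTETSTRING, TAG_NULL, TAG_OID = 0x02, 0x03, 0x04, 0x05, 0x06
TAG_UTCTIME, TAG_SEQUENCE = 0x17, 0x30
TAG_VERSION = 0xA0      # version [0] EXPLICIT in tbsCertificate
TAG_EXTENSIONS = 0xA3   # extensions [3] EXPLICIT in tbsCertificate (v3 only)
TAG_DNSNAME = 0x82      # dNSName [2] IA5String inside GeneralNames
OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")              # 2.5.29.17
OID_SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11


def der_encode(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Yield (tag, content) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = der_read(buf, pos)
        yield tag, content


def pem_to_der(pem_text):
    """Strip the PEM armour (as saved from the browser) and return the raw DER bytes."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def inspect_certificate(der):
    """Return the X.509 version and whether a subjectAltName extension is present.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber, ...,
                                   extensions [3] EXPLICIT OPTIONAL }
    """
    tag, cert, _ = der_read(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a DER Certificate SEQUENCE")
    tag, tbs, _ = der_read(cert)
    if tag != TAG_SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(der_children(tbs))
    version = 1                                        # field absent means DEFAULT v1
    if fields and fields[0][0] == TAG_VERSION:
        int_tag, int_val = next(der_children(fields[0][1]))
        if int_tag != TAG_INTEGER:
            raise ValueError("version is not an INTEGER")
        version = int.from_bytes(int_val, "big") + 1   # encoded 2 == v3, matching 'Version: 3 (0x2)'
    has_san = False
    for tag, content in fields:
        if tag == TAG_EXTENSIONS:
            _, ext_list = next(der_children(content))  # SEQUENCE OF Extension
            for _, ext in der_children(ext_list):
                oid_tag, oid = next(der_children(ext)) # extnID is the first element of each Extension
                if oid_tag == TAG_OID and oid == OID_SUBJECT_ALT_NAME:
                    has_san = True
    return {"version": version, "has_san": has_san}


def problems(der):
    """Findings that explain a browser certificate error on the block page."""
    info = inspect_certificate(der)
    found = []
    if info["version"] != 3:
        found.append("not X.509 version 3 (version %d); Chrome reports err_ssl_server_cert_bad_format" % info["version"])
    if not info["has_san"]:
        found.append("no subjectAltName extension")
    return found


# --- constructed sample certificates: skeletons with placeholder fields, not signed or trusted ---

def _skeleton_cert(version, extensions=b""):
    """Build a Certificate with the tbsCertificate field order of RFC 5280; version=None omits the field (v1)."""
    sig_alg = der_encode(TAG_SEQUENCE, der_encode(TAG_OID, OID_SHA256_WITH_RSA) + der_encode(TAG_NULL, b""))
    utc = der_encode(TAG_UTCTIME, b"240709072449Z")
    tbs = b""
    if version is not None:
        tbs += der_encode(TAG_VERSION, der_encode(TAG_INTEGER, bytes([version - 1])))
    tbs += der_encode(TAG_INTEGER, b"\x01")            # serialNumber
    tbs += sig_alg                                     # signature
    tbs += der_encode(TAG_SEQUENCE, b"")               # issuer (empty Name placeholder)
    tbs += der_encode(TAG_SEQUENCE, utc + utc)         # validity
    tbs += der_encode(TAG_SEQUENCE, b"")               # subject (placeholder)
    tbs += der_encode(TAG_SEQUENCE, b"")               # subjectPublicKeyInfo (placeholder)
    if extensions:
        tbs += der_encode(TAG_EXTENSIONS, der_encode(TAG_SEQUENCE, extensions))
    return der_encode(TAG_SEQUENCE, der_encode(TAG_SEQUENCE, tbs) + sig_alg + der_encode(TAG_BITSTRING, b"\x00"))


SAN_EXTENSION = der_encode(TAG_SEQUENCE, der_encode(TAG_OID, OID_SUBJECT_ALT_NAME)
                           + der_encode(TAG_OCTETSTRING, der_encode(TAG_SEQUENCE, der_encode(TAG_DNSNAME, b"xxxx.com"))))
V3_CERT = _skeleton_cert(3, SAN_EXTENSION)   # like examples 1 and 2: Version: 3 (0x2) with SAN
V1_CERT = _skeleton_cert(None)               # like example 3: Version: 1 (0x0), no extensions possible
V3_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(V3_CERT).decode() + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, der in (("v3 with SAN", V3_CERT), ("v1 customized", V1_CERT)):
        print(name, inspect_certificate(der), problems(der) or "OK")
```

To check a real certificate, read the file saved from the browser and pass `pem_to_der(text)` (or the raw bytes of a DER file) to `problems()`; a non-empty result for the certificate served with the block page points at the certificate rather than at the FortiGate.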