Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
iyotov
Staff
Staff

Created on ‎12-28-2018 02:03 AM Edited on ‎07-28-2025 04:00 AM By Community Manager

Article Id 194161

Technical Tip: Certificate errors in Google Chrome for FortiManager and FortiAnalyzer SSL certificates

Description

 

This article describes the certificate errors in Google Chrome for the SSL certificates of FortiManager and FortiAnalyzer.

A certificate signing request is generated in FortiManager/FortiAnalyzer.
 
Scope
 
FortiManager.

The certificate is signed by a well-known trusted Certification Authority (CA) and correctly imported back to FortiManager/FortiAnalyzer. The new certificate is selected in FortiManager/FortiAnalyzer under System Settings -> Admin Settings -> HTTPS & Web Service Certificate.

Although this certificate is accepted without errors by other browsers, Google Chrome is still returning a privacy warning:
 
Aashiq_Z_0-1661268931979.png

 

Solution:
For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate. 
The certificate subject alternative name can be a domain name or an IP address.  If the certificate does not have the correct subjectAlternativeName extension, users receive a NET::ERR_CERT_COMMON_NAME_INVALID error, indicating that the connection is not secure.
 
When generating a Certificate Signing Request (CSR) in FortiManager/FortiAnalyzer, make sure to fill in the Subject Alternative Name (SAN) field using the correct syntax. 
The string should normally start with 'DNS:' (i.e., DNS:fmg.example.com), otherwise the SAN attribute will not be included in the request.
If multiple entries are required in the SAN field, they should be separated by comma+space (i.e., DNS:fmg.example.com, IP:10.11.12.13)

For example:
 

2024-10-01 17_10_55-FortiManager-VM64 — Mozilla Firefox.png

 

 
Once the CSR is generated, the user may use the tools provided by the trusted CA or various online apps provided by other CAs to verify if all attributes are in order before sending the request for signing.
 
For example, by using the Check CSR tool on the DigiCert web page at: https://www.digicert.com/ssltools/view-csr/

Or, use this CertLogik tool to see more details: https://certlogik.com/decoder/ 

 

Various local certificate management apps can also be used to verify the CSR content, like OpenSSL or XCA https://www.hohnstaedt.de/xca/

11783
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.