Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
iyotov
Staff
Staff

Created on ‎12-28-2018 02:03 AM Edited on ‎10-01-2024 09:43 PM By Community Manager

Article Id 194161

Technical Tip: Certificate errors in Google Chrome for FortiManager and FortiAnalyzer SSL certificates

Description

 

This article describes about the certificate errors in Google Chrome for the SSL certificates of FortiManager and FortiAnalyzer.

A certificate signing request is generated in FortiManager/FortiAnalyzer.

The certificate is signed by well known trusted Certification Authority (CA) and correctly imported back to FortiManager/FortiAnalyzer.

The new certificate is selected in FortiManager/FortiAnalyzer under System Settings - > Admin Settings - > HTTPS & Web Service Certificate.

Although this certificate is accepted without errors by other browsers, Google Chrome is still returning privacy warning:
 
Aashiq_Z_0-1661268931979.png

 

Solution:
For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate. 
The certificate subject alternative name can be a domain name or IP address.  If the certificate does not have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection is not private.
 
When generating a Certificate Signing Request (CSR) in FortiManager/FortiAnalyzer, make sure to fill in the Subject Alternative Name (SAN) field using the correct syntax. 
The string should normally start with 'DNS:' (i.e., DNS:fmg.example.com), otherwise the SAN attribute will not be included in the request.
If multiple entries are required in the SAN field, they should be separated by comma+space (i.e., DNS:fmg.example.com, IP:10.11.12.13)

For example:
 

2024-10-01 17_10_55-FortiManager-VM64 — Mozilla Firefox.png

 

 
Once the CSR is generated, the user may use the tools provided by the trusted CA, or various online apps provided by other CAs, to verify if all attributes are in order before sending the request for signing.
 
For example by using the Check CSR tool on the DigiCert web page at: https://www.digicert.com/ssltools/view-csr/

Or, use this CertLogik tool to see more details: https://certlogik.com/decoder/ 

Various local certificate managing apps can also be used to verify the CSR content, like OpenSSL or XCA https://www.hohnstaedt.de/xca/

11399
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.