Fortinet Forum
STOLLERXD
New Contributor II

FORTIGATE | This Connection is Invalid. SSL certificate expired.

Hello all. 

 

I have a problem with the SSL certificate on my FortiGate. Below is the design, before I explain the problem.

 

[image: network design diagram]

 

From home, I try to connect to my office switch (Cisco switch SG-250) using SSL VPN, but it's not working; I get the message below:

 

[image: browser error message]

 

I looked on the internet, and one way to resolve it is to allow invalid certificates. I did that and now it's working, but it's not secure.

I want to resolve it without allowing invalid certificates. How can I do that?

 

Debbie_FTNT
Staff

Hey Stoller,

is that certificate on the FortiGate or Cisco Switch?

The best way would probably be to replace it with a valid certificate.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
AlexC-FTNT
Staff

FortiGate includes a self-signed default certificate (which is not signed by a trusted CA and can't be verified by browsers). This means that if the FortiGate is encrypting this connection, it will not be trusted in another browser. To prevent that, you need to install a third-party certificate (not sold by Fortinet).

Some documents that may help:
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-avoid-certificate-error-message-by...
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/565000/preventing-certificate-warnings-d...


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
STOLLERXD

Thanks Alex.

Toshi_Esumi
Esteemed Contributor II

You're accessing the SG-250 (a very old switch) via the GUI (HTTPS), and its certificate expired a long time ago. The FGT is just in the middle, checking the certificates (as you configured) coming from the server (SG-250) side, and found it invalid. If you don't want to make the FGT ignore invalid certificates, your options are one of these:
1. As Alex says, get a proper certificate signed by one of the common CAs and import/install it onto the SG-250 [the best option among these]

2. Stop using GUI/HTTPS to manage the SG-250. CLI/SSH or HTTP would be the options.

3. Cisco might have an updated default cert. Ask their community.

 

Toshi
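As an added illustration (not code from this thread, from Fortinet, or from Cisco), the Go program below reproduces the check Toshi describes: a device "in the middle" validates the server certificate presented by the SG-250 and rejects it. It also shows the separate failure Alex describes for a self-signed default certificate that is in date but has no trusted issuer, and the outcome of option 1 (a certificate issued by a CA the checking device trusts). All certificates are constructed in memory with the standard library; the hostname sg250.lan, the CA name "Example Internal CA" and the 2022-03-17 check date are assumptions, not values from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

var serial int64 // increasing serial number for the constructed certificates

// makeCert builds a certificate for name with the given validity window.
// With parent == nil it is self-signed (like a device's factory certificate);
// otherwise it is issued by parent/parentKey. Every cert gets a fresh P-256 key.
func makeCert(name string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A server cert needs the hostname in the SAN and the serverAuth EKU.
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyLikeInspector does what a certificate-checking middlebox does with the
// server certificate: validity period, hostname, then a chain to a trusted root.
// It returns a short verdict instead of the raw error.
func verifyLikeInspector(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err == nil {
		return "valid"
	}
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	var hostname x509.HostnameError
	switch {
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &unknown):
		return "untrusted issuer"
	case errors.As(err, &hostname):
		return "hostname mismatch"
	}
	return "invalid: " + err.Error()
}

// runScenarios evaluates the situations discussed in the thread and returns
// scenario name -> verdict. Dates and names are constructed for the example.
func runScenarios() map[string]string {
	now := time.Date(2022, 3, 17, 0, 0, 0, 0, time.UTC) // assumed check time
	host := "sg250.lan"                                 // assumed switch hostname
	noTrust := x509.NewCertPool()                       // empty trust store (not the system roots)
	results := map[string]string{}

	// Factory certificate of an old switch: self-signed and expired years ago.
	oldLeaf, _ := makeCert(host, false, now.AddDate(-10, 0, 0), now.AddDate(-5, 0, 0), nil, nil)
	results["expired self-signed"] = verifyLikeInspector(oldLeaf, noTrust, host, now)

	// Trusting that exact certificate does not help: the validity period is checked first.
	pinned := x509.NewCertPool()
	pinned.AddCert(oldLeaf)
	results["expired but pinned"] = verifyLikeInspector(oldLeaf, pinned, host, now)

	// A default self-signed certificate that is in date but has no trusted issuer.
	freshSelf, _ := makeCert(host, false, now.AddDate(0, 0, -1), now.AddDate(1, 0, 0), nil, nil)
	results["fresh self-signed"] = verifyLikeInspector(freshSelf, noTrust, host, now)

	// Option 1: a certificate issued by a CA that the checking device trusts.
	ca, caKey := makeCert("Example Internal CA", true, now.AddDate(0, 0, -1), now.AddDate(10, 0, 0), nil, nil)
	issued, _ := makeCert(host, false, now.AddDate(0, 0, -1), now.AddDate(1, 0, 0), ca, caKey)
	trustCA := x509.NewCertPool()
	trustCA.AddCert(ca)
	results["CA-issued, CA trusted"] = verifyLikeInspector(issued, trustCA, host, now)

	// The same good certificate still fails if the browser uses a different name.
	results["CA-issued, wrong host"] = verifyLikeInspector(issued, trustCA, "other.lan", now)
	return results
}

func main() {
	results := runScenarios()
	names := make([]string, 0, len(results))
	for name := range results {
		names = append(names, name)
	}
	sort.Strings(names)
	for _, name := range names {
		fmt.Printf("%-24s -> %s\n", name, results[name])
	}
}
```

Run it with `go run`. Two points it makes concrete: an expired certificate cannot be fixed on the checking side by trusting it, which is why the thread's choices are "replace the certificate" or "stop checking"; and a CA-issued certificate only passes when the name the browser connects to is in its Subject Alternative Name, so the certificate requested for the switch has to carry the hostname (or IP) actually typed into the browser.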

STOLLERXD

Thanks so much Toshi, it's clearer now. I will try option 1 and get back to you soon.