Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bfogliano
New Contributor

Cannot secure Fortigate public IP with CA signed certificate

I have read every article on the internet on this topic and worked with Fortinet TAC for 2 days.  All of the articles say you can secure the public IP of the Fortigate by putting the public IP in the Host IP section for the common name in the CSR.  Done this, does not work.  Once the wildcard is rekeyed for the subdomain it shows the top level domain in the cert and that it is applied on the IP login but the browser still says not secure.  I have tried this with the SAN as the DNS name for the site, and it secures the DNS name for the site but not the IP.  Has anyone successfully done this and how, and why would Fortinet documentation say this can be done if it can't (this is what TAC says and would not escalate)?

AEK
SuperUser

When generating the CSR, in the "Subject Alternative Name", did you enter the IP address directly like this: "1.2.3.4", or did you add "IP:" prefix like that: "IP:1.2.3.4"?

AEK
ebilcari
Staff

If a private root CA is used to sign the CSR, then usually yes, it is possible to insert an IP as a SAN. Public root CAs will not allow you to put an IP in the SAN and will probably strip it out of the CSR while signing the certificate. This is not a limitation of the FGT but mostly of the root CA that is used.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
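As an added lab example (not from the thread or from Fortinet), this script shows both points made above: the CSR carries the SAN in the `IP:` form AEK asks about, and the signer, not the CSR, decides which SAN entries survive. A private CA profile keeps the IP; a second profile that drops it mimics what public CAs do. The CA name, hostname and RFC 5737 address are constructed values.

```shell
#!/bin/sh
# Sign a firewall-style CSR carrying a DNS and an IP SAN with a throwaway
# private CA, then inspect which SAN entries actually survive signing.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed lab values (not from the thread): RFC 5737 documentation address.
FW_IP=203.0.113.10
FW_DNS=fw.example.com

# Private root CA that will sign the request.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Lab Private CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# CSR as the firewall would produce it: CN plus DNS and IP SAN entries
# (the "IP:" prefix is the OpenSSL syntax for an IP-address SAN).
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=$FW_DNS" \
  -addext "subjectAltName=DNS:$FW_DNS,IP:$FW_IP" \
  -keyout "$WORK/fw.key" -out "$WORK/fw.csr" 2>/dev/null

# Sign the CSR with the SAN profile given in $1 and print the issued
# certificate's SAN line. The profile, not the CSR, is what gets issued.
sign_with_profile() {
  printf 'subjectAltName=%s\n' "$1" > "$WORK/ext.cnf"
  openssl x509 -req -days 30 -in "$WORK/fw.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/fw.crt" 2>/dev/null
  openssl x509 -in "$WORK/fw.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Private CA honouring the whole request: the IP survives, so a browser that
# trusts ca.crt will accept https://203.0.113.10/ without a warning.
private_ca_san() { sign_with_profile "DNS:$FW_DNS,IP:$FW_IP"; }

# Behaviour the thread attributes to public CAs: the IP entry is dropped and
# only the DNS name is certified, so the IP login page stays "not secure".
public_ca_like_san() { sign_with_profile "DNS:$FW_DNS"; }

main() {
  echo "private CA issued : $(private_ca_san)"
  echo "public-CA-like    : $(public_ca_like_san)"
}
main
```

Point a browser at the IP after importing `ca.crt` as a trusted root to confirm the first case; the second case reproduces the symptom in the original post.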
AEK

Hi Emirjon

I think it does. Unless if google is an exception.

(screenshot: gglcrt.png)

AEK
ebilcari

In this case Google is self-signing its own certificate, so the rule doesn't apply :).

There are also some exceptions for large organizations like the one shown here, but based on what I've seen, most of the time you can't get a publicly signed certificate for a public IP.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
AEK

It makes sense. Thanks Emirjon.

AEK
bfogliano
New Contributor

Ok so the agreement is that you cannot secure a public IP with a certificate on a firewall, correct?

AEK

The agreement is you can but with private CA, and "probably" not with public CA.


Edit: You can still check with your public cert provider if he can do it for you.

AEK
bfogliano
New Contributor

Believe me, I worked with GoDaddy for hours; they were of no help.

AEK

Then try to find a CA that can do it, like the one shared by Emirjon.

AEK