Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Datax_2502
New Contributor II

Certificate-warning when establishing vpn-connection with FortiClient

Hello friends,

 

does anybody know how to solve the problem of certificate-warning when using a self-signed server-certificate for the ssl-vpn on the Fortigate-firewall?

 

I use the FortiClient to establish a vpn-connection to the FortiGate-firewall.

 

I already added/imported the (self-signed) ca-certificate of the FortiGate-firewall to the trused root authorities on my pc, but this didn't solve the problem.

 

I recognized that the server-certificate was issued for the wrong hostname. The server-certificate was not issued for the hostname to which I connect when I establish the vpn-connection with FortiClient. Could this be the reason for the certificate-warning?

 

Can I issue a new self-signed ssl-certificate on the FortiGate-firewall to use it as the server-certificate (for the ssl-vpn)?

1 Solution
joef12345
New Contributor

The hostname must match what you enter in the forticlient remote gateway address. 

For everything to work correctly, you need the following:

  1. A Static IP address assigned to the fortigate. (There are some exceptions but generally speaking you should have a static address)
  2. The Static address must have a DNS name A record associated with it.
  3. You need to have an SSL certificate with the DNS name that matches the record created in step 2. You should avoid using a self-signed certificate as you would need to touch every client and create trust between the certificate and client. Rather then using a self signed cert, if you are on FW version 7.0 or later follow the directions here to create a free lets encrypt certificate.
  4. You must enter the domain registered in step to in the forticlient remote gateway address field.

View solution in original post

2 REPLIES 2
joef12345
New Contributor

The hostname must match what you enter in the forticlient remote gateway address. 

For everything to work correctly, you need the following:

  1. A Static IP address assigned to the fortigate. (There are some exceptions but generally speaking you should have a static address)
  2. The Static address must have a DNS name A record associated with it.
  3. You need to have an SSL certificate with the DNS name that matches the record created in step 2. You should avoid using a self-signed certificate as you would need to touch every client and create trust between the certificate and client. Rather then using a self signed cert, if you are on FW version 7.0 or later follow the directions here to create a free lets encrypt certificate.
  4. You must enter the domain registered in step to in the forticlient remote gateway address field.
Datax_2502

Thanks a lot for your information.

 

Now I know what to do to solve the problem of certificate-warning.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors