I'm currently leveraging my FAC as a "stand alone" CA server and used it to "sign" my FortiGate Web Admin certificates; however, last night my Chrome browser (and I assume other users') updated and now I get the following error:
This server could not prove that it is myfirewall.mydomain.com; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection
Browser Info: Google Chrome Version 58.0.3029.81 (64-bit)
Given that my Gates are not joined to the domain, they do not have a "UPN" or email address so I don't really know how to leverage SAN certificates for them.
Just checking to see if anyone else is currently experiencing this issue as well.
-TFWD
I'm guessing this is talking about the FAC's (root) Local CA Cert .. in that case I need to re-create the local CA cert and point it to the FAC UPN since it's joined to the domain?
-TFWD
Read your certificate back in via openssl and see what's present.
Examples:
openssl x509 -in <certname> -noout -text
and
openssl asn1parse -i -dump -in <certname>
Since you're leaning toward it being UPN-related, what does the openssl output show?
PCNSE
NSE
StrongSwan
Damn! Was just wondering why I was getting cert warning when accessing all of my fortinet appliances :(
The weird thing on top of that was when I try logging into something after the cert warning, I get an error. The error differs by the device I'm trying to access (FortiGates indicate that they are unable to connect to the server, and FortiManager/FortiAnalyzer indicate that I do not have permissions to the device). Was a little freaked out by this but then noticed that I was able to log in with no issues if I access the web GUI via the IP of the device rather than its FQDN... weird.
The issue here appears to be that FAC does not support creating certificates using a SAN type of DNS, only URL. Neither via the GUI nor via CSRs generated manually by OpenSSL.
I created a CSR manually following the instructions below and FAC totally ignored my SAN details.
http://apetec.com/support/GenerateSAN-CSR.htm
Can someone from Fortinet confirm this is the issue, and if/when you can release a patch to fix this, please?
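As an added example (not from any poster or from Fortinet), this script ties the two points above together: it builds a CSR whose subjectAltName carries DNS and IP entries, and then checks both the CSR and the resulting certificate for the SAN entry Chrome 58 now requires, so you can tell whether the request asked for the SAN before concluding the CA dropped it. The hostname and IP address are constructed; the self-signed certificate stands in for one issued by the FAC.

```shell
#!/bin/sh
# Added example, not from the thread: build a CSR/cert whose subjectAltName
# carries DNS and IP entries, then check a certificate for a SAN the way
# Chrome 58 does (it ignores the CN). Names and addresses are constructed.
set -e
WORK=$(mktemp -d)

# OpenSSL request config: the CN alone is no longer enough, the SAN must be
# present in the CSR (req_extensions) and copied into the issued certificate.
cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = myfirewall.mydomain.com
[ v3_req ]
subjectAltName = DNS:myfirewall.mydomain.com, IP:192.0.2.1
EOF

# has_san CERT HOST: exit 0 when CERT carries "DNS:HOST" in its SAN extension.
has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}
# csr_has_san CSR HOST: same check on a CSR, to confirm the request itself
# asked for the SAN before blaming the CA for dropping it.
csr_has_san() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# CSR with SAN, then a self-signed cert standing in for the CA-issued one.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/san.key" \
  -out "$WORK/san.csr" -config "$WORK/san.cnf" 2>/dev/null
openssl req -x509 -key "$WORK/san.key" -in "$WORK/san.csr" -days 30 \
  -out "$WORK/san.crt" -config "$WORK/san.cnf" -extensions v3_req 2>/dev/null
# CN-only certificate: what the broken issuance described in the thread yields.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/nosan.key" \
  -out "$WORK/nosan.crt" -subj "/CN=myfirewall.mydomain.com" 2>/dev/null

for c in san nosan; do
  if has_san "$WORK/$c.crt" myfirewall.mydomain.com; then
    echo "$c.crt: SAN present, browser will accept the hostname"
  else
    echo "$c.crt: no DNS SAN (Chrome reports missing_subjectAltName)"
  fi
done
```

Run the same `has_san` check against the certificate you download from the FortiGate's admin port; if it fails there but `csr_has_san` passes on your CSR, the SAN was lost at issuance.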
Well, we've pretty much established that SAN cert creation on the FAC is broken, correct? FTNT, any recommendations on this issue?
-TFWD
I was able to create a new cert today with a valid SAN field. Are you using the proper syntax? It needs to be entered like DNS:XXXXXX or IP:X.X.X.X
Edit: Sorry just noticed you were referring to FAC, I was able to generate the new cert on a FGT.
Has anybody created a support ticket on this?
I have one open with FortiTAC.
-TFWD