
FORTIGATE | This Connection is Invalid. SSL certificate expired.

Hello all. 


I have a problem with the SSL certificate on my FortiGate. Below is the design, before I explain the problem.




From home, I try to connect to my office switch (Cisco switch SG-250) using SSL VPN, but it's not working. I get the message below:




I looked on the internet, and one way to resolve that is to allow invalid certificates. I did that and now it's working, but it's not secure.

I want to resolve this without allowing invalid certificates. How can I do that?



Hey Stoller,

is that certificate on the FortiGate or Cisco Switch?

The best way would probably be to replace it with a valid certificate.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

FortiGate includes a self-signed default certificate (which is not trusted by a CA, and can't be verified by browsers). This means that if FortiGate is encrypting this connection, it will not be trusted in another browser. To prevent that, you need to install a third-party certificate (not sold by Fortinet).

Some documents that may help:

- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -

Thanks, Alex.


You're accessing the SG-250 (a very old switch) via the GUI (HTTPS), and its certificate expired a long time ago. The FGT is just in the middle, checking the certificates (as you configured) coming from the server (SG-250) side, and it found this one invalid. If you don't want to make the FGT ignore invalid certificates, your options are one of these:
1. As Alex says, get a proper certificate signed by one of the common CAs and import/install it on the SG-250 [the best option among these]

2. Stop using GUI/HTTPS to manage the SG-250. CLI/SSH or HTTP would be the options.

3. Cisco might have an updated default cert. Ask their community.
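
To see what the FortiGate is objecting to, and to confirm the result after replacing the certificate (option 1), the certificate the switch presents can be inspected from any machine that reaches its HTTPS port. This is an added example, not part of the original posts; it assumes the openssl command-line tool, and the address and file name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Needs the openssl CLI.
# Host, port and file names are placeholders chosen for illustration.

# Save the certificate the device presents, without trusting it.
# s_client completes the handshake even when the certificate is expired.
fetch_cert() {  # fetch_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Prints "ok", "expiring" (already expired, or expires within WINDOW
# seconds; WINDOW defaults to 0 = expired right now) or "unreadable".
cert_expiry() {  # cert_expiry PEMFILE [WINDOW]
    openssl x509 -in "$1" -noout >/dev/null 2>&1 ||
        { echo unreadable; return 2; }
    if openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
    then echo ok
    else echo expiring
    fi
}

# True when subject and issuer names hash the same, i.e. the certificate
# was not issued by a separate CA (typical of factory-default certs).
cert_is_self_signed() {  # cert_is_self_signed PEMFILE
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$s" = "$i" ]
}

# Human-readable summary: names, validity dates and both checks.
cert_report() {  # cert_report PEMFILE [WINDOW]
    openssl x509 -in "$1" -noout -subject -issuer -dates || return 2
    echo "expiry: $(cert_expiry "$1" "${2:-0}")"
    if cert_is_self_signed "$1"
    then echo "issuer: self-signed"
    else echo "issuer: separate CA"
    fi
}

# Usage (placeholder address; 2592000 s = 30 days of warning):
#   fetch_cert 192.0.2.10 443 switch.pem && cert_report switch.pem 2592000
```

A report showing `expiry: ok` and `issuer: separate CA` after the new certificate is installed means the certificate-inspection exception on the FortiGate is no longer needed for this device.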




Thanks so much, Toshi. It's clearer now. I will try option 1 and get back to you soon.