Support Forum
gsieg
New Contributor II

Failing PCI Due to Fortinet_CA and Fortinet_Sub_CA Certificates

The scan is coming back with failures on the following; these all relate to either the Fortinet_CA or the Fortinet_Sub_CA. I've already updated my certificate for Administration as well as my SSL VPN certificate with a valid certificate. How can I go about updating the items below? Since they appear to be Root CAs, I don't see them "attached" anywhere. When I look at Certificates in the unit they show up under Remote CA Certificates. Basically it doesn't like the length of these or the fact that they are showing as self-signed. I'm assuming if I remove these it will cause issues with other Fortinet Certificates; what is the best option to proceed?

SSL Certificate - Invalid Maximum Validity Date Detected (1003/tcp over ssl)
SSL Certificate - Signature Verification Failed Vulnerability (1003/tcp over ssl)
SSL Certificate - Invalid Maximum Validity Date Detected (1000/tcp over ssl)
SSL Certificate - Signature Verification Failed Vulnerability (1000/tcp over ssl)
SSL Certificate - Self-Signed Certificate (1003/tcp over ssl)
SSL Certificate - Self-Signed Certificate (1000/tcp over ssl)

Here are some details from the scan as well

Result
Certificate #0 emailAddress=support@fortinet.com,CN=***,OU=FortiGate,O=Fortinet,L=Sunnyvale,ST=California,C=US ISSUER:_emailAddress=support@fortinet.com,CN=fortinet-subca2001,OU=Certificate_Authority,O=Fortinet,L=Sunnyvale,ST=California,C=US is valid for more than 398 days

Result
Certificate #0 emailAddress=support@fortinet.com,CN=***,OU=FortiGate,O=Fortinet,L=Sunnyvale,ST=California,C=US ISSUER:_emailAddress=support@fortinet.com,CN=fortinet-subca2001,OU=Certificate_Authority,O=Fortinet,L=Sunnyvale,ST=California,C=US self signed certificate in certificate chain

Thanks for your help in advance!
1 Solution
gsieg
New Contributor II

I turned off the keepalive and, even though the Captive Portal was off, I changed the SSL cert on it to a non-self-signed one. Ran the scan again and I'm good now!

3 REPLIES
lgupta
Staff

Hello gsieg, Good day!
I wonder if you have already referred to the link below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Resolving-PCI-Compliance-Failure-Due-to-Fo...

Please confirm the port number on which the compliance is failing. If it is not the SSLVPN port, then this reference should help you to narrow down the issue.

Thank you!

Best regards,

-lgupta



If you feel the above steps helped to resolve the issue mark the reply as solved so that other customers can get it easily while searching on similar scenarios.
gsieg
New Contributor II

Yes, I did find that and it resolved 3 items, but these remain. One item: while I did update the SSL Cert, I did not change the admin port to 4443; I left it at 443 as I have SSL VPN on 4443. I don't think it matters, especially since that is not the port being flagged, but I figured I'd mention it as I didn't follow that document to a "T".

Port 1000 and 1003 are the ports failing.

Doing some searching specifically on the ports and not on the certificates, I'm finding that Port 1000 is used for authentication keepalives primarily and Port 1003 is used with 1000 for the Captive Portal, neither of which I am utilizing. I just disabled the Keepalive, but it doesn't appear Captive Portal is on; doing more research.
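To confirm what ports 1000 and 1003 are actually presenting before and after a change, the small shell helper below reproduces the two findings the scanner reported (validity longer than 398 days, and a self-signed certificate). It is an added illustration, not code from Fortinet or from anyone in this thread; it assumes openssl and GNU date are available, and the hostname in the example run is a placeholder.

```shell
#!/bin/sh
# Added illustration: reproduce the two scanner findings from this thread
# (valid for more than 398 days; self signed certificate) against whatever
# certificate a FortiGate port presents. Not Fortinet code.
# Assumes: openssl on PATH and GNU date (to parse openssl's date strings).

# fetch_cert HOST PORT -> prints the leaf certificate presented on HOST:PORT
# (add -showcerts to s_client to get the whole chain, then check each cert).
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509
}

# cert_validity_days FILE -> number of days between notBefore and notAfter
cert_validity_days() {
  start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2-)
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2-)
  echo $(( ($(date -u -d "$end" +%s) - $(date -u -d "$start" +%s)) / 86400 ))
}

# cert_is_self_signed FILE -> exit status 0 when subject equals issuer
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | cut -d= -f2-)
  iss=$(openssl x509 -in "$1" -noout -issuer | cut -d= -f2-)
  [ "$subj" = "$iss" ]
}

# pci_check FILE -> one line per finding, in the scanner's wording; prints
# nothing and returns 0 when the certificate would pass both checks
pci_check() {
  rc=0
  days=$(cert_validity_days "$1")
  if [ "$days" -gt 398 ]; then
    echo "FAIL: valid for more than 398 days (actual: $days)"
    rc=1
  fi
  if cert_is_self_signed "$1"; then
    echo "FAIL: self signed certificate"
    rc=1
  fi
  return $rc
}

# Example run against the two ports from this thread (hostname is a placeholder):
# for p in 1000 1003; do fetch_cert fortigate.example.net "$p" > "port$p.pem" && pci_check "port$p.pem"; done
```

A root CA in the chain will always show subject equal to issuer, so run pci_check on each certificate from -showcerts to see which one the scanner is objecting to.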
