Hi
Does anyone have experience or ideas on how to configure and process a CSR generated at the FGT and signed by the FAC for internal access, so that the web page won't show a warning and the address bar won't show "not secure"?
I did try generating a CSR on the FortiGate and signing it with the FAC. I did import the local CA from the FAC to the end-user devices. However, I still see the warning, and the address bar shows "not secure".
I would appreciate it if anyone could share ideas and the step I'm missing.
I did refer to the link below as well.
Hi @ck8882 ,
I have tested this behavior in the past, and the issue was observed in the scenarios below.
1. The CN is not matching the domain name
2. The root CA cert is not added to the trusted cert store
3. The SAN field is missing in the certificate
Could you please make sure all three are taken care of in your test?
Thanks,
Suraj
Hi srajeswaran,
I use the IP address to configure the CN and log in with the IP address as well, since it's internal access only. I also uploaded the CA cert from the FAC to Chrome and Firefox. I still see the same issue.
For the SAN, I also configured IP:192.168.10.10
It still doesn't work. Do you have any other idea what could be the reason?
Thanks
Can you confirm that you see the SAN when you open the certificate? I remember the Windows AD CA not adding the SAN (when not specified) even though the CSR is generated with a SAN.
Hi srajeswaran,
According to the document link above, I also tried not configuring the SAN value. However, whether I configure the SAN or not, the result is the same. So I would like to know: is it required to configure the SAN?
As per my testing in the past, the issue was seen when the SAN is missing, so I would recommend you fix the SAN issue and then test.
1. The CN is not matching the domain name - I believe this is taken care of
2. The root CA cert is not added to the trusted cert store - I believe this is also taken care of
3. The SAN field is missing in the certificate - Only this is remaining now
https://docs.fortinet.com/document/fortigate/7.2.0/new-features/499047/new-default-certificate-for-h... This document confirms that if the SAN is not valid the browsers will give the error as you have observed.
The CA will remove attributes if they are not valid or if there is a typo, so make sure that the Subject Alt Names are present in the downloaded cert, like this:
or from within FGT:
This article shows the format you need to put on FGT while generating the CSR: DNS:domain1.com,DNS:domain2.com,IP:a.b.c.d
Hi ebilcari,
According to the document link above, I didn't configure the SAN value. I would like to know: is it required to configure the SAN? Would it be the root cause?
Please see the configuration below.
In the FGT CSR:
Common Name (CN)
Organization (O)
Organization Unit (OU)
Email Address (emailAddress)
Yes, SAN is added as a requirement on modern browser for every web page (not related to FGT only). You will still need to add the SAN even if you have specified the same domain as the common name.
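To make the two points above concrete (the CA silently dropping a requested SAN, and browsers refusing a certificate whose SAN does not list the IP even when the CN is that IP), here is an added OpenSSL script that is not from this thread or from Fortinet. It stands up a throwaway demo CA in place of the FAC, builds a CSR the way the FGT does (CN = 192.168.10.10 plus a DNS:...,IP:... SAN), signs it both ways, and checks the results; the CA name and the hostname fgt.example.internal are assumptions made for the demo.

```shell
#!/bin/sh
set -e
# Hypothetical demo CA standing in for the FortiAuthenticator (FAC); the FGT
# address 192.168.10.10 and the DNS:...,IP:... SAN format come from the thread.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/demo.cnf"; CA_CERT="$WORK/fac-ca.pem"; CA_KEY="$WORK/fac-ca.key"
CSR="$WORK/fgt.csr"; CERT_NOSAN="$WORK/fgt-nosan.pem"; CERT_SAN="$WORK/fgt-san.pem"
FGT_IP="192.168.10.10"

cat > "$CNF" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $FGT_IP
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[san]
subjectAltName = DNS:fgt.example.internal,IP:$FGT_IP
EOF

# Self-signed demo CA (the role the FAC local CA plays in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CA_KEY" -out "$CA_CERT" \
  -config "$CNF" -extensions ca_ext -subj "/CN=Demo FAC CA" -days 2 2>/dev/null
# FGT-style CSR: the CN is the IP, and the request carries DNS and IP SAN entries.
openssl genrsa -out "$WORK/fgt.key" 2048 2>/dev/null
openssl req -new -key "$WORK/fgt.key" -config "$CNF" -reqexts san -out "$CSR"

# A CA that ignores requested extensions silently drops the SAN (x509 -req
# does this by default); the second signing copies the SAN section in.
openssl x509 -req -in "$CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
  -days 2 -out "$CERT_NOSAN" 2>/dev/null
openssl x509 -req -in "$CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
  -days 2 -extfile "$CNF" -extensions san -out "$CERT_SAN" 2>/dev/null

# SAN line of a certificate, spaces removed; empty when the extension is absent.
cert_san() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}
# Succeeds only if the cert chains to the CA and its SAN lists the IP; like
# browsers, OpenSSL never falls back to the CN when matching an IP address.
verify_ip() { openssl verify -CAfile "$CA_CERT" -verify_ip "$2" "$1" >/dev/null 2>&1; }

echo "without SAN: '$(cert_san "$CERT_NOSAN")'"
echo "with SAN:    '$(cert_san "$CERT_SAN")'"
verify_ip "$CERT_NOSAN" "$FGT_IP" && echo "no-SAN cert accepted" || echo "no-SAN cert rejected for $FGT_IP"
verify_ip "$CERT_SAN" "$FGT_IP" && echo "SAN cert accepted for $FGT_IP" || echo "SAN cert rejected"
```

Run cert_san against the certificate downloaded from your own CA: if the SAN line comes back empty, the CA stripped it and re-issuing (not re-importing the root) is the fix.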