ck8882
New Contributor II

FortiGate login webpage still shows "not secure" in the address bar

Hi,

Does anyone have experience or ideas on how to generate a CSR on the FGT and have it signed by the FAC for internal access, so that the webpage won't show a warning and the address bar won't show "not secure"?

I did try generating a CSR on the FortiGate and having it signed by the FAC. I imported the local CA from the FAC to the end-user devices. However, I still see the warning and the address bar shows "not secure".

I'd appreciate it if anyone could share ideas and the step I'm missing.

I referred to the link below as well:

https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/628126/fortiauthenticator-as-a-...

13 Replies
srajeswaran
Staff

Hi @ck8882,

I have tested this behavior in the past and the issue was observed in the scenarios below.

1. The CN is not matching the domain name
2. The root CA cert is not added to the trusted cert store
3. The SAN field is missing in the certificate

Could you please make sure all three are taken care of in your test?

Thanks,
Suraj

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
ck8882
New Contributor II

Hi srajeswaran,

I use the IP address to configure the CN and log in with the IP address as well, since it's internal access only. I also uploaded the CA cert from FAC to Chrome and Firefox. I still see the same issue.

For the SAN, I also configured IP:192.168.10.10

It still doesn't work. Do you have any other idea what the reason could be?

Thanks

srajeswaran

Can you confirm whether you see the SAN when you open the certificate? I remember the Windows AD CA not adding the SAN (when not specified) even though the CSR was generated with a SAN.

Regards,
Suraj
ck8882
New Contributor II

Hi srajeswaran,

According to the document link above, I also tried not configuring the SAN value. However, whether I configure the SAN or not, the result is the same. So I would like to know: is it required to configure the SAN?

srajeswaran

As per my testing in the past, the issue was seen when the SAN is missing, so I would recommend you fix the SAN issue and then test.

1. The CN is not matching the domain name - I believe this is taken care of
2. The root CA cert is not added to the trusted cert store - I believe this is also taken care of
3. The SAN field is missing in the certificate - Only this is remaining now

Regards,
Suraj
srajeswaran

https://docs.fortinet.com/document/fortigate/7.2.0/new-features/499047/new-default-certificate-for-h... This document confirms that if the SAN is not valid, browsers will give the error you have observed.

Regards,
Suraj
ebilcari

The CA will remove attributes if they are not valid or if there is a typo, so make sure that the Subject Alt Names are present in the downloaded cert, like this:

[screenshot: certsip.PNG]

or from within the FGT:

[screenshot: ipja.PNG]

This article shows the format you need to put in the FGT while generating the CSR: DNS:domain1.com,DNS:domain2.com,IP:a.b.c.d

[screenshot: CSR dns+ip.PNG]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
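The three checks from srajeswaran's list (CN, trusted root, SAN present) and the "CA drops the SAN" pitfall from the reply above, reproduced end to end with plain OpenSSL. This is an added example, not part of the thread and not Fortinet's tooling: it uses a throwaway CA standing in for the FAC, the GUI address 192.168.10.10 from the thread, and a made-up hostname fgt.lab.internal. It signs the same CSR twice, once the way a CA that ignores CSR extensions would, and once with the SAN carried into the issued cert, then verifies both the way a browser does (chain to the trusted root plus SAN match, with the CN ignored for IP matches).

```shell
#!/bin/sh
# Added example (not from the thread, not Fortinet's tooling): reproduce the
# CN / trusted-root / SAN checks with OpenSSL in a scratch directory,
# including the failure mode where the CA signs the CSR but drops the SAN.
# Assumptions: 192.168.10.10 is the GUI address from the thread,
# fgt.lab.internal is a made-up hostname, and a throwaway CA stands in for the FAC.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FGT_IP=192.168.10.10            # address the poster browses to
FGT_HOST=fgt.lab.internal       # assumed DNS name, not from the thread
SAN="DNS:$FGT_HOST,IP:$FGT_IP"  # same format the FGT CSR dialog expects

# Build a CA, a CSR carrying the SAN, and two leaf certs from that one CSR:
#   fgt-nosan.pem - CA ignored the CSR extensions, SAN silently lost
#   fgt-san.pem   - CA carried the SAN into the issued certificate
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Internal Test CA/O=FAC" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$FGT_IP/O=FGTSAN/OU=SAN" \
    -addext "subjectAltName=$SAN" \
    -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" 2>/dev/null

  # "openssl x509 -req" does not copy CSR extensions unless told to, which is
  # the same behaviour the replies describe for a CA that drops the SAN.
  openssl x509 -req -in "$WORK/fgt.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/fgt-nosan.pem" 2>/dev/null

  # Second signing: SAN supplied explicitly, so it lands in the issued cert.
  printf 'subjectAltName=%s\n' "$SAN" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/fgt.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/san.ext" -out "$WORK/fgt-san.pem" 2>/dev/null
}

# Check 3: is a SAN actually present in the issued cert (not just in the CSR)?
has_san() {   # usage: has_san <cert>
  openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# Checks 1+2: chains to the trusted root AND the SAN matches what was typed
# into the browser. The CN is never consulted for IP matches, so a cert with
# CN=192.168.10.10 and no SAN fails here exactly as it does in Chrome/Firefox.
check_cert_ip() {   # usage: check_cert_ip <cert> <ip>
  openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$2" "$1" >/dev/null 2>&1
}
check_cert_host() {   # usage: check_cert_host <cert> <dnsname>
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_pki
for f in fgt-nosan.pem fgt-san.pem; do
  if has_san "$WORK/$f"; then s=present; else s=MISSING; fi
  if check_cert_ip "$WORK/$f" "$FGT_IP"; then v=OK; else v=FAIL; fi
  echo "$f: SAN $s, verify for $FGT_IP $v"
done
```

Running it prints "fgt-nosan.pem: SAN MISSING, verify for 192.168.10.10 FAIL" followed by "fgt-san.pem: SAN present, verify for 192.168.10.10 OK": same CSR, same CN, same trusted root, and only the copy with the SAN verifies. The practical step for the thread is the has_san check on the certificate you actually downloaded from the FAC, before importing it on the FGT.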
ck8882
New Contributor II

Hi ebilcari,

According to the document link above, I didn't configure the SAN value. I would like to know whether it is required to configure the SAN, and whether that would be the root cause?

Please see the configuration below.

In the FGT CSR:
  Common Name (CN): x.x.x.x
  Organization (O): FGTSAN
  Organization Unit (OU): SAN
  Email Address (emailAddress):

In the FAC CA:
  Common Name (CN): FAC serial number
  Organization (O): FAC
  Organization Unit (OU): FACtest
  Email Address (emailAddress): facfgt@gmail.com
ebilcari

Yes, the SAN has been added as a requirement in modern browsers for every web page (not related to the FGT only). You will still need to add the SAN even if you have specified the same domain as the common name.

- Emirjon