Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ck8882
New Contributor II

Created on ‎10-08-2023 01:59 AM

FortiGate login wepage still show "not secure" in the address bar

HI 

 

Anyone have experience and idea how to configure and process generate CSR at FGT and sign by FAC for internal access in order the webpage won't show warning and address bar show "not secure" ?

 

I did try generate CSR in fortigate and signed by FAC. I did import the local CA from FAC to the end user devices. However, still see the warning and address bar show "not secure" 

 

Appreciate anyone could share the idea and the step i missing

 

I did refer link below as well

https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/628126/fortiauthenticator-as-a-...

 

 

 

 

Labels:
1600
0 Kudos
2 Solutions
srajeswaran
Staff
Staff
In response to ck8882

Created on ‎10-09-2023 11:23 PM

https://docs.fortinet.com/document/fortigate/7.2.0/new-features/499047/new-default-certificate-for-h... This document confirms that if the SAN is not valid the browsers will give the error as you have observed.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

View solution in original post

1411
ebilcari
Staff
Staff
In response to ck8882

Created on ‎10-10-2023 12:55 AM

Yes, SAN is added as a requirement on modern browser for every web page (not related to FGT only). You will still need to add the SAN even if you have specified the same domain as the common name.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

1396
0 Kudos
13 REPLIES 13
srajeswaran
Staff
Staff

Created on ‎10-08-2023 02:08 AM

Hi @ck8882 ,

I have tested this behavior in the past and the issue was observed in below scenarios.

 

1. The CN is not matching with the domain name
2. The root CA cert is not added to trusted cert store
3. The SAN field is missing in the certificate

Could you please make sure all the 3 are taken care in your test?

 

Thanks,

Suraj

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

1320
0 Kudos
ck8882
New Contributor II
In response to srajeswaran

Created on ‎10-08-2023 06:07 AM

HI srajeswaran,

 

I use IP address to configure the CN and login with IP address as well since it's internal access only. I also upload the CA cert from FAC to the chrome, firefox also. Still see the same issue.

 

For the SAN, i also configured IP:192.168.10.10

 

still not work. Do you have any other idea could be the reason?

 

Thanks

1298
0 Kudos
srajeswaran
Staff
Staff
In response to ck8882

Created on ‎10-08-2023 06:35 AM

Can you confirm if you see the SAN when you open the certificate? I remember the Windows AD/CA not adding the SAN (when not specified) even though the CSR is generated with SAN .

 

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

1289
0 Kudos
ck8882
New Contributor II
In response to srajeswaran

Created on ‎10-09-2023 01:05 AM

HI srajeswaran,

 

According to the document link above, i also try no configured the SAN value, However, no matter i configure SAN or no, the result is same. So would like to know is it required must configured SAN? 

1217
0 Kudos
srajeswaran
Staff
Staff
In response to ck8882

Created on ‎10-09-2023 01:07 AM

As per my testing in the past the issue has seen when SAN is missing, so I would recommend you fix the SAN issue and then test.

1. The CN is not matching with the domain name - I blve this is taken care
2. The root CA cert is not added to trusted cert store - I blve this is also taken care 
3. The SAN field is missing in the certificate - Only this is remaining now

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

1211
0 Kudos
srajeswaran
Staff
Staff
In response to ck8882

Created on ‎10-09-2023 11:23 PM

https://docs.fortinet.com/document/fortigate/7.2.0/new-features/499047/new-default-certificate-for-h... This document confirms that if the SAN is not valid the browsers will give the error as you have observed.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

1412
ebilcari
Staff
Staff
In response to ck8882

Created on ‎10-08-2023 06:46 AM Edited on ‎10-08-2023 06:47 AM

CA will remove attributes if they are not valid or if there is a typo, so make sure that Subject Alt Names are present in the downloaded cert, like this:

certsip.PNG

or from within FGT:

ipja.PNG

 

This article shows the format you need to put on FGT while generating the CSR: DNS:domain1.com,DNS:domain2.com,IP:a.b.c.d

CSR dns+ip.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1288
ck8882
New Contributor II
In response to ebilcari

Created on ‎10-09-2023 01:03 AM

HI ebilcari,

 

According to the document link above, i didn't configured the SAN value, would like to know is it required must configured SAN? would it be to root cause?

 

Please see the configuration below

 

In FGT CSR

Common Name (CN)

x.x.x.x

Organization (O)

FGTSAN

Organization Unit (OU)

SAN

Email Address (emailAddress)

 
In FAC CA
Common Name (CN)
FAC serial number
Organization (O)
FAC
Organization Unit (OU)
FACtest
Email Address (emailAddress)
facfgt@gmail.com
1226
0 Kudos
ebilcari
Staff
Staff
In response to ck8882

Created on ‎10-10-2023 12:55 AM

Yes, SAN is added as a requirement on modern browser for every web page (not related to FGT only). You will still need to add the SAN even if you have specified the same domain as the common name.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1397
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.