Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
julianhaines
New Contributor II

Microsoft certificates re-signed as untrusted

Good day,

 

I am getting a lot of Microsoft URLs being re-signed as untrusted see below, I have a FGT200F running firmware 7.

 

I have noticed that the Destination is not the same as the hostname, any thoughts as to what is happing?

 

Server certificate is re-signed as untrusted, certificate-status: untrusted.
Destination                                                                                    hostname
v10.events.data.microsoft.com                                                      uk-v20.events.data.microsoft.com
teams.events.data.microsoft.com                                                  uk-v20.events.data.microsoft.com
v10.vortex-win.data.microsoft.com                                                uk-v20.events.data.microsoft.com
sevillecloudgateway-uks-prd.trafficmanager.net                            winatp-gw-uks.microsoft.com
uk-mobile.events.data.microsoft.com                                            uk-v20.events.data.microsoft.com
eu-v10c.events.data.microsoft.com                                               eu-v10c.events.data.microsoft.com
wd-prod-cp.trafficmanager.net                                                      unitedkingdom.cp.wd.microsoft.com
atm-settingsfe-prod-geo2.trafficmanager.net                                settings-win.data.microsoft.com
onedscolprduks03.uksouth.cloudapp.azure.com                        uk-v20.events.data.microsoft.com
settings-prod-cin-1.centralindia.cloudapp.azure.com                   settings-win.data.microsoft.com
geo.prod.do.dsp.mp.microsoft.com                                              geo.prod.do.dsp.mp.microsoft.com

52.140.118.28                                                                              settings-win.data.microsoft.com
ic3.events.data.microsoft.com                                                     uk-v20.events.data.microsoft.com
browser.events.data.microsoft.com                                             uk-v20.events.data.microsoft.com
eu-mobile.events.data.microsoft.com                                          eu-v10c.events.data.microsoft.com

1 Solution
fricci_FTNT

Hi @julianhaines ,

 

In the article that I have mentioned there is the procedure:

Chrome/Internet Explorer.

 

  • From the browser, view the certificate within Windows' certificate window:
    Chrome: select  the lock icon to the left of the HTTPS URL, and then select 'Certificate'.
    Internet Explorer: select the lock icon to the right of the Address bar, and then select 'View certificates'.
  • From the Certificate window, go to the Certification Path tab.
  • Select the top-most certificate and click on View Certificate.
  • In the second Certificate window, go to the Details tab and select 'Copy to File...'.
  • Follow the Certificate Export Wizard to export the certificate to the workstation in "DER encoded binary X.509 (.CER)" format.

 

Firefox.

 

  • Select the lock icon to the left of the HTTPS URL, and then select Connection secure -> More Information.
  • Select the View Certificate button to the right.
  • Select the Details tab in the Certificate Viewer.
  • Select the top-most certificate and select 'Export...'.


The article below also might help ("Viewing a certificate" paragraph):
https://support.mozilla.org/en-US/kb/secure-website-certificate

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.

View solution in original post

4 REPLIES 4
fricci_FTNT
Staff
Staff

Hi @julianhaines ,


It seems that there are a few issues with those websites' certificates (chain broken or name mismatch), it does not look a FortiGate problem.

I have checked a couple of websites and for some of them the SSL chain of trust is broken. In that case you could import the Root CA into the FortiGate to resolve it.

For example:
https://www.sslshopper.com/ssl-checker.html#hostname=v10.events.data.microsoft.com%20
https://www.sslshopper.com/ssl-checker.html#hostname=eu-v10c.events.data.microsoft.com

https://www.ssllabs.com/ssltest/analyze.html?d=v10.events.data.microsoft.com

 

For the following there is a name mismatch (server side issue).

 

The below might help:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Untrusted-certificate-warning-in-For...

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
julianhaines

Thanks for the information, how would I know what CA's I would need and where to download?

 

Thanks

fricci_FTNT

Hi @julianhaines ,

 

In the article that I have mentioned there is the procedure:

Chrome/Internet Explorer.

 

  • From the browser, view the certificate within Windows' certificate window:
    Chrome: select  the lock icon to the left of the HTTPS URL, and then select 'Certificate'.
    Internet Explorer: select the lock icon to the right of the Address bar, and then select 'View certificates'.
  • From the Certificate window, go to the Certification Path tab.
  • Select the top-most certificate and click on View Certificate.
  • In the second Certificate window, go to the Details tab and select 'Copy to File...'.
  • Follow the Certificate Export Wizard to export the certificate to the workstation in "DER encoded binary X.509 (.CER)" format.

 

Firefox.

 

  • Select the lock icon to the left of the HTTPS URL, and then select Connection secure -> More Information.
  • Select the View Certificate button to the right.
  • Select the Details tab in the Certificate Viewer.
  • Select the top-most certificate and select 'Export...'.


The article below also might help ("Viewing a certificate" paragraph):
https://support.mozilla.org/en-US/kb/secure-website-certificate

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
jassica_green
New Contributor

Hi I recommend you should use CloudFlare for security purposes. The reason behind they provide free certificate and trusted service.

Success comes to those become success conscious.
Success comes to those become success conscious.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors