Support Forum
drClays
New Contributor

Problem with HTTPS certificate - FQDN URL shows self-signed certificate

Hi,

I have a FortiGate 100F v6.4.7 build 1911 (GA) and I tried to install a certificate from my ADCS so that I can use a secure URL via FQDN.

I applied the certificate here:

[screenshot: drClays_0-1648539855521.png]

But when I use the URL https://fortigate.domain.local I get an untrusted certificate, because I see the self-signed certificate from the FortiGate.

View from the CLI:

[screenshot: drClays_1-1648540050048.png]

View from the website:

[screenshot: drClays_2-1648540132104.png]

View of the installed certificate:

[screenshot: drClays_3-1648540230932.png]

Where do I need to make a change so that the website presents my certificate?

AlexC-FTNT
Staff

In case it is required to configure a different presented certificate, the parameter is:

    config user setting
        set auth-cert <auth-cert>
        set auth-ca-cert <auth-ca-cert>
    end

Some more details here: Technical Tip: Using secure authentication (HTTPS) on a FortiGate and redirecting the authentication...


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
drClays
New Contributor

I tried it, but it failed.

I added the root CA from my ADCS server here:

[screenshot: drClays_0-1648548607841.png]

and I tried to use set auth-ca-cert and got an error:

[screenshot: drClays_1-1648548707971.png]


AlexC-FTNT

That means it is either invalid for this purpose, or not imported correctly.
Check the same command with "?" at the end to see the available certificates:
set auth-ca-cert ?


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
drClays

That looks like this:

[screenshot: drClays_0-1648552200056.png]

The root CA is valid.

drClays

Does anyone have any ideas?

drClays
New Contributor

I added the cert via VDOM Global -> System -> Settings:

[screenshot: drClays_0-1649668525703.png]

And I do see this certificate via the FQDN, but it's untrusted:

[screenshot: drClays_1-1649668627165.png]
[screenshot: drClays_2-1649668671765.png]

Any suggestions?


AlexC-FTNT

The certificate must be signed by a CA. No certificate that is issued to a ".local" domain can be trusted. The certificate verification is done against a public CA by the browser, so any certificate that you self-signed locally is only valid locally (the browser can't verify that it is trusted by a public CA).


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
xsilver_FTNT

Actually, web browsers do validate certs against their CA store.
MSIE, Edge and Chrome on Windows use the system certificate store (certlm), or, shorter, through chrome://settings/security.

Firefox uses its own internal cert store.

Both look at who signed the cert you are trying to use, i.e. the one presented to the browser as the server cert. So the browser validates whether the server cert itself is valid, or whether it is signed by a "Trusted Root Certificate Authority" (in short, "CA"); if it is, then trust is inherently applied also to certs signed by that CA.

So you can have your own certs, issued/signed by your own CA, but then you have to add the cert of that root CA to the Trusted Root CAs in every browser you'll use. Microsoft has a shortcut for domain members, as it can be pushed to workstations via GPO (but that's a bit out of scope here).

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

pminarik

Allow me to repeat my suggestions/questions from my first reply:

1. Does this certificate contain the fortigate.xxx.local FQDN in its SAN field? This is required by modern browsers, and no screenshot so far suggests that it is present (the screenshots only show the CN, which alone is insufficient).

2. When connected to the HTTPS GUI in Chrome, open the developer tools panel (F12), then go to the Security tab; there you should see the reason why the certificate is not trusted.

[ corrections always welcome ]
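The two checks described in the last two replies (the issuing root must be in the client's trust store, and the FQDN must appear in the certificate's subjectAltName) can be reproduced offline with openssl. The script below is an added example and not part of the thread or of any Fortinet tooling: it builds a private root CA standing in for the ADCS root, issues two certificates for the assumed FQDN fortigate.domain.local (one CN-only, one with a SAN), and then applies both checks the way a current browser does. The FQDN, CA names and file names are all assumptions chosen to match the thread.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce with openssl the two checks a
# modern browser applies to the admin-GUI certificate:
#   1. the chain ends in a root the client trusts (the private root CA must be
#      present in the browser's or OS's trust store), and
#   2. the requested FQDN appears as a DNS entry in subjectAltName (the CN is
#      ignored by current Chrome/Edge/Firefox).
# FQDN, CA names and file names are assumptions chosen to match the thread.
set -e

FQDN="fortigate.domain.local"          # assumed admin-GUI FQDN from the post
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the script does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Lab Root CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_root NAME: self-signed root CA (stands in for the ADCS root in the thread)
make_root() {
  openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.pem" -days 365 2>/dev/null
}

# issue_leaf NAME EXTFILE: certificate with CN=$FQDN signed by the "ca" root,
# carrying exactly the extensions listed in EXTFILE (with or without a SAN)
issue_leaf() {
  openssl req -new -config ca.cnf -subj "/CN=$FQDN" -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 90 -extfile "$2" -out "$1.pem" 2>/dev/null
}

# chain_ok CERT CAFILE: does CERT chain to a root in CAFILE (the "trust store")?
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# has_san_dns CERT HOST: does CERT carry DNS:HOST in subjectAltName?
# (openssl's own -verify_hostname falls back to the CN, which browsers no
#  longer do, so the SAN is inspected explicitly here)
has_san_dns() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
    | grep -q "^[[:space:]]*DNS:$2[[:space:]]*$"
}

# browser_would_trust CERT CAFILE HOST: both checks must pass, as in a browser
browser_would_trust() {
  chain_ok "$1" "$2" && has_san_dns "$1" "$3"
}

make_root ca            # the CA the browser has been told to trust
make_root other-ca      # an unrelated root: simulates the ADCS root not being imported
printf 'extendedKeyUsage=serverAuth\n' > cnonly.ext
printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$FQDN" > san.ext
issue_leaf cnonly cnonly.ext   # CN only, as the screenshots in the thread show
issue_leaf san san.ext         # CN plus SAN

for c in cnonly san; do
  if browser_would_trust "$c.pem" ca.pem "$FQDN"; then
    echo "$c.pem: trusted for https://$FQDN"
  else
    echo "$c.pem: NOT trusted for https://$FQDN"
  fi
done
if ! chain_ok san.pem other-ca.pem; then
  echo "san.pem: NOT trusted when the issuing root is absent from the trust store"
fi
```

Running it shows cnonly.pem rejected although it chains to the trusted root, san.pem accepted, and san.pem rejected again once the issuing root is missing from the trust store; those are the two failure modes the thread is circling around. On the FortiGate side, the CLI counterpart of the System > Settings field used in the later post is `config system global` / `set admin-server-cert <name>` / `end`; the `config user setting` / `set auth-cert` parameters quoted earlier select the certificate for captive-portal/firewall authentication pages, not the admin GUI.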