I cannot be the first to ever deal with this issue.
Has anybody ever used a domain (sampledomain.net) and pointed it to their public facing IP address that the firewall is listening on to access the Web-VPN portal? AND.... bought an SSL Cert and applied to the Firewall? Validating a certificate by IP address is apparently extremely difficult. Unless there is a better way.
We register a subdomain to our existing domain and added a DNS record for the VPN IP to point to the new subdomain (remoteconnection.sampledomain.net). We then generated a new cert for the subdomain and installed that on the fortigate and then selected that cert in the VPN settings. If im not mistaken you can generate a new cert and add the IP as a subject alternative name.
yes, we have a public signed certificate on our Fortigate, too.
In your case we used a linux computer with openssl tools, created a private key, created a CSR (certificate signing request) and ordered with this CSR a public signed certificate at a CA (certificate authority).
Nearly all of the CAs you can order www.example.com and you get the hostname example.com in the certificates for free...
After getting the signed certificate from the CA we imported this with the private key (stilled stored on the linux-system) on the Fortigate. I used the CLI with SSH (because you can define very simple a speeking name for the certificate/key handle), my coworker use the GUI.
The now created handle you can use for all SSL related configrations within your Fortigate or vdom.
Of course you need a DNS-record (A and/or AAAA) with the ip-address of the Fortigate. For testing a line with ip-address and hostname in etc/hosts-file works as well for this one source-system.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.