Dear Fortinet Community,
We are deploying a WAF (FortiWeb) in an environment and migrating a web application behind FortiWeb. We have a dual-gateway scenario in our environment for FortiWeb; for traffic to reach its proper destination we used PBR here to route return or response traffic towards its destination.
After all configurations of virtual server, server pool, virtual IPs, server policy, and adding the servers' certificates in FortiWeb, the migrated web application works properly and does not pop up an SSL certificate error in the browser, but on the same hostname we have an Android application of the client, and it shows an SSL certificate error when we open the application. For clarification, we referenced a certificate in the Server Policy of FortiWeb for this service, and that certificate is a wildcard certificate.
Please suggest whether there are any configurations missing at our FortiWeb end, or something else.
Hello @sheerazali,
There are some cases where an Android device requires the complete certificate chain to be provided by the server (which is FortiWeb). I can see you mentioned a wildcard certificate imported into the FortiWeb server policy. Can you also import its intermediate CA, create a Certificate Intermediate Group and define it in the respective server policy?
To upload an intermediate CA’s certificate
Regards,
Shafiq
Hello @sheerazali ,
Browsers can generally ignore the certificate trust chain, and because of that you won't be faced with any error in the browser. But mobile devices do not work like this. You need to install an intermediate certificate on FortiWeb.
You can review this document on how to install intermediate certificate on FortiWeb.
Hello @ozkanaltas
Please find attached snapshots showing that the web application and the Android application have the same certificate, and that the certificate is imported and attached in the Server Policy in FortiWeb.
Web Application with Secure Connection:
Android App:
Created on 08-08-2024 06:41 AM Edited on 08-08-2024 06:45 AM
Hello @sheerazali ,
Can you check the certificate details in Chrome? Your certificates should look like this.
If your application is accessible from the internet you can test it with this website. This website will tell about SSL certificate problems.
https://www.ssllabs.com/ssltest/
And also, the TLS version and ciphers are important for mobile phones. If you use a higher TLS version like TLS 1.3, some phones don't like this. You need to optimize your cipher and TLS settings for mobile phones.
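The point made in the two replies above (the server must send the intermediate, not just the wildcard leaf) can be reproduced offline. The script below is an added example and not part of the thread or of any Fortinet documentation: it builds a constructed root CA, intermediate CA and wildcard leaf with the openssl CLI (all names, including *.example.com, are made up), then validates what a client would see when the server sends only the leaf versus the leaf plus the intermediate. The client is given only the root as a trust anchor and does no AIA fetching, which is how Android behaves; desktop browsers often fetch or cache the missing intermediate themselves, which is why the browser showed no error while the app did.

```shell
#!/bin/sh
# Added example (not from the thread): constructed PKI to show why a missing
# intermediate breaks strict clients. Requires only the openssl CLI.
set -e

WORK=$(mktemp -d)

# Build root CA -> intermediate CA -> wildcard leaf under $WORK.
build_demo_pki() {
  # Extensions for CA certificates (root and intermediate).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.ext"
  # Extensions for the end-entity wildcard certificate (the one imported into the server policy).
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.com,DNS:example.com\n' \
    > "$WORK/leaf.ext"

  # Root CA: self-signed.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA: issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

  # Wildcard leaf: issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 397 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Validate a served chain the way a strict client does.
# $1 = PEM file with the certificates the server sent, leaf first.
# The client trusts only root.pem; any certificate after the first in the file
# is treated as an untrusted intermediate, as TLS clients treat handshake extras.
# Returns 0 if the leaf chains to the root, non-zero otherwise.
verify_served_chain() {
  served="$1"
  : > "$WORK/first.pem"
  : > "$WORK/extra.pem"
  awk -v dir="$WORK" '/BEGIN CERTIFICATE/{n++}
       n==1{print > (dir "/first.pem")}
       n>=2{print > (dir "/extra.pem")}' "$served"
  if [ -s "$WORK/extra.pem" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/extra.pem" "$WORK/first.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/first.pem" >/dev/null 2>&1
  fi
}

# Demo: the misconfigured server policy (leaf only) versus the fixed one
# (leaf + intermediate group).
build_demo_pki
cat "$WORK/leaf.pem" > "$WORK/served_leaf_only.pem"
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/served_with_intermediate.pem"
printf 'leaf only:           %s\n' "$(verify_served_chain "$WORK/served_leaf_only.pem" && echo ok || echo FAIL)"
printf 'leaf + intermediate: %s\n' "$(verify_served_chain "$WORK/served_with_intermediate.pem" && echo ok || echo FAIL)"
```

To see what FortiWeb is actually sending to clients, run `openssl s_client -connect <host>:443 -servername <host> -showcerts </dev/null` against the virtual server: the handshake should carry the wildcard leaf followed by the intermediate. If only one `BEGIN CERTIFICATE` block appears, the Intermediate CA Group is not bound to the server policy, and any client without AIA fetching will reject the connection exactly as the Android app did.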
Hi @ozkanaltas
We have verified that TLSv1.2 is being used, and furthermore the web server certificate looks as you mentioned above. For your reference,
Hi Community,
We need to resolve this issue as soon as possible. If anyone has a solution, please share it.
Hi @shafiq23
Thank you for your to-the-point response. This is exactly what I was looking for. Yesterday, we successfully imported the CA certificate into the Intermediate CA Group and integrated that Intermediate CA Group into our Server Policy for one of our test environments. Testing is currently underway, and I will update the community on whether it resolved the issue.
For reference, I followed the guide from the Fortigate Community for importing CA certificates into the Intermediate Certificate Group: