sheerazali
New Contributor II

SSL Certificate Issue on Android Application

Dear Fortinet Community,

We are deploying a WAF (FortiWeb) in an environment and migrating a web application behind FortiWeb. We have a dual-gateway scenario in our environment for FortiWeb; to route traffic to its proper destination, we used PBR to route return or response traffic towards its destination.
After all configuration of the virtual server, server pool, virtual IPs, and server policy, and after adding the servers' certificates to FortiWeb, the migrated web application works properly and doesn't pop up an SSL certificate error in the browser. But on the same hostname we have the client's Android application, and it shows an SSL certificate error when we open the application. For clarification, we referenced a certificate in the FortiWeb server policy for this service, and that certificate is a wildcard certificate.
Please suggest whether there is any configuration missing at our FortiWeb end, or something else.

Sheeraz Ali
1 Solution
shafiq23

Hello @sheerazali,

There are some cases where an Android device requires the complete certificate chain to be provided by the server (which is FortiWeb). I can see you mentioned a wildcard certificate imported into the FortiWeb server policy. Can you also import its intermediate CA, create a Certificate Intermediate Group, and define it in the respective server policy?

To upload an intermediate CA's certificate:

https://docs.fortinet.com/document/fortiweb/7.4.4/administration-guide/991825/uploading-a-server-cer...

Thanks.

Regards,

Shafiq
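
A way to confirm from a workstation whether the server is sending the intermediate, as an added example that is not part of the original post: it parses the "Certificate chain" section printed by `openssl s_client -connect host:443 -servername host -showcerts`. The sample outputs and all names in them are constructed, and the check compares DN text only; it does not verify signatures.

```python
import re

# Constructed samples of the "Certificate chain" section that
# `openssl s_client -showcerts` prints. All names are placeholders.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = *.example.com
   i:C = US, O = Example Trust, CN = Example TLS Issuing CA 1
---
"""
FULL_CHAIN = """\
Certificate chain
 0 s:CN = *.example.com
   i:C = US, O = Example Trust, CN = Example TLS Issuing CA 1
 1 s:C = US, O = Example Trust, CN = Example TLS Issuing CA 1
   i:C = US, O = Example Trust, CN = Example Root CA
---
"""

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, in_chain = [], False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.startswith("---"):
            break
        elif in_chain:
            subj = re.match(r"\s*\d+ s:(.*)$", line)
            iss = re.match(r"\s*i:(.*)$", line)
            if subj:
                chain.append([subj.group(1).strip(), None])
            elif iss and chain:
                chain[-1][1] = iss.group(1).strip()
    return [tuple(c) for c in chain]

def chain_problems(s_client_output):
    """List reasons a client with no cached intermediates may reject the chain.
    Compares issuer/subject DN text only; signatures are not verified."""
    chain = parse_chain(s_client_output)
    if not chain:
        return ["no certificates presented"]
    problems = []
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            problems.append(f"issuer of '{subj}' is not the next certificate sent")
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        problems.append(f"only the leaf was sent; issuer '{chain[0][1]}' is missing")
    return problems
```

An empty list for the server's real output means each certificate is followed by its issuer; a root at the end of the chain may be omitted because clients hold it in their trust store.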


7 REPLIES
ozkanaltas
Valued Contributor III

Hello @sheerazali,

Browsers can generally ignore the certificate trust chain, and because of that, you are not faced with any error in the browser. But mobile devices do not work like this. You need to install an intermediate certificate on FortiWeb.

You can review this document on how to install an intermediate certificate on FortiWeb.

https://docs.fortinet.com/document/fortiweb/7.6.0/administration-guide/991825/uploading-a-server-cer...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
sheerazali

Hello @ozkanaltas,

Please find attached snapshots showing that the Web Application and Android Application have the same certificate; the certificate is also imported and attached in the Server Policy in FortiWeb.

Web Application with Secure Connection:
[Image: Web-App.png]

Android App:
[Image: WhatsApp Image 2024-08-06 at 10.34.23 PM.jpeg]

Sheeraz Ali
ozkanaltas
Valued Contributor III

Hello @sheerazali,

Can you check the certificate details in Chrome? Your certificates should look like this.

[Image: image.png]

If your application is accessible from the internet, you can test it with this website. This website will tell you about SSL certificate problems.

https://www.ssllabs.com/ssltest/

Also, the TLS version and ciphers are important for mobile phones. If you use a higher TLS version like TLS 1.3, some phones don't like this. You need to optimize your cipher and TLS settings for mobile phones.

sheerazali

Hi @ozkanaltas,

We have verified that TLSv1.2 is being used, and furthermore the web server certificate looks like the one you mentioned above. For your reference:

[Image: cert.png]

Sheeraz Ali
sheerazali
New Contributor II

Hi Community, 

We need to resolve this issue as soon as possible. If anyone has a solution, please share it.

Sheeraz Ali
sheerazali
New Contributor II

Hi @shafiq23,

Thank you for your to-the-point response. This is exactly what I was looking for. Yesterday, we successfully imported the CA certificate into the Intermediate CA Group and integrated that Intermediate CA Group into our Server Policy for one of our test environments. Testing is currently underway, and I will update the community on whether it resolved the issue.

For reference, I followed the guide from the Fortigate Community for importing CA certificates into the Intermediate Certificate Group:

https://community.fortinet.com/t5/FortiWeb/Technical-Tip-How-to-install-intermediate-certificates-to...

Sheeraz Ali