I hope someone is able to help me.

I'm currently having issues connecting to Fortigate 80E using SSL VPN. v6.2.3

I currently have 2 root certificates on the appliance.

CA1 - OLD root Certificate

CA2 - New Root Certificate

PKI users

User1 - CA1(old cert)

Subject - CN=username (matches the user cert CN subject on the device)

Connects fine

User2 - CA2(new cert)

Subject - CN=username(matches the user cert CN subject on the device)

Error in connection.

I recieve different errors when i connect - sometimes its more the certificate error but other times its the TLS error.

This was originally working but now fully doesnt work. If i switch the cert for the user back to the old root CA and matching subject then they can connect without issues.

Current Config:

ssl-max-proto-ver : tls1-3

ssl-min-proto-ver : tls1-1 Doing some debug on the appliance and trying to connect i managed to trace where the errors start comparing it to the working connection.

SSL state:SSLv3/TLS read client key exchange (Remote User IP) SSL state:fatal decrypt error (Remote User IP) SSL state:error:(null)(Remote User IP) SSL_accept failed, 1:bad signature

Now first its been suggested that SSLv3 is disabled however i can't see how to do that on version 6.2 or above rather than setting the SSL min / max versions which are listed above. I have also ensured that all the TLS options within IE settings are selected when testing this out.

Ideally i need to get this sorted within the next couple of weeks as the users certs are expiring from the old root.

Could anyone post any suggestions?

Thanks.