Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
strongX509
New Contributor III

Created on ‎09-12-2022 10:16 AM

Why does FortiGate send self-signed Root CA Certificate in IKEv2 CERT payload?

Irrespective whether the FortiGate server certificate is directly issued by a Root CA or by an Intermediate CA, the Root CA is always sent to the IPsec VPN client in the CERT payload of the IKE_AUTH response. This doesn't make any sense since no peer is going to trust a self-signed certificate received via an untrusted channel. Omitting the unnecessary Root CA certificate would help to reduce the number of IKEv2 fragments needed to transmit the huge IKE_AUTH response.

Labels:
1399
0 Kudos
1 REPLY 1
pminarik
Staff
Staff

Created on ‎09-14-2022 04:13 AM

Hi strongX509,

For better or worse(?), this is a consistent pattern in TLS as done by FortiGates.

You will see the same behaviour with admin GUI, SSL-VPN, captive portals, HTTPS-type server-load-balancing VIPs, ...

 

It doesn't technically break anything, which is, I assume, the reason why this has never been addressed.

[ corrections always welcome ]
1330
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.