Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

Why does FortiGate send self-signed Root CA Certificate in IKEv2 CERT payload?

Irrespective whether the FortiGate server certificate is directly issued by a Root CA or by an Intermediate CA, the Root CA is always sent to the IPsec VPN client in the CERT payload of the IKE_AUTH response. This doesn't make any sense since no peer is going to trust a self-signed certificate received via an untrusted channel. Omitting the unnecessary Root CA certificate would help to reduce the number of IKEv2 fragments needed to transmit the huge IKE_AUTH response.


Hi strongX509,

For better or worse(?), this is a consistent pattern in TLS as done by FortiGates.

You will see the same behaviour with admin GUI, SSL-VPN, captive portals, HTTPS-type server-load-balancing VIPs, ...


It doesn't technically break anything, which is, I assume, the reason why this has never been addressed.

[ corrections always welcome ]
Top Kudoed Authors