ssl-vpn certificate error - chain not returned

Hi,

Quick summary: MR5 returns the complete certificate chain when connecting over HTTPS to the ADMIN port, but MR5 returns only the primary certificate when connecting over HTTPS to the SSL-VPN port. This is a bug / issue with the code, not with the certificate or the certificate chain: the same cert is used for both the ADMIN cert and the SSL-VPN cert, so it should work for both!

I am using a FG500A with MR5 (0559).

I have installed a wildcard public (DigiCert) certificate under VPN -> Certificates -> Local Certificates using Import Certificate with the required Certificate File and Key File. Installed successfully.
I have installed the intermediary DigiCert Global CA certificate under CA Certificates.
I have installed the Entrust.net Secure Server Certification Authority under CA Certificates.

Now, after PuTTY onto the firewall, I configured the admin server certificate to use the public cert as a test:

    config global
    config system global
    set admin-server-cert starcert
    end

Now when I go to https://<FQDN of Firewall> I get the firewall login page without any certificate error. Looking at the certificate returned in IE I see the correct public cert, and when I click on the certification chain I see ALL the certs in the chain - no issues!!

Now I configure SSL-VPN to use the starcert. Then I go to https://<FQDN of Firewall>:10443/remote and I get a certificate error!! When I check the returned certificate, the CORRECT public cert has been returned!! The failure indicates I have a valid name, and the name matches the web site I am browsing, but that the certificate cannot be verified! The issue is that the CERTIFICATE CHAIN has NOT been returned; most notably the intermediate certificate has not been returned. Hence IE cannot verify the complete chain and it complains!

The SSL specification allows for the server to return not only the SSL certificate but all certificates in the chain. The FortiGate correctly returns all certificates in the chain when browsing to the admin port, but only returns the SSL certificate when browsing to the SSL-VPN port.
Of course I could just go ahead and install the DigiCert intermediate authority on my PC and the error will go away. But that defeats the purpose of the public certificate, and creating the seamless experience that I was after. Has anyone: (a) Come across this before (b) Know of a way to correct it (!) (c) Point out what I am doing wrong (?!!?) Thanks in advance, VirtualG
9 REPLIES
Not applicable

Hi, this was quite some time ago, did you manage to find an answer to this? Because I'm having the exact same problem. I'm not using the latest release of FortiOS, but before upgrading it would be nice to know if it actually fixes the problem. I've searched through all the documentation I could find and I can't find anything about intermediate certificates at all. Anyone else managed to install a Verisign certificate for VPN-SSL? And in that case how did you get the certificate chain to work?
Not applicable

Hi Jonas, Unfortunately I do not have a solution to this problem. Current OS still exhibits this behaviour. Makes a public certificate virtually worthless for SSL-VPN connectivity because you must install the 'chain' on each machine that is going to use the SSL-VPN first. You would think that Fortinet QA would have picked this one up?! Cheers, Graham.
Not applicable

Oddly enough, it works for me now, and I don't think I did anything besides wait a few hours. I'm running build0483 on a 300A. The last change I did was to extract Verisign's root certificate from IE and upload that to the FortiGate, then I also changed from the real certificate to the built-in one on the VPN-SSL configuration page, applied, and changed back. After this I tried again without success. Either I had to wait, for some unknown reason, or I forgot to close down the browsers before I tried again.
Not applicable

It seems to fail only if there is an INTERMEDIATE certificate required, and that INTERMEDIATE certificate is not trusted by your client by default. Meaning you have:

    Root CA -> Intermediate CA -> Your Certificate

Even if you upload Your Certificate (Private Key), the Intermediate CA (Public Key), and the Root CA (Public Key) to the Fortinet, the Fortinet will not return Your Certificate (Public Key) - Intermediate CA (Public Key) - Root CA (Public Key) when you browse to it using the REMOTE (SSL VPN) web page. It will return the entire chain when you browse to, say, the administration web page on the Fortinet.

The issue will be visible to the client if the certificate you use has an intermediate CA, and that intermediate CA is unknown to the client. In this situation the client will be unable to confirm the authenticity of your certificate because it will only know the Root CA and your Certificate, and cannot verify the complete chain.

It sounds like your certificate does not have an intermediate CA, hence the bug I have described does not apply to you. E.g.

    Root CA -> Your Certificate = OK
    or
    Root CA (Trusted on client) -> Intermediate CA (Trusted on client by default) -> Your Certificate = OK
    but
    Root CA (Trusted on client) -> Intermediate CA (NOT trusted on client) -> Your Certificate (Not trusted on client) = Failure when using SSL-VPN web site.

Cheers.
Not applicable

I do have an intermediate CA. Verisign started using them last year or so; the new certificates I've gotten from them have been with an intermediate. I uploaded the certificate to "Local certificates" and the intermediate and Verisign's root cert to "CA Certificates".
FortiRack_Eric
New Contributor III

This may not work, as the FG box doesn't support intermediate root CAs. You have to acquire an SSL cert that doesn't use an intermediate. Regards, Eric.

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Hi Eric, Well, the FG sort of supports intermediate certs. It does for the administration certificate (there it will correctly return all certificates in the chain to the browser), but not for the SSL-VPN web site - it will not return the intermediate certificates even though they have been uploaded to the FG :-( So, I guess, "it doesn't support" is sort of right - but it is still a bug! I am confused that Jonas seems to imply he has this working. I would suspect that his browser already has the intermediate certificate in its trusted CA or trusted intermediate certificates store on his client, hence even though the FG SSL-VPN web site does not return the intermediate certificates his computer already knows about them, hence it works - just a guess. It is interesting that many SSL certificate vendors are releasing certificates that have intermediaries now. About time FG started following the SSL standard? ;-) (I would be more than happy to be wrong about this; if someone could point out what I am doing wrong that would be great!). Cheers!
FortiRack_Eric
New Contributor III

It depends on what you call working and supporting. It all has to do with the way PKI certs work. As there is no separate tab for intermediate root certs, it is not supported. If you load the intermediate cert in your browser from which you are connecting then you may have no issue. Furthermore, more and more SSL vendors are moving away from intermediate certs. You can buy a basic SSL cert from Equifax for as little as $30-40 per year (no intermediate). Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Not applicable

Seems I spoke too soon. I don't have any complaints from the browser about the certificate, as I said earlier, but I can't get the tunnel to connect after I changed the URL to the certificate URL instead of going to the IP address. I can make it all work if I connect to the IP address; it connects fine etc., but of course it complains about the certificate not being for that URL. If I connect to the certificate URL in Firefox it will show the ActiveX plugin, but refuse to connect the tunnel. In IE it just won't load the page; it keeps loading forever.

The only thing I figured was that it might have to do with me installing the plugin from the IP address and not the URL, so I've tried uninstalling it. Since the "uninstall" button doesn't do much, I managed to find the files that got installed to Firefox and deleted them by hand. Still no go; even though I get to install the plugin anew, it still behaves the same way. Changing back and connecting to the IP, and it works.

Eric, as for FG not supporting intermediate certificates, is this something you know or just assume by the lack of a tab? I've seen quite a few firewalls/routers etc. that don't have a specific tab to load an intermediate; you get around it by joining the site certificate and intermediate into one file, or similar.
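The three situations described in the thread (the SSL-VPN port sending only the server certificate, the admin port sending server certificate plus intermediate, and a client that already has the intermediate installed) can be reproduced and checked offline. The script below is an added example, not code from the thread or from Fortinet: it builds a throwaway Root CA -> Intermediate CA -> server certificate hierarchy with the openssl CLI (all names are made up; it assumes openssl 1.1.1 or newer on PATH), then runs the same path validation a browser performs against each "served" bundle. The commented `s_client` line at the end is how you would capture what a real port sends, which is the quickest way to confirm a missing intermediate before touching the client.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the missing-intermediate symptom
# with a constructed test PKI and check served chains the way a client would.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH. All names below are made up.
set -e
WORK=$(mktemp -d)

# Extensions for the constructed hierarchy: CA certs get CA:TRUE, the server cert does not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.test\n' > "$WORK/leaf.ext"

# Root CA (self-signed)
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" -subj "/CN=Example Test Root CA" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -out "$WORK/root.pem" \
  -days 30 -extfile "$WORK/ca.ext" 2>/dev/null

# Intermediate CA, signed by the root
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" -subj "/CN=Example Test Intermediate CA" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -out "$WORK/inter.pem" -days 30 -extfile "$WORK/ca.ext" 2>/dev/null

# Server certificate, signed by the intermediate
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=vpn.example.test" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
  -out "$WORK/leaf.pem" -days 30 -extfile "$WORK/leaf.ext" 2>/dev/null

# served_chain_status BUNDLE TRUSTSTORE
#   BUNDLE     = the PEM certificates a server sent in its handshake, server cert first
#   TRUSTSTORE = the PEM certificates the client already trusts
# Prints "complete" if the client can build a path from the server cert to a trust
# anchor using only the served certificates, otherwise "incomplete".
served_chain_status() {
  openssl x509 -in "$1" -out "$1.leaf" 2>/dev/null   # first cert in a PEM bundle = server cert
  if openssl verify -no-CApath -CAfile "$2" -untrusted "$1" "$1.leaf" >/dev/null 2>&1; then
    echo complete
  else
    echo incomplete
  fi
}

# What the thread reports: the SSL-VPN port sends only the server cert,
# the admin port sends server cert + intermediate.
cat "$WORK/leaf.pem" > "$WORK/vpn_port.pem"
cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/admin_port.pem"
# A client that trusts only the root: the normal browser situation.
cp "$WORK/root.pem" "$WORK/client_root_only.pem"
# A client on which the intermediate was installed by hand (the workaround in the thread).
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/client_with_inter.pem"

echo "vpn port,   root-only client: $(served_chain_status "$WORK/vpn_port.pem"   "$WORK/client_root_only.pem")"
echo "admin port, root-only client: $(served_chain_status "$WORK/admin_port.pem" "$WORK/client_root_only.pem")"
echo "vpn port,   client has inter: $(served_chain_status "$WORK/vpn_port.pem"   "$WORK/client_with_inter.pem")"

# Against a live box, capture exactly what a port sends and run the same check
# (hostname and port are placeholders; the trust store path is the Debian/Ubuntu default):
#   openssl s_client -connect fw.example.test:10443 -showcerts </dev/null 2>/dev/null \
#     | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > vpn_port.pem
#   served_chain_status vpn_port.pem /etc/ssl/certs/ca-certificates.crt
```

The first line of output is the failure the thread describes: the server certificate is valid and the name matches, but with only the root in the trust store and no intermediate in the handshake there is no path to a trust anchor. The second line shows why the admin port works, and the third shows why a client that already holds the intermediate (Jonas's build0483 case, as Graham guessed) stops complaining even though the port still sends a bare certificate. The `admin_port.pem` bundle (server cert first, then the intermediate) is also the concatenated file Jonas refers to for devices that have no separate intermediate slot.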