Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- ssl-vpn certificate error - chain not returned
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on ‎07-07-2007 03:08 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssl-vpn certificate error - chain not returned
Hi,
Quick Summary:
MR5 returns complete certifcate chain when HTTPS to ADMIN Port
MR5 only returns the primary certifcate when HTTPS to SSL-VPN Port
Bug / Issue with code, not certifcate, or certifcate chain, same cert is used for both ADMIN-Cert and SSL-VPN Cert, so should work for both!
I am using a FG500A with MR5 (0559)
I have installed a wildcard public (digicert) certificate under VPN->Certificates->Local Certificates using Import Certifcate with required Certificate File and Key File. Installed successfully.
I have installed the intermeditary DigitCert Global CA certifcate under CA Certificates
I have installed the Entrust.net Secure Server Certification Authority under CA Certificates
Now after PUTTY onto Firewall and configured the admin server certificate to use the public cert as a test
config global
config system global
set admin-server-cert starcert
end
Now when I https://<FQDN of Firewall>
I get the firewall Login Page without any certifcate error
Looking at the Certifcate returned in IE I see the correct public cert, and when I click on certifcation chain I see ALL the certs in the chain - no issues!!
Now I configure SSL-VPN to use the starcert
Then I https://<FQDN of Firewall:10443/remote>
I get a certifcate error!!
When I check the returned certificate the CORRECT public cert has been returned!! The failure indicates I have a valid name, and the name matches the web site I am browsing but that the certificate cannot be verified!
The issue is that the CERTIFCATE CHAIN has NOT been returned, most notably the intermediate certifcate has not been returned. Hence IE cannot verify the complete chain and it complains! The SSL specificate allows for the server to return not only the SSL certifcate but all certificates in the chain.
The FortiGate correctly returns all certifcates in the chain when browsing to the admin port, but only returns the SSL certificate when browsing to the SSL-VPN port.
Of course I could just go ahead and install the DigiCert intermediate authority on my PC and the error will go away.
But that defeats the purpose of the public certificate, and creating the seamless experience that I was after.
Has anyone:
(a) Come across this before
(b) Know of a way to correct it (!)
(c) Point out what I am doing wrong (?!!?)
Thanks in advance,
VirtualG
9 REPLIES 9
Not applicable
Created on ‎10-09-2007 04:31 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
this was quite some time ago, did you manage to find an answer to this? Because I' m having the exact same problem.
I' m not using the latest release of FortiOS, but before upgrading it would be nice to know if it actually fixes the problem. I' ve searched through all the documentation I could find and I can' t find anything about intermediate certificates at all.
Anyone else managed to install a Verisign certificate for VPN-SSL? And in that case how did you get the certificate chain to work?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jonas,
Unfortunately I do not have a solution to this problem. Current OS still exhibits this behaviour.
Makes a public certificate virtually worthless for SSL-VPN connectivity because you must install the ' chain' on each machine that is going to use the SSL-VPN first.
You would think that Fortinet QA would have picked this one up?!
Cheers,
Graham.
Not applicable
Created on ‎10-09-2007 06:59 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oddly enough.. it works for me now.. and I don' t think I did anything besides wait a few hours.
I' m running build0483 on a 300A.
The last change I did was to extract Verisigns root certificate from IE and upload that to the Fortigate, then I also changed from the real certificate to the built-in on the vpn-ssl configuration page, applied, and changed back.
After this I tried again without success. Either I had to wait, for some unknown reason. Or i forgot to close down the browsers before i tried again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems to fail only if there is an INTERMEDIATE certificate required, and that INTERMEDIATE certificate is not trusted by your client by default.
Meaning you have:
Root CA -> Intermediate CA -> Your Certificate
Even if you upload Your Certificate (Private Key), the Intermediate CA (Public Key), and the Root CA (Public Key) to the Fortinet, the fortinet will not return Your Certificate (Public Key) - Intermediate CA (Public Key) - Root CA (Public Key) when you browse to it using the REMOTE (SSL VPN) web page. It will return the entire chain when you browse to say the administration web page on the fortinet.
The issue will be visible to the client if:
The certificate you use has an intermediate CA, and that intermediate CA is unknown to the client. In this situation the client will be unable to confirm the authenticity of your certificate because it will only know the Root CA, and your Certificate and cannot verify the complete chain.
It sounds like your certificate does not have an intermediate CA, hence the bug I have described does not apply to you.
e.g. Root CA -> Your Certificate = OK
or Root CA (Trusted on client) -> Intermediate CA (Trusted on client by default) -> Your Certificate = OK
but Root CA (Trusted on client) -> Intermediate CA (NOT trusted on client) -> Your Certificate (Not trusted on client) = Failure when using SSL-VPN web site.
Cheers.
Not applicable
Created on ‎10-10-2007 03:39 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do have an intermediate CA.. Verisign started using them last year or so.. the new certificates I' ve gotten from them has been with an intermediate.
I uploaded the Certificate to " Local certificates" and the intermediate and verisigns root cert to " CA Certificates" ..
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This may not work, as the FG box doesn' t support intermediate root CA' s.
You have to acquire a SSL cert that doesn' t use an intermediate.
Regards, Eric.
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Eric,
Well the FG sort of supports intermediate certs. It does for the administration certificate (there it will correctly return all certificates in the chain to the browser), but not for the SSL-VPN web site - It will not return the intermediate certificates even though they have been uploaded to the FG :-(
So, I guess, " It doesn' t support" is sort of right - but it is still a bug!
I am confused that Jonas seems to imply he has this working. I would suspect that his browser already has the intermediate certificate in its trusted CA or trusted intermediate certificates store on his client, hence even though the FG SSL-VPN web site does not return the intermediate certificates his computer already knows about them, hence it works - just a guess.
It is interesting that many SSL certificate vendors are releasing certificates that have intermediatories now. About time FG started following the SSL standard?
;-)
(I would be more than happy to be wrong about this, if someone could point out what I am doing wrong that would be great!).
Cheers!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It depends on what you call working and supporting.
It all has to do with the way PKI - certs work. As there is no seperate tab for intermediate root certs, it is not supported.
If you load the intermediate cert in your browser from which you are connecting then you may have no issue.
Furthermore more and more SSL vendors are moving away from intermediate certs. You can buy a basic ssl cert from Equifax for as little as 30-40$ per year. (No intermediate).
Cheers, Eric
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Not applicable
Created on ‎10-11-2007 06:24 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
seems i spoke too soon..
i dont have any complains from the browser about the certificate as i said earlier.. but i can' t get the tunnel to connect after i changed the url to the certificate url, instead of going to the ip-address.
i can make it all work if i connect to the ip-address, connects fine etc, but ofcourse it complains about the certificate not being for that url.
if i connect to the certificate url in firefox it will show the activex plugin, but refuse to connect the tunnel. in IE it just wont load the page, keeps loading forever.
only thing i figured was that it might have to do with me installing the plugin from the IP-address and not the url, so i' ve tried uninstalling it. since the " uninstall" button doesn' t do much, i managed to find the files that got installed to firefox and deleted them by hand. still no go, even though i get to install the plugin anew, it still behaves the same way. changing back and connecting to the IP, and it works.
Eric, as for FG not supporting intermediate certificates, is this something you know or just assume by the lack of a tab? i' ve seen quite a few firewalls/routers etc that doesn' t have a specific tab to load an intermediate, you go around it by joining the site-certificate and intermediate into one file, or similar.
Labels
-
FortiGate
10,532 -
FortiClient
2,141 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
675 -
5.4
638 -
FortiSwitch
581 -
FortiAP
558 -
FortiClient EMS
553 -
6.0
416 -
IPsec
414 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
278 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
169 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
6.4
128 -
FortiGate-VM
127 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiGateCloud
112 -
FortiToken
111 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
74 -
SAML
71 -
DNS
71 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
68 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
fortilink
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
SNMP
25 -
SSID
25 -
Static route
25 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2561 | |
| 1357 | |
| 796 | |
| 650 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.