FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
DPadula
Staff
Article Id 285204
Description

This article describes one of the possible reasons why the certificate chain seems broken even if the root certificate is installed.

If the System -> Certificate configuration page is checked, the root and local certificates show as installed, but when the certificate chain is checked with the openssl command, the chain is not complete as it should be.

Certificates installed 01.png

Make sure to have the right certificate configured under VPN -> SSL-VPN Settings:

VPN_SSL-VPN Settings.png

Check the certificate chain via the openssl command:

C:\Users\fortinet> openssl s_client -showcerts -connect lab.testlab.com.au:443
CONNECTED(000001B4)
depth=0 CN = *.testlab.com.au
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.testlab.com.au
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.testlab.com.au
verify return:1
---
Certificate chain
0 s:CN = *.testlab.com.au
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 11 00:00:00 2023 GMT; NotAfter: Oct 10 23:59:59 2024 GMT
-----BEGIN CERTIFICATE-----

Scope

FortiGate.

Solution

Restart the sslvpnd process using the fnsysctl command:

fnsysctl killall sslvpnd

Restarting sslvpnd.JPG

After that, the certificate chain should be shown as complete by the openssl command:

C:\Users\fortinet> openssl s_client -showcerts -connect lab.testlab.com.au:443
CONNECTED(000001B4)
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.testlab.com.au
verify return:1
---
Certificate chain
0 s:CN = *.testlab.com.au
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 11 00:00:00 2023 GMT; NotAfter: Oct 10 23:59:59 2024 GMT
-----BEGIN CERTIFICATE-----
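As an added illustration (not part of the article), the small Python helper below parses the two openssl s_client outputs and flags the incomplete chain automatically: an incomplete chain shows only depth=0 entries together with verify errors 20 and 21, whereas error 19 (self-signed root in chain) only means the root is not in the client's local trust store and does not indicate that the FortiGate sent a broken chain. The sample strings are constructed from the captures above, with the long subject lines shortened.

```python
import re

# Constructed sample output, trimmed from the article's "before" capture.
BROKEN = """\
CONNECTED(000001B4)
depth=0 CN = *.testlab.com.au
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.testlab.com.au
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.testlab.com.au
verify return:1
"""

# Constructed sample output, trimmed from the article's "after" capture.
FIXED = """\
CONNECTED(000001B4)
depth=3 C = GB, O = Comodo CA Limited, CN = AAA Certificate Services
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=2 C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.testlab.com.au
verify return:1
"""

# OpenSSL verify error numbers that mean the server did not present its intermediates:
# 20 = unable to get local issuer certificate, 21 = unable to verify the first certificate.
CHAIN_GAP_ERRORS = {20, 21}


def analyse_s_client(output: str) -> dict:
    """Summarise an openssl s_client session: deepest chain entry seen and verify error codes."""
    depths = [int(d) for d in re.findall(r"^depth=(\d+)", output, re.M)]
    errors = [int(n) for n in re.findall(r"^verify error:num=(\d+):", output, re.M)]
    max_depth = max(depths, default=-1)
    return {
        "max_depth": max_depth,
        "errors": errors,
        # Complete: issuers above the leaf were sent and no chain-gap errors were reported.
        "chain_complete": max_depth > 0 and not (set(errors) & CHAIN_GAP_ERRORS),
    }
```

Running `analyse_s_client(BROKEN)` reports a maximum depth of 0 with errors 20 and 21, while `analyse_s_client(FIXED)` reports depth 3 with only error 19, which is the expected result on a client that does not have the AAA Certificate Services root in its trust store.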

Related document:

OPENSSL