NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Not applicable
Article Id 206753
Description This article describes how to solve one of the cases where PA does not communicate with FortiNAC server.
Scope FortiNAC v8.8.x ,v9.1.x, v9.2.x, 9.4.x, FortiNAC-F v7.2.x.
PA 5.3.x, Persistent agent v9.4.x

In this case, indicators of this failure condition can be checked in the PA logs in the general.txt file.


The logs when the intermediate certificate is missing in FortiNAC would look like this:


2022-03-12 10:09:25 UTC :: SSL Certificate verification result: unable to get local issuer certificate
2022-03-12 10:09:25 UTC :: peer fingerprint: e8:63:0b:de:14:2a:89:b1:e5:57:9c:36:0b:c2:24:c2:94:37:73:b4


2022-03-12 10:09:25 UTC :: peer CommonName = fortinac.fortinet.lab
2022-03-12 10:09:25 UTC :: SAN: fortinac.fortinet.lab
2022-03-12 10:09:25 UTC :: Checking Peer name fortinac.fortinet.lab against Common or Subject-alternative-name entry fortinac.fortinet.lab
2022-03-12 10:09:25 UTC :: Peer name "fortinac.fortinet.lab" matches "fortinac.fortinet.lab"
2022-03-12 10:09:25 UTC :: Refusing to connect to trust_DISTRUSTED fortinac.fortinet.lab|fortinac.fortinet.lab|e8:63:0b:de:14:2a:89:b1:e5:57:9c:36:0b:c2:24:c2:94:37:73:b4
2022-03-12 10:09:25 UTC :: Connection failed! 1


In this case, root CA is installed correctly in the endpoint, and it trusts the PA server certificate but the trust chain is not completed, because of the missing intermediate certificate that comes with the server certificate.

This in the end will result in a distrusted condition and the PA connection the FortiNAC server will fail 




In this case, the solution would be to upload again the server certificate alongside the

intermediate certificate in one single step in the PA Target.


It is possible to add the intermediate certificate by simply selecting the 'Add Certificate' button. 

This will complete the certificate chain and trust will be established among end stations and the FortiNAC server.





This article is about cases when the PA server certificate obtained from a CA comes along with an intermediate certificate. To check if the certificate has an intermediate certificate, it is necessary to check the path of the certificate in the certificate details itself.



There are cases when the server certificate comes directly from the root CA without passing through intermediate CA nodes. In this case, only the server certificate needs to be uploaded in FortiNAC and the root certificate to be installed in the end stations.


Related articles :

Persistent Agent

Technical Tip: Troubleshooting the Persistent agent

Troubleshooting Tip: Windows Persistent Agent logs