Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
STOLLERXD
New Contributor II

Created on ‎03-17-2022 03:01 AM

FORTIGATE | This Connection is Invalid. SSL certificate expired.

Hello all. 

 

i've problem with my ssl certificate on my fortigate below design before explain you problem . 

 

STOLLERXD_0-1647510103713.png

 

Since home, i try to connect to my switch office (cisco switch SG-250) by using ssl vpn. but it's not working i've the message bellow 

 

STOLLERXD_1-1647510216204.png

 

i look for on internet and one way to resolve that, it to allow invalid cerfiticate. i do it and now it's working but not secure. 

I want to resolve without allow invalid certificate how can i make it. 

 

Labels:
30364
5 REPLIES 5
Debbie_FTNT
Staff
Staff

Created on ‎03-17-2022 03:29 AM

Hey Stoller,

is that certificate on the FortiGate or Cisco Switch?

The best way would probably be to replace it with a valid certificate.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
30302
AlexC-FTNT
Staff
Staff

Created on ‎03-17-2022 03:54 AM

FortiGate includes a self-signed default certificate (which is not trusted by a CA, and can't be verified by browsers). This means that if Fortigate is encrypting this connection, it will not be trusted in another browser. To prevent that, you need to install a 3rd party certificate (not sold by Fortinet).

Some documents that may help:
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-avoid-certificate-error-message-by...
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/565000/preventing-certificate-warnings-d...


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
30300
0 Kudos
STOLLERXD
New Contributor II
In response to AlexC-FTNT

Created on ‎03-20-2022 07:06 AM

thanks alex

30231
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎03-17-2022 01:08 PM Edited on ‎03-17-2022 01:09 PM

You're accessing the SG-250 (very old switch) via GUI(HTTPS) and its certificate has been expired long time ago. The FGT is just in the middle and checking the certificates (as you configured) coming from the server(SG-250) side and found it invalid. If you don't want to make FGT ignoring invalid certificates, your options are one of these:
1. As Alex says, get a proper certificate signed by one of common CAs and import/install it to the SG-250 [the best option among these]

2. Stop using GUI/HTTPS to manage the SG-250. CLI/SSH or HTTP would be the options.

3. Cisco might have an updated default cert. Ask their community.

 

Toshi

30274
STOLLERXD
New Contributor II
In response to Toshi_Esumi

Created on ‎03-20-2022 07:09 AM

thanks so much toshi. it's more clear. i will try to use option 1 and back to you soon

30230
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.