FortiClient's inability to trust the SSL certificate

What is the name of the domain?

What is the issue you’re encountering

FortiClient’s inability to trust the SSL certificate being used by the FortiGate VPN or other Fortinet systems.

What steps have you taken to resolve the issue?

None yet… Looking for possible solutions?

Problem:
SSL Certificate Warning: When users are logging in remotely, their devices are receiving warnings because the SSL certificate used by the FortiGate device isn’t trusted by their browser or operating system. This might happen with self-signed certificates or certificates issued by an untrusted certificate authority.

Managed Certificate Issue: Since you’re using a managed SSL certificate (such as one managed by a hosting provider or another service), you can’t directly access or provide the certificate to Fortinet for installation.

Possible Solutions:

  1. Obtain the Root or Intermediate CA Certificate
    If the SSL certificate is from a managed service, it’s likely that the certificate chain includes a root certificate or intermediate certificate issued by a CA. Here’s what you can do:

Ask for the CA certificate from your managed provider. While you may not have access to the SSL certificate itself, most CAs provide the root and intermediate certificates publicly (these are typically found on the CA’s website).

Provide the CA certificate to the Fortinet team. Once they install the root and/or intermediate CA certificate into their FortiGate device, the security warnings should disappear. The certificate chain will be validated correctly, and users will no longer see warnings.

  2. Configure FortiGate to Use a Trusted SSL Certificate
    If the Fortinet team has access to the certificate store on the FortiGate:

Install a trusted SSL certificate from a public certificate authority (CA). If your FortiGate is using a self-signed certificate, replacing it with a trusted SSL certificate (from a CA like Let’s Encrypt, DigiCert, or others) will solve the issue.
Request a custom certificate from the managed provider: If possible, reach out to your managed service provider and ask if they can generate a custom SSL certificate for your Fortinet setup. This way, the certificate can be installed directly on the FortiGate device without compatibility issues.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

SSL/TLS encryption
Current encryption mode:
Full

How do I obtain the Root or Intermediate CA Certificate from Cloudflare?

May I ask if you have the HTTP(S) traffic filter enabled on the FortiGate, so that it does not allow you to open a specific website?

May I ask if you have created a Cloudflare Origin CA SSL certificate for your vpn.fortigate.com hostname in the Cloudflare dashboard, imported it, and want to use it on the FortiGate?

If so, you might have to add the Cloudflare CA root certificate as well, either as a separate certificate or as a bundle.

However, I’m not quite sure what is available to you due to the FortiOS version differences.

Furthermore, you’d have to make sure the vpn.fortigate.com DNS record is proxied (orange cloud), and that the SSL/TLS setting is set to Full (Strict).

The Cloudflare Origin CA certificate which you’d like to use for HTTP(S) traffic (to access the login page of the router, etc.) would show as “untrusted” in web browsers only for unproxied (grey cloud) DNS records, since it’s actually a self-signed one.

Are you trying to use it for the FortiClient VPN client? I’d use the IP directly instead.

Otherwise, if it’s related to something else, please feel free to add additional feedback in further replies.
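To make the certificate-chain points concrete (the “obtain the root or intermediate CA certificate” steps in the opening post, and the root-certificate / bundle and “untrusted in browsers” remarks in the reply above), here is an added example that is not code from the thread, from Fortinet or from Cloudflare. It builds a throwaway private PKI with openssl (a constructed root and intermediate, plus a leaf for the vpn.fortigate.com hostname used in the thread) and then runs the three client-side situations that produce this kind of warning: the server sends only the leaf and omits its intermediate; the server sends the full chain and the client trusts the root; and the server sends the full chain but the client’s trust store does not contain that root, which is the situation for a Cloudflare Origin CA certificate, since it is issued by Cloudflare’s own Origin CA root that browsers and operating systems do not ship. The CA names, the hostname and the 30-day validity are assumptions for the demo; it needs only a local openssl binary and runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fortinet/Cloudflare.
# Builds a private chain  root CA -> intermediate CA -> leaf (vpn.fortigate.com)
# with openssl and shows which parts a client must hold or receive to trust the leaf.
# Everything here is constructed: the CA names, the 30-day validity, the hostname.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: a CA profile for root/intermediate, a plain TLS server
# profile (with SAN) for the leaf.
cat > ext.cnf <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.fortigate.com
EOF

# Key + CSR in one call. Subjects are constructed for the demo.
csr() { # csr <basename> <subject>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
}

# Root CA: self-signed. Plays the role of any CA a browser or OS does not ship
# (a private PKI root, or Cloudflare's Origin CA root).
csr root "/CN=Demo Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 30 \
  -extfile ext.cnf -extensions v3_ca -out root.pem >/dev/null 2>&1

# Intermediate CA, signed by the root. This is the certificate a server must
# send alongside its leaf, or clients cannot build the path up to the root.
csr intermediate "/CN=Demo Intermediate CA"
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ext.cnf -extensions v3_ca -out intermediate.pem >/dev/null 2>&1

# Leaf for the VPN hostname, signed by the intermediate.
csr leaf "/CN=vpn.fortigate.com"
openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key \
  -CAcreateserial -days 30 -extfile ext.cnf -extensions v3_leaf -out leaf.pem >/dev/null 2>&1

# An unrelated root: stands in for the public CAs a client already trusts.
csr other "/CN=Unrelated Public Root"
openssl x509 -req -in other.csr -signkey other.key -days 30 \
  -extfile ext.cnf -extensions v3_ca -out other.pem >/dev/null 2>&1

# Case 1: client trusts the root, but the server sends only the leaf (intermediate
# missing). openssl reports "unable to get local issuer certificate".
verify_missing_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 2: client trusts the root and the server sends leaf + intermediate. Succeeds.
verify_full_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 3: server sends the full chain, but the client's trust store lacks this root
# (a browser talking to a private-CA or Origin CA certificate). Fails no matter how
# complete the chain is; only adding the root to the client, or using a publicly
# trusted certificate, fixes this.
verify_untrusted_root() {
  openssl verify -CAfile "$WORK/other.pem" -untrusted "$WORK/intermediate.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# A "bundle" in the sense of the thread is just the PEM blocks concatenated:
# leaf first, then intermediate, then (optionally) root. Returns the count.
make_bundle() {
  cat "$WORK/leaf.pem" "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/bundle.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORK/bundle.pem"
}

# Print subject/issuer of each link so the path is visible.
show_chain() {
  for c in leaf intermediate root; do
    openssl x509 -in "$WORK/$c.pem" -noout -subject -issuer
  done
}

show_chain
verify_missing_intermediate && echo "case1: trusted" || echo "case1: FAIL (expected: intermediate missing)"
verify_full_chain && echo "case2: trusted (expected)"
verify_untrusted_root && echo "case3: trusted" || echo "case3: FAIL (expected: root not in client trust store)"
echo "certificates in bundle: $(make_bundle)"
```

Only case 2 succeeds. Case 1 is fixed on the server side by installing the intermediate next to the leaf so the FortiGate presents the whole chain; case 3 is fixed either by adding the private root to every client’s trust store or by using a certificate from a publicly trusted CA. To see what a live server actually sends, `openssl s_client -connect vpn.fortigate.com:443 -servername vpn.fortigate.com -showcerts </dev/null` prints every certificate in the handshake, and the same `openssl verify` calls can be run against those PEM blocks.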

Thank you for your quick reply.
I will get in touch with the Fortinet provider about your questions.

These are the current DNS settings.

Thank you for the feedback.

Furthermore, from the shared screenshot I can see that, if you’re trying to use the Cloudflare Origin CA certificate for your e-mail client (like Outlook), unfortunately it won’t work, since it only applies to and works with web (HTTP/HTTPS) traffic.

More about this can be read in the article below:
