FortiGate
lestopace
Staff
Article Id 198585

Description
This article describes how to fix the "Subject Alternative Name missing" certificate error that browsers raise when the FortiGate GUI is accessed over HTTPS, by generating a self-signed certificate with OpenSSL that carries a subjectAltName (SAN) extension. Modern browsers (Chrome since version 58, Firefox, Safari) match the host name only against the SAN and ignore the certificate's Common Name, so a certificate that has only a CN is rejected even when the CN is correct.

Solution
Error.
1) Go to the OpenSSL bin folder and create a file named req.cnf with the following content. The [alt_names] section is the important part: every host name that will be typed into the browser (the FQDN and, optionally, the FortiGate serial number used by the default certificate) must be listed there.
 
Note.
In this example, the bin folder is C:\Program Files\OpenSSL-Win64\bin.
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = PH
ST = Metro Manila
L = Taguig
O = Fortinet
OU = TAC
CN = lem.fortiddns.com
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = lem.fortiddns.com
DNS.2 = FG81EPTK190-----9
2) Run openssl.exe and execute the following command (the # stands for the OpenSSL prompt). It creates a 2048-bit RSA private key and a self-signed, SHA-256 certificate valid for 3650 days, taking the subject and the SAN extension from req.cnf. -nodes writes the private key unencrypted, so no password is needed when the key is imported into the FortiGate; keep the .key file private, since anyone holding it can impersonate the FortiGate GUI.
# req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout fgtcert.key -out fgtcert.pem -config req.cnf -sha256
 
Note.
Apple platforms reject TLS server certificates whose validity exceeds 825 days; lower the -days value if macOS or iOS clients will connect to the GUI.
 
3) The files are saved in C:\Program Files\OpenSSL-Win64\bin. Upload the generated files from the GUI: System -> Certificates -> Import -> Local Certificate -> Certificate, with fgtcert.pem as the certificate file and fgtcert.key as the key file (no password, because the key was written with -nodes).
 
4) Update the server certificate. Go to System -> Settings -> HTTPS Server Certificate and select the certificate uploaded in step 3. The GUI session is re-established with the new certificate; reconnect if the browser is still showing the old one.
 
5) On the Windows client, download fgtcert.cer (this is the same self-signed certificate that was uploaded in step 3; having no issuing CA, it is its own trust anchor) and install it in the Current User store under Trusted Root Certification Authorities. Once installed, the browser trusts it only for the names listed in its SAN.
 
Note.
To access the FortiGate by FQDN, the name typed into the browser must be one of the DNS entries in the certificate's SAN (lem.fortiddns.com in this example). Depending on the domain name used, update the DNS server's Forward Lookup Zones and add a New Host (A record) that resolves that name to the FortiGate management IP.
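As an added example that is not part of the Fortinet article, the following POSIX shell script carries out steps 1 and 2 and then checks the result before it is uploaded in step 3: it writes the article's req.cnf, runs the same openssl req command, confirms that the certificate really carries the DNS SANs, and confirms that it validates against itself, which is what the client will do once the certificate is installed in step 5. For contrast it also generates a CN-only certificate of the kind that triggers the error. Assumptions made here: the output directory, CN and second SAN are parameters; FGT-SERIAL-NUMBER is a constructed stand-in for the FortiGate serial number; keyUsage uses keyEncipherment instead of the article's keyAgreement (an RSA key performs no key agreement, that bit is for DH/ECDH keys); validity is 825 days instead of 3650 so macOS/iOS clients accept it. The openssl commands themselves run unchanged on the Windows build from a cmd or PowerShell prompt.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: reproduce the article's
# SAN-bearing self-signed certificate and verify it before uploading it.
# Output directory, CN and second SAN are parameters; the values used in the
# stand-alone run (lem.fortiddns.com, FGT-SERIAL-NUMBER) are constructed stand-ins.
set -eu

# Step 1: write the article's req.cnf into $1 with CN $2 and extra DNS SAN $3.
# Deviation from the article: keyEncipherment replaces keyAgreement (RSA key).
write_req_cnf() {
  dir=$1; cn=$2; alt2=$3
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = PH
ST = Metro Manila
L = Taguig
O = Fortinet
OU = TAC
CN = $cn
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $cn
DNS.2 = $alt2
EOF
}

# Step 2: the article's command. Unencrypted 2048-bit RSA key (-nodes), SHA-256,
# self-signed, extensions from req.cnf. 825 days instead of 3650 (Apple limit).
gen_san_cert() {
  dir=$1
  openssl req -x509 -nodes -days 825 -newkey rsa:2048 -sha256 \
    -keyout "$dir/fgtcert.key" -out "$dir/fgtcert.pem" \
    -config "$dir/req.cnf" 2>/dev/null
}

# The "before": a CN-only certificate with no subjectAltName, i.e. the kind of
# certificate that makes the browser report the missing-SAN error.
gen_cn_only_cert() {
  dir=$1; cn=$2
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$cn" \
    > "$dir/nosan.cnf"
  openssl req -x509 -nodes -days 825 -newkey rsa:2048 -sha256 \
    -keyout "$dir/nosan.key" -out "$dir/nosan.pem" \
    -config "$dir/nosan.cnf" 2>/dev/null
}

# Print the SAN line of certificate $1 ("DNS:a, DNS:b"); prints nothing if absent.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | sed -n -e '/Subject Alternative Name/{' -e 'n' -e 's/^ *//' -e 'p' -e '}'
}

# Succeed when certificate $1 lists $2 as a DNS SAN.
has_dns_san() {
  cert_san "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$2"
}

# Succeed when certificate $1 validates against itself, i.e. it will be trusted
# once installed as a trust anchor on the client (step 5 of the article).
self_verifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone run: build both certificates and show the SAN of each.
work=$(mktemp -d)
write_req_cnf "$work" lem.fortiddns.com FGT-SERIAL-NUMBER
gen_san_cert "$work"
gen_cn_only_cert "$work" lem.fortiddns.com
echo "with SAN (upload this one): $(cert_san "$work/fgtcert.pem")"
echo "CN only (browser rejects):  '$(cert_san "$work/nosan.pem")'"
echo "files written to $work"
```

Run it as sh fgtcert.sh; it prints the SAN line of the good certificate and an empty SAN for the CN-only one. After step 4, the live GUI can be checked the same way from any machine with OpenSSL: openssl s_client -connect lem.fortiddns.com:443 -servername lem.fortiddns.com </dev/null | openssl x509 -noout -text | grep -A1 'Subject Alternative Name' should list the names from [alt_names].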

Testing.
Browse to https://lem.fortiddns.com (a name listed in the certificate's SAN) and confirm that the browser accepts the certificate without the Subject Alternative Name error.