Administration Guide

Wrong certificate selected

As with the error described in No connection, the connection progress stops at 48% and the message Credential or SSLVPN configuration is wrong (-7200) displays.

To troubleshoot authentication errors, enable fnbamd debugs on the FortiGate:

diagnose debug enable

diagnose debug application fnbamd -1

Reconnect to the VPN and observe the debug output. If the wrong certificate is being presented, lines like the following indicate it:

[320] fnbamd_chain_build-Extend chain by system trust store. (no luck)

[352] fnbamd_chain_build-Extend chain by remote CA cache. (no luck)

Here certificate verification fails because fnbamd cannot build a chain from the presented certificate back to a trusted certificate authority (CA), using either the system trust store or the remote CA cache. This indicates one of the following:

  • The issuing CA certificate was not installed on the FortiGate.
  • The wrong client certificate is being used to connect (one issued by a CA the FortiGate does not trust).

The following output shows that the certificate subject field identifies a person, Tom Smith, rather than a host. This suggests that a user certificate is being presented instead of the expected machine certificate:

[366] peer_subject_cn_check-Cert subject 'DC = info, DC = fortiad, OU = Sales, CN = Tom Smith, emailAddress = tsmith@ztnademo.com'
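The two checks above (did chain building succeed, and does the subject look like a user rather than a machine) can be applied mechanically to a captured fnbamd debug session. The following script is an added example and is not part of the Fortinet guide or FortiOS itself: it parses constructed debug lines modelled on those quoted above and reports both findings. The "no luck" wording is taken from the page; the assumption that a success result prints something other than "no luck", and the heuristic that a machine certificate has a hostname-style CN with no spaces and no emailAddress attribute, are the author's assumptions, not FortiOS behaviour documented here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of fnbamd debug output, modelled on the lines quoted in this section.
SAMPLE_DEBUG = """\
[320] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[352] fnbamd_chain_build-Extend chain by remote CA cache. (no luck)
[366] peer_subject_cn_check-Cert subject 'DC = info, DC = fortiad, OU = Sales, CN = Tom Smith, emailAddress = tsmith@ztnademo.com'
"""

# Chain-build attempts: capture which store was tried and the parenthesised result.
# Assumption: only "no luck" is treated as failure; any other result text counts as success.
CHAIN_RE = re.compile(
    r"fnbamd_chain_build-Extend chain by (?P<store>.+?)\. \((?P<result>[^)]*)\)"
)
# Subject check: capture the quoted subject string.
SUBJECT_RE = re.compile(r"peer_subject_cn_check-Cert subject '(?P<subject>[^']*)'")


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL-style subject ('DC = info, CN = x') into ordered (attr, value) pairs.
    A list is used because attributes such as DC repeat."""
    rdns: List[Tuple[str, str]] = []
    for part in subject.split(", "):
        if " = " in part:
            attr, value = part.split(" = ", 1)
            rdns.append((attr.strip(), value.strip()))
    return rdns


def looks_like_user_cert(rdns: List[Tuple[str, str]]) -> bool:
    """Heuristic (assumption): user certificates carry an emailAddress attribute or a CN
    with spaces (a person's name); machine certificates carry a hostname-style CN."""
    has_email = any(attr == "emailAddress" for attr, _ in rdns)
    cns = [value for attr, value in rdns if attr == "CN"]
    return has_email or any(" " in cn for cn in cns)


def analyze(debug_text: str) -> Dict:
    """Scan fnbamd debug output and report chain-build failure and a suspected user cert."""
    chain_attempts: Dict[str, str] = {}
    subject = None
    for line in debug_text.splitlines():
        m = CHAIN_RE.search(line)
        if m:
            chain_attempts[m.group("store")] = m.group("result")
            continue
        m = SUBJECT_RE.search(line)
        if m:
            subject = m.group("subject")

    findings: List[str] = []
    # Chain building failed only if every store that was tried reported "no luck".
    chain_failed = bool(chain_attempts) and all(
        r == "no luck" for r in chain_attempts.values()
    )
    if chain_failed:
        findings.append(
            "no chain to CA: issuing CA not installed on FortiGate, or wrong client cert presented"
        )

    user_cert = False
    if subject is not None:
        user_cert = looks_like_user_cert(parse_subject(subject))
        if user_cert:
            findings.append(
                "subject looks like a user certificate, not a machine certificate"
            )

    return {
        "chain_failed": chain_failed,
        "stores_tried": chain_attempts,
        "subject": subject,
        "user_cert_suspected": user_cert,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in analyze(SAMPLE_DEBUG)["findings"]:
        print("-", finding)
```

Feed it the output of diagnose debug application fnbamd -1 captured during a reconnect attempt. Both findings firing at once is the pattern this section describes; a chain failure alone with a hostname-style subject points instead at a missing CA certificate on the FortiGate.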
