Adding a trusted certificate for FortiSSLVPN in NetworkManager

I needed to connect to a Fortinet SSL VPN, but the certificate on it had expired. While the official Mac client prompts and lets you connect anyway, Linux with NetworkManager (and the FortiSSLVPN plugin) would silently refuse to connect, without giving any error message. Unfortunately, I couldn't ask the administrator to renew the certificate. What you can do is add the certificate as a trusted certificate for that VPN. The interface for doing this is unclear, so I'll try to explain it here.

Run the following command to get the SHA-256 hash of the certificate, substituting the server and port your VPN uses. The pipeline fetches the remote certificate, converts it to its raw DER binary form, and hashes that.

openssl s_client -showcerts -servername server -connect server:port < /dev/null | openssl x509 -outform DER | sha256sum

These steps apply to GNOME's network settings, though the principle is the same across most NetworkManager frontends. (If you'd rather edit the raw configuration, the key is trusted-cert under vpn.data.) Go to your VPN's settings. On the Identity tab, click the Advanced button. Enter the hash into the trusted certificate text box and save. You should be able to connect now, and, like me, wonder why the interface for this is so obscure.
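The same procedure scripted end to end, as an added example rather than anything from the original post or from the NetworkManager project: it fetches the server's leaf certificate, hashes its DER form exactly as the one-liner above does, checks that the result actually looks like a SHA-256 digest before storing it (a failed fetch would otherwise hash an error message or an empty string), and then writes the value into vpn.data with nmcli instead of the GUI. The connection name and server are placeholders; the script assumes openssl, sha256sum and nmcli are installed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes openssl, sha256sum and
# nmcli are available; the connection name, host and port are placeholders.
set -eu

# Fetch the certificate the VPN server presents, as PEM. -showcerts prints the
# whole chain, but `openssl x509` keeps only the first block, i.e. the leaf.
# Redirecting /dev/null to stdin closes the session right after the handshake.
fetch_leaf_cert_pem() {
    host=$1; port=$2
    pem=$(openssl s_client -showcerts -servername "$host" -connect "$host:$port" \
            < /dev/null 2>/dev/null | openssl x509 2>/dev/null) || true
    case $pem in
        *"BEGIN CERTIFICATE"*) printf '%s\n' "$pem" ;;
        *) echo "no certificate received from $host:$port" >&2; return 1 ;;
    esac
}

# Hash the DER encoding of a PEM certificate given as the first argument.
# This is the value trusted-cert compares against: 64 lowercase hex characters.
pem_sha256() {
    tmp=$(mktemp)
    # Write the DER to a file so a failing conversion is caught instead of
    # silently hashing empty output at the end of a pipeline.
    printf '%s\n' "$1" | openssl x509 -outform DER -out "$tmp" 2>/dev/null \
        || { rm -f "$tmp"; echo "not a valid PEM certificate" >&2; return 1; }
    sha256sum "$tmp" | cut -d ' ' -f 1
    rm -f "$tmp"
}

# Refuse to store anything that is not a SHA-256 hex digest.
is_sha256_hex() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Persist the digest as the trusted-cert key of vpn.data on an existing VPN
# connection. The leading + adds or updates that one key and leaves the other
# VPN settings (gateway, user, ...) untouched.
trust_vpn_cert() {
    conn=$1; fp=$2
    is_sha256_hex "$fp" || { echo "refusing to store invalid fingerprint: $fp" >&2; return 1; }
    nmcli connection modify "$conn" +vpn.data "trusted-cert=$fp"
}

# Usage with placeholder values:  ./trust-fortivpn.sh "My VPN" vpn.example.com 443
if [ "$#" -eq 3 ]; then
    pem=$(fetch_leaf_cert_pem "$2" "$3")
    fp=$(pem_sha256 "$pem")
    echo "Leaf certificate SHA-256: $fp"
    trust_vpn_cert "$1" "$fp"
fi
```

After running it, `nmcli connection show "My VPN" | grep vpn.data` should list trusted-cert alongside the plugin's other keys; if the server's certificate is later renewed, the digest changes and the connection will fail again until the stored value is updated.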
