ZTNA certificate serial number mismatch 7.0.7
Each time that FortiClient registers to EMS, EMS provisions a new zero trust network access (ZTNA) device certificate to the endpoint. The new certificate may assign a new serial number (SN) to the endpoint. In this scenario, a browser-initiated ZTNA session may continue to use the cached ZTNA certificate key with the old SN. The SN of the FortiClient certificate on the endpoint was then incorrect and differed from the ZTNA SN that EMS displayed. Because FortiOS receives the certificate record from EMS, this mismatch caused ZTNA client certificate authentication to fail.
To resolve this issue, EMS resends the old SN to FortiClient. FortiClient checks whether this SN matches its saved SN. If the SNs match, FortiClient does not send a new certificate request. If they do not match, FortiClient sends a new certificate request to resolve the mismatch.
FortiClient and EMS retain the same ZTNA certificate as long as FortiClient is connecting and reconnecting to the same EMS server. The described mismatch occurs if FortiClient deregisters, then registers to a new EMS.
The following describes this scenario:
- The user registers FortiClient to EMS. The Windows certificate store receives the ZTNA certificate. In the Microsoft Management Console (MMC), go to Certificates - Current User > Personal > Certificates. Confirm that the ZTNA certificate displays.
- The user connects to a browser with ZTNA using a web proxy. MMC continues to display the ZTNA certificate.
- The user deregisters FortiClient from EMS. MMC continues to display the ZTNA certificate. In this scenario, the user did not close the browser, so the browser still caches the session ticket that the FortiOS access proxy sent.
- The user reregisters to EMS. EMS resends the SN to FortiClient. FortiClient attempts to match this SN with the saved SN. As these SNs match, FortiClient does not send a new certificate request. Browser sessions continue to work.
- The user deregisters FortiClient from EMS and reregisters to another EMS server. The new EMS server sends its SN to FortiClient. FortiClient attempts to match this SN with the saved SN. As these SNs do not match, FortiClient sends a new certificate request.
- The user uninstalls FortiClient from the endpoint. The uninstall removes the SN from logs and the certificate from the certificate store.
Logs have been updated for this feature to include the SN:
- In endpoint logs, the ZTNA certificate SN has been added to the FortiEsnac FCKARPLY and FCREGRPLY entries in C:\Program Files\Fortinet\FortiClient\logs\trace:
  [FortiESNAC 928 debug] REPLY=FCKARPLY: CONT|1|EMSSN|FCTEMS8822090184:WIN-H0CJAOMVVTR|UPLD_PRT|8013|KA_INTERVAL|20|LIC_FEATS|6224895|LIC_ED|1680159600|AUTH_PRD|0|SNAPTIME|0|QUAR|0|AVTR|1|AV_SIG|90.04285|SERIAL|<serial number>|EMS_ONNET|0|RUN_SRV_CMD|4096|WF_PAGE_URL|eddyfct.ems.com:10443/wfcustompages/default/webfilter_custom_pages.enc|WF_CHKSM|65bc4c8aef2d9219ff5743d91a754a0e36ac0dd2c9501cb1e30eae22225|TAGS|00000000000
  [FortiESNAC 636 debug] REPLY=FCREGRPLY: REG|0-FCTEMS8822090184:45:WIN-H0CJAOMVVTR:default:20:43230:1:8:227|AV_SIG|90.04285|AUTH_PRD|0|LIC_FEATS|6224895|LIC_ED|1680159600|SOFT_CRC|2|TOKEN|D9D8D261-2177-4539-B755-4351FE29F28C|SERIAL|<serial number>|EMS_ONNET|0|ZFGTIP|eJydkcFOwzAMhu88RdQ7TQOCTcjLXmCcxr0KiRtFSp0pcQd7e7JVE0h0HLjZv3...
- In EMS logs, the ZTNA certificate SN has been added to the FCMDaemon FCKARPLY and FCREGRPLY entries in C:\Program Files (x86)\Fortinet\FortiClientEMS\logs:
  result: CC3F3949FC6E4D91BD2399207988680A - FCREGRPLY: REG|0-FCTEMS8822090184:45:WIN-H0CJAOMVVTR:default:20:43230:1:8:227|AV_SIG|90.04285|AUTH_PRD|0|LIC_FEATS|6224895|LIC_ED|1680159600|SOFT_CRC|2|TOKEN|DD2AA1F4-5CE8-437A-953D-A133B4C28C19|SERIAL|<serial number>|EMS_ONNET|0|ZFGTIP|eJydkcFOwzAMhu88RdQ7TQOCTcjLXmCcxr0KiRtFSp0pcQd7e7JVE...
  result: CC3F3949FC6E4D91BD2399207988680A - FCKARPLY: CONT|1|EMSSN|FCTEMS8822090184:WIN-H0CJAOMVVTR|UPLD_PRT|8013|KA_INTERVAL|20|LIC_FEATS|6224895|LIC_ED|1680159600|AUTH_PRD|0|SNAPTIME|0|QUAR|0|AVTR|1|AV_SIG|90.04285|SERIAL|<serial number>|EMS_ONNET|0|RUN_SRV_CMD|4096|WF_PAGE_URL|eddyfct.ems.com:10443/wfcustompages/default/webfilter_custom_pages.enc|WF_CHKSM|65bc4c8aef2d9219ff5743d91a754a0e36ac0dd2c9501cb1e30eae22225|TAGS|00000000000|
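The following is an added example, not Fortinet code, that shows how an administrator can read the SERIAL and EMSSN fields out of the FCKARPLY and FCREGRPLY entries above from both the endpoint FortiESNAC trace and the EMS FCMDaemon log, and then apply the same comparison FortiClient makes: a new certificate request is needed only when the SN that EMS sends differs from the SN saved on the endpoint. The parsing assumes the payload after the reply type is an alternating KEY|VALUE sequence, as in the lines shown on this page; the log lines, EMS serials, hostnames and certificate SNs in the sample are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# Both the FortiESNAC trace line ("... REPLY=FCKARPLY: ...") and the FCMDaemon
# line ("result: <id> - FCKARPLY: ...") carry the same pipe-delimited payload.
REPLY_RE = re.compile(r"(FCKARPLY|FCREGRPLY):\s*(.*)$")


def parse_reply(line: str) -> Optional[Dict[str, object]]:
    """Return {"type": <reply type>, "fields": {KEY: VALUE}} or None for other lines."""
    match = REPLY_RE.search(line)
    if match is None:
        return None
    # A trailing '|' (as in the FCMDaemon FCKARPLY line) yields an empty token; drop it.
    tokens = [t for t in match.group(2).split("|") if t != ""]
    fields: Dict[str, str] = {}
    for i in range(0, len(tokens) - 1, 2):
        fields[tokens[i]] = tokens[i + 1]
    if len(tokens) % 2:  # an unpaired final key is kept as a bare flag
        fields[tokens[-1]] = ""
    return {"type": match.group(1), "fields": fields}


def needs_new_certificate(saved_sn: Optional[str], ems_sn: Optional[str]) -> bool:
    """The decision described above: request a new ZTNA certificate only on an SN mismatch."""
    return saved_sn != ems_sn


def reconcile(endpoint_line: str, ems_line: str) -> Dict[str, object]:
    """Compare the SN the endpoint saved with the SN EMS sent, and report which EMS each side names."""
    endpoint = parse_reply(endpoint_line)
    ems = parse_reply(ems_line)
    if endpoint is None or ems is None:
        raise ValueError("expected FCKARPLY or FCREGRPLY lines")
    saved_sn = endpoint["fields"].get("SERIAL")
    ems_sn = ems["fields"].get("SERIAL")
    return {
        "reply_type": ems["type"],
        # EMSSN is "<EMS serial>:<EMS hostname>"; a different value on the two sides
        # is the register-to-another-EMS case described in the scenario list.
        "endpoint_ems": endpoint["fields"].get("EMSSN"),
        "ems": ems["fields"].get("EMSSN"),
        "saved_sn": saved_sn,
        "ems_sn": ems_sn,
        "request_new_certificate": needs_new_certificate(saved_sn, ems_sn),
    }


# Constructed sample lines (placeholder serials and hostnames, not real log data).
# Case 1: the endpoint reconnects to the same EMS; SNs match, no new request.
SAME_EMS_ENDPOINT = (
    "[FortiESNAC 928 debug] REPLY=FCKARPLY: CONT|1|EMSSN|FCTEMS0000000001:EMS-A"
    "|UPLD_PRT|8013|KA_INTERVAL|20|SERIAL|SN-PLACEHOLDER-0001|EMS_ONNET|0|TAGS|00000000000"
)
SAME_EMS_SERVER = (
    "result: 00000000000000000000000000000000 - FCKARPLY: CONT|1|EMSSN|FCTEMS0000000001:EMS-A"
    "|UPLD_PRT|8013|KA_INTERVAL|20|SERIAL|SN-PLACEHOLDER-0001|EMS_ONNET|0|TAGS|00000000000|"
)
# Case 2: the endpoint registers to a different EMS; SNs differ, new request expected.
OTHER_EMS_ENDPOINT = (
    "[FortiESNAC 636 debug] REPLY=FCREGRPLY: REG|0-FCTEMS0000000001:45:EMS-A:default:20:1:1:8:1"
    "|AUTH_PRD|0|SERIAL|SN-PLACEHOLDER-0001|EMS_ONNET|0"
)
OTHER_EMS_SERVER = (
    "result: 00000000000000000000000000000000 - FCREGRPLY: REG|0-FCTEMS0000000002:45:EMS-B:default:20:1:1:8:1"
    "|AUTH_PRD|0|SERIAL|SN-PLACEHOLDER-0002|EMS_ONNET|0"
)


def audit(pairs: List[tuple]) -> List[Dict[str, object]]:
    """Reconcile each (endpoint line, EMS line) pair and return only the mismatches."""
    return [r for r in (reconcile(e, s) for e, s in pairs) if r["request_new_certificate"]]


if __name__ == "__main__":
    for result in audit([(SAME_EMS_ENDPOINT, SAME_EMS_SERVER), (OTHER_EMS_ENDPOINT, OTHER_EMS_SERVER)]):
        print(f"{result['reply_type']}: saved SN {result['saved_sn']} != EMS SN {result['ems_sn']} "
              f"(endpoint EMS {result['endpoint_ems']}, server EMS {result['ems']})")
```

Run against the real files, pull the FCKARPLY/FCREGRPLY lines from the FortiESNAC trace on the endpoint and from the FCMDaemon log on the EMS server for the same registration, and any pair that `audit` reports is a certificate that should be reissued; a pair that matches but still fails client certificate authentication points at a stale browser session rather than the provisioning step.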