Exam FCSS_LED_AR-7.6 Topic 3 Question 8 Discussion
Actual exam question for Fortinet's FCSS_LED_AR-7.6 exam
Question #: 8
Topic #: 3
Question #: 8
Topic #: 3
Refer to the exhibits.
Which include debug output and SSL VPN configuration details.
An SSL VPN has been configured on FortiGate. To enhance security, the administrator enabled Required Client Certificate in the SSL VPN settings. However, when a user attempts to connect, authentication fails.
Which configuration change is needed to fix the issue and allow the user to connect?
Which include debug output and SSL VPN configuration details.
An SSL VPN has been configured on FortiGate. To enhance security, the administrator enabled Required Client Certificate in the SSL VPN settings. However, when a user attempts to connect, authentication fails.
Which configuration change is needed to fix the issue and allow the user to connect?
Suggested Answer: D Vote an answer
The SSL-VPN configuration hasRequire Client Certificateenabled. When this is enabled, FortiOS performs two checks:
* Normal user authentication(username/password or PKI user)
* Additional client certificate check- the client certificatemust be signed by a CA that FortiGate trusts FortiOS documentation for "SSL VPN with certificate authentication" states:
* "The client certificate only needs to be signed by a known CA in order to pass authentication."
* "The CA certificate is the certificate that signed both the server certificate and the user certificate...
The CA certificate is available to be imported on the FortiGate."
The debug output shows key lines:
* __quick_check_peer-CA does not match.
* Issuer of cert depth 0 is not detected in CMDB.
This tells us:
* FortiGatedoes see the user's certificate,
* Butcannot find the issuing CAin its local CA certificate store ("CMDB" = configuration database).
This means theCA that signed the user certificate has not been importedinto FortiGate.
Now evaluate the options:
* A. Enable Redirect HTTP to SSL-VPN- affects only redirection from HTTP to HTTPS; it has nothing to do with certificate validation.
* B. Import the CA that signed the SSL VPN Server Certificate- the server certificate is already working (the portal comes up) and its CA is not what the debug complains about; the error is about the peer (user) certificate. Often the same CA signs both, but the failing check specifically says the issuer of the client cert is not in CMDB.
* C. Set the user certificate as the Server Certificate- incorrect; server and client certificates serve different roles.
* D. Import the CA that signed the user certificate to FortiGate- this directly addresses the debug error and aligns with the documented requirement that the CA which issued the user certificate must be known to FortiGate.
* Normal user authentication(username/password or PKI user)
* Additional client certificate check- the client certificatemust be signed by a CA that FortiGate trusts FortiOS documentation for "SSL VPN with certificate authentication" states:
* "The client certificate only needs to be signed by a known CA in order to pass authentication."
* "The CA certificate is the certificate that signed both the server certificate and the user certificate...
The CA certificate is available to be imported on the FortiGate."
The debug output shows key lines:
* __quick_check_peer-CA does not match.
* Issuer of cert depth 0 is not detected in CMDB.
This tells us:
* FortiGatedoes see the user's certificate,
* Butcannot find the issuing CAin its local CA certificate store ("CMDB" = configuration database).
This means theCA that signed the user certificate has not been importedinto FortiGate.
Now evaluate the options:
* A. Enable Redirect HTTP to SSL-VPN- affects only redirection from HTTP to HTTPS; it has nothing to do with certificate validation.
* B. Import the CA that signed the SSL VPN Server Certificate- the server certificate is already working (the portal comes up) and its CA is not what the debug complains about; the error is about the peer (user) certificate. Often the same CA signs both, but the failing check specifically says the issuer of the client cert is not in CMDB.
* C. Set the user certificate as the Server Certificate- incorrect; server and client certificates serve different roles.
* D. Import the CA that signed the user certificate to FortiGate- this directly addresses the debug error and aligns with the documented requirement that the CA which issued the user certificate must be known to FortiGate.
by Prima at Mar 12, 2026, 10:07 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).