Technical Tip: Resolving untrusted certificate issues with FortiGate explicit proxy

Common symptoms:

• The browser shows 'untrusted certificate'/'NET::ERR_CERT_AUTHORITY_INVALID' warnings.
• FortiGate re-signs with Fortinet_CA_Untrusted instead of a trusted CA.
• Specific sites (for example, some Entrust-issued certs, self-signed/internal servers) trigger issues.
• Logs show certificate verification failures, untrusted re-signing, or probe failures.
• In explicit proxy setups, intermittent or site-specific untrusted warnings occur despite valid profiles.

The following steps will help resolve the untrusted certificate issue with FortiGate Explicit Proxy:

• Verify that the CA chain can be established for the specific website.
• The connection to the CA server must not be blocked by the firewall.
• Ensure that the FortiGate is able to verify external CAs. If the CA chain cannot be verified, the fnbamd process may crash, causing the issue.

16373: 2026-02-18 00:53:30 <09508> [0x5587cc18bad0] => /bin/fnbamd {0x5587cb68b000} => __fnbamd_dns_maintainer at ././daemon/fnbamd/fnbamd_dns.c:60 (discriminator 2)

16374: 2026-02-18 00:53:30 <09508> [0x7f2de6461e1d] => /lib/libsysapi.so {0x7f2de609b000} => timer_callback_wrapper at ././migbase/sysapi/daemon/daemon_api.c:19

• Review the FortiGate logs for any errors related to certificate verification. The log message 'Server certificate is re-signed as untrusted, certificate-status: untrusted' indicates a certificate verification issue.
• Run the command 'get vpn certificateca'  to verify the CA certificates installed on the FortiGate.
• If the issue persists, try to import the CA certificate to the FortiGate and verify that it resolves the issue.