rqureshi
Staff
September 26, 2025

Troubleshooting Tip: FortiGate presenting the wrong Sectigo certificate in the certificate chain

Description

This article describes how to resolve an issue where FortiGate presents the wrong digital certificate when using the new Sectigo cross-signed certificate chain.

Scope

FortiGate v7.2, 7.4 (all supported builds).

Solution

Problem:

Sectigo recently began issuing certificates with a new trust chain. When these certificates are imported into the FortiGate certificate store, the device may not serve the correct intermediate certificate in the certificate chain under certain configurations.

This issue is observed specifically when:

  • The FortiGate's SSL/SSH inspection profile is configured for deep inspection in 'Protecting SSL Server' mode.
  • Policies are configured in proxy mode, and:
  • Flow-based inspection with IPS enabled is applied.

As a result, FortiGate may present an unexpected or incorrect intermediate certificate from the chain.
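A quick way to confirm the symptom from a client's point of view is to look at the chain the FortiGate actually sends and check that each certificate's issuer matches the subject of the next one. The script below is an added example, not part of the Fortinet article: it parses the "Certificate chain" section printed by `openssl s_client -showcerts` (the `s:`/`i:` lines) and reports any break in the chain. The two embedded sample chains are constructed, and the CA names in them are placeholders rather than real Sectigo certificate names; the protected server host and port are assumptions you replace with your own.

```python
import re
import subprocess

# Constructed sample in the shape of the "Certificate chain" section that
# `openssl s_client -showcerts` prints. CA names are placeholders, not real ones.
GOOD_CHAIN = """\
Certificate chain
 0 s:CN = www.example.test
   i:O = Sectigo Limited, CN = Placeholder Sectigo DV CA
 1 s:O = Sectigo Limited, CN = Placeholder Sectigo DV CA
   i:O = Placeholder Root Operator, CN = Placeholder Root CA
"""

# Constructed sample of the symptom: same leaf, but the server presented an
# intermediate from a different chain, so the leaf's issuer does not chain to it.
BAD_CHAIN = """\
Certificate chain
 0 s:CN = www.example.test
   i:O = Sectigo Limited, CN = Placeholder Sectigo DV CA
 1 s:O = Sectigo Limited, CN = Placeholder Sectigo OV CA
   i:O = Placeholder Root Operator, CN = Placeholder Root CA
"""

# " 0 s:<subject>" and "   i:<issuer>" lines; OpenSSL 3 also prints a:/v: lines, which are ignored.
_SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_LINE = re.compile(r"^\s+i:(.*)$")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server presented the certificates."""
    certs = []
    for line in text.splitlines():
        m = _SUBJECT_LINE.match(line)
        if m:
            certs.append([m.group(2).strip(), None])
            continue
        m = _ISSUER_LINE.match(line)
        if m and certs and certs[-1][1] is None:
            certs[-1][1] = m.group(1).strip()
    return [(subject, issuer) for subject, issuer in certs if issuer is not None]


def check_chain(text):
    """Return a list of problems; an empty list means every issuer matches the next subject."""
    chain = parse_chain(text)
    if not chain:
        return ["no certificates parsed"]
    problems = []
    for depth, (_subject, issuer) in enumerate(chain[:-1]):
        next_subject = chain[depth + 1][0]
        if issuer != next_subject:
            problems.append(
                f"cert {depth} issuer {issuer!r} does not match cert {depth + 1} subject {next_subject!r}"
            )
    return problems


def fetch_chain(host, port=443):
    """Run openssl s_client against the protected server (through the FortiGate) and return its output.

    Assumes the openssl binary is on PATH; host/port are placeholders for your own environment.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"]
    result = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return result.stdout.decode(errors="replace")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in fetch_chain("your-vip.example", 443)
    # to test a live server protected by the FortiGate.
    for name, sample in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        issues = check_chain(sample)
        print(name, "->", "chain links correctly" if not issues else issues)
```

On an affected FortiGate the report for the live chain looks like the `bad` sample: the leaf's issuer does not match the subject of the intermediate that was sent. Running the same check after applying the workaround (flow-based policy without IPS) or upgrading to a fixed build should yield an empty problem list.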


Workaround:

To avoid this issue, apply the following workaround: use a flow-based policy only, without IPS enabled.


Permanent fix:

The issue is tracked under engineering ticket 1197212, and the fix is available in v7.4.10:2842, v7.6.5:3620, v8.0.0:0071.