husain
New Member
August 20, 2019
Question

Root certificate not installed


Hi All

 

I face a problem with one computer in my network: the Internet is not working on many sites and shows me this message:

A root certificate for "Fortinet" is required but isn’t installed 

 

I tried with Google Chrome, Internet Explorer, and Edge, but I face the same problem in all browsers.

 

Any suggestion?

 

Thank you

    5 replies

    husain
    Author
    New Member
    August 20, 2019

    solved 

    MichaelS
    New Member
    November 29, 2022

    Do you mind sharing the fix?

    mzainuddinahm
    Staff & Editor
    November 29, 2022

    Hello MichaelS,

     

    This mostly happens when Deep Inspection is used in the firewall policy & if the Client does not recognize the certificate coming from the FortiGate. Can you elaborate more about the issue with firmware version, policy details, UTMs used etc.?

     

    Best Regards,

    Mohammed Ahmed

    bigkeoni64
    Explorer II
    September 13, 2022

    Hello - I am experiencing this same issue at 6.4.6 - can you tell us how you solved it? I have multiple people reporting this issue.

     

    Thanks...


    gfleming
    Staff
    September 13, 2022

    You need to download the root certificate from the FortiGate and install it on the endpoint's certificate store and mark it as trusted. 

     

    Ideally you install your own certificate from your own trusted PKI and do it that way.

     

    Lots of good info here:

    https://docs.fortinet.com/document/fortigate/7.0.6/administration-guide/122078/deep-inspection

     

    And here: https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/598577/ssl-tls-deep-inspection

     

    And here: https://docs.fortinet.com/document/fortigate/6.2.11/cookbook/680736/microsoft-ca-deep-packet-inspection
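
The installation step described in the reply above, written out for a Windows endpoint as an added example; it is not part of the original post or of Fortinet's documentation. Both parameter values are assumptions supplied by the administrator, and the script checks the thumbprint, validity dates and CA flag before adding the file to the machine's trusted root store.

```powershell
# Added example: verify an exported FortiGate CA certificate, then trust it machine-wide.
# Assumptions: Windows endpoint, elevated PowerShell 5+, and both parameter values
# are supplied by the administrator (no values here come from the thread).
param(
    [Parameter(Mandatory)] [string] $CertPath,            # the CA certificate file downloaded from the FortiGate
    [Parameter(Mandatory)] [string] $ExpectedThumbprint   # SHA-1 thumbprint recorded out of band
)
$ErrorActionPreference = 'Stop'

$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# 1. The file must be the certificate the administrator expects, not a look-alike.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# 2. Refuse a CA that is expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 3. Only a CA certificate (basicConstraints CA=TRUE) belongs in the Root store.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Certificate is not marked as a CA (basicConstraints)"
}

# 4. Import only if it is not already trusted, then confirm it landed.
$store = 'Cert:\LocalMachine\Root'
if (-not (Get-ChildItem $store | Where-Object Thumbprint -eq $cert.Thumbprint)) {
    Import-Certificate -FilePath $path -CertStoreLocation $store | Out-Null
}
Get-ChildItem $store | Where-Object Thumbprint -eq $cert.Thumbprint |
    Format-List Subject, Issuer, NotAfter, Thumbprint
```
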

    bigkeoni64
    Explorer II
    September 13, 2022

    Interesting, I wonder how this could have changed since my client had not done anything. All I did was an upgrade from 6.2.7 > 6.4.6 per the upgrade path.

     

    Is it possible that the Cert. could have expired?

    bigkeoni64
    Explorer II
    September 13, 2022

    I do thank you for passing on this info. Certificates are not my strong suit.

    mzainuddinahm
    Staff & Editor
    September 13, 2022

    Hello @bigkeoni64,

     

    I believe you are experiencing the issue as described here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Expiring-Let-s-Encrypt-Certificates/ta-p/198419

    Known issue in 6.4.7: https://docs.fortinet.com/document/fortigate/6.4.7/fortios-release-notes/236526/known-issues - 750551

     

    Further, a check of the website you are visiting shows expired:

    DST Root CA X3 - https://www.ssllabs.com/ssltest/analyze.html?d=corehotelsandresorts.com

     

    Kindly visit the KB & apply the provided workarounds. The issue was fixed from 6.4.8, 7.0.4 & 7.2.0

     

    Regards,

    Mohammed Ahmed

    bigkeoni64
    Explorer II
    September 13, 2022

    We will be going to 6.4.8 > 6.4.9 tonight

    It appears that going to flow-based instead of proxy-based on the policy did the trick as a workaround.

     

    Is there a reason why you wouldn't want to use flow based ALL the time?

    mzainuddinahm
    Staff & Editor
    September 14, 2022

    You may choose between flow-based & proxy-based as per your requirement. A quick glance can be done here: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/721410/about-inspection-modes