FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes that the certificate error is always present on HTTPS websites blocked by FortiGate when doing SSL inspection without having the FortiGate CA certificate imported.
The reason for that is, that when a secured website is accessed (f.e. https://www.youtube.com) the YouTube certificate guarantees that the content of the website is safe (as it is signed by a Certificate Authority that is trusted by the browser). However, when the firewall intercepts the SSL traffic to modify the content shown at https://www.youtube.com it will not be able to sign the modified content with the original CA as the firewall does not have a private key of the original CA.
Therefore, the changed content (i.e. FortiGate replacement page) needs to be signed by its own CA certificate and if the browser does not trust it, instead of the replacement page, the user will see the certificate error.
To remove the certificate error, there are two possibilities:
The user will import the FortiGate CA certificate into the browser's 'Trusted Root Certification Authorities' store.
If there is a CA certificate (including the private key) that is trusted in the network/domain (by browsers), it is possible to import it to the FortiGate and use it for the replacement messages.
The related articles below show how to import the CA certificate.
After the import to utilize this certificate for replacement page signing:
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.