FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 191051



This article describes that the certificate error is always present on HTTPS websites blocked by FortiGate when doing SSL inspection without having the FortiGate CA certificate imported. 


The reason for that is, that when a secured website is accessed (f.e. the YouTube certificate guarantees that the content of the website is safe (as it is signed by a Certificate Authority that is trusted by the browser). However, when the firewall intercepts the SSL traffic to modify the content shown at it will not be able to sign the modified content with the original CA as the firewall does not have a private key of the original CA. 


Therefore, the changed content (i.e. FortiGate replacement page) needs to be signed by its own CA certificate and if the browser does not trust it, instead of the replacement page, the user will see the certificate error.



To remove the certificate error, there are two possibilities:


  1. The user will import the FortiGate CA certificate into the browser's 'Trusted Root Certification Authorities' store.
  2. If there is a  CA certificate (including the private key) that is trusted in the network/domain (by browsers), it is possible to import it to the FortiGate and use it for the replacement messages.
The related articles below show how to import the CA certificate.
After the import to utilize this certificate for replacement page signing:
config user setting
    set auth-ca-cert <your_CA>


Related Articles:

Technical Tip: How to import the CA certificate for full SSL inspection

Technical Tip: Installing Private CA for Deep inspection