Solution
The certificate warning can be avoided with the procedure below, but only for the HTTP-to-HTTPS redirection authentication traffic. For this, use the same *.example.com wildcard certificate that is in the Local Certificate store. This example follows all the steps required to create and install a local certificate on the FortiGate unit without using CA software.
To generate a certificate request on the FortiGate unit - web-based manager:
- Go to System -> Certificates -> Local Certificates.
- Select Generate.
- In the Certificate Name field, enter 'FGT'.
Note: Do not include spaces in the certificate name. This ensures compatibility if the signed certificate is later exported as a PKCS12 file. Since the IP address is private, use the FQDN instead.
- Select Domain Name, and enter fgt.example.com.
- Enter values in the Optional Information area to further identify the FortiGate.
- Organization Unit - Support.
- Organization - Example.com.
- Locality (City) - Bangalore.
- State/Province - Karnataka.
- Country - INDIA.
- E-mail - fgt@example.com.
- From the Key Size list, select 2048 Bit or the most secure option available.
- For Enrollment Method, select File Based to generate the certificate request.
- Select OK. The request is generated and displayed in the Local Certificates list with a status of PENDING.
- Select the Download button to download the request to the management computer.
- In the File Download dialog box, select Save and save the Certificate Signing Request on the local file system of the management computer.
- Name the file and save it on the local file system of the management computer.
Note: If an IP address is used instead of an FQDN, make sure to include it in the 'Subject Alternative Name' field.
Import the SSL certificate into FortiOS and assign it to admin access:
- Go to System -> Certificates -> Local Certificates.
- Select Import -> Local Certificate and choose the certificate file.
- Select OK.
- To assign the certificate for admin access, navigate to System -> Settings -> Administration Settings -> HTTPS server certificate.
In the browser on the PC:
- Add the CA certificate to the browser.
- When accessing the FortiGate over HTTPS with the domain name (https://fgt.example.com), users get the login prompt without a certificate error.
- The certificate warning is avoided with this procedure only for the HTTP-to-HTTPS redirection authentication traffic, because the same *.example.com wildcard certificate from the Local Certificate store is used.
- When identity-based authentication is enabled and users access HTTPS sites, the FortiGate redirects them to https://fgt.example.com:1003 without a certificate warning.
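A post-install check for the steps above, added here as an example and not part of the Fortinet article: given the Subject Alternative Name entries of the installed certificate, it reports whether a browser would accept the admin GUI URL (port 443) and the authentication redirect URL (port 1003) for the name administrators and users actually type. The SAN lists and the 192.0.2.10 address are constructed sample values; the matching rules are the RFC 6125 / RFC 5280 ones browsers apply (a wildcard covers exactly one left-most label, and an IP in the URL is only matched against an iPAddress SAN entry, which is why the note above asks for the IP in the SAN field).

```python
import ipaddress

# Constructed SAN entries for the *.example.com wildcard certificate used above.
WILDCARD_SANS = [("DNS", "*.example.com")]
# Constructed SAN entries for a certificate issued to a private IP address.
IP_SANS = [("DNS", "fgt.example.com"), ("IP", "192.0.2.10")]


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; '*' covers only one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # '*.example.com' matches neither 'example.com' nor 'a.fgt.example.com'.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def cert_matches(sans, name: str) -> bool:
    """True if a browser would consider the SAN list valid for `name`."""
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None
    if addr is not None:
        # A literal IP in the URL is never matched against dNSName entries.
        return any(kind == "IP" and ipaddress.ip_address(v) == addr
                   for kind, v in sans)
    return any(kind == "DNS" and _dns_match(v, name) for kind, v in sans)


def check_admin_urls(sans, host: str, ports=(443, 1003)) -> dict:
    """Map each admin/redirect URL to whether the certificate covers it."""
    return {f"https://{host}:{p}": cert_matches(sans, host) for p in ports}


if __name__ == "__main__":
    cases = ((WILDCARD_SANS, ["fgt.example.com", "example.com", "192.0.2.10"]),
             (IP_SANS, ["192.0.2.10", "fgt.example.com"]))
    for sans, names in cases:
        for n in names:
            print(sans, "->", check_admin_urls(sans, n))
```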
Note: Starting from FortiOS v7.2.1, the FortiGate uses the Fortinet_GUI_Server certificate for HTTPS administrative access; it is generated and signed by the built-in Fortinet_CA_SSL certificate. See New default certificate for HTTPS administrative access for more information.
Additional Note: In some instances, even though the Fortinet_GUI_Server certificate has been imported into the administrator's Windows Trusted Root CA store, the FortiGate login page may still show as 'Not secure'. With Fortinet_GUI_Server as the default HTTPS GUI certificate, change it to a different certificate (for example, Fortinet_Factory) and then revert it to the original (Fortinet_GUI_Server). More information is in this article: Technical Tip: Getting 'Not Secure' warning despite importing Fortinet_GUI_Server certificate for GU....
config system global
    set admin-server-cert Fortinet_Factory
end

config system global
    set admin-server-cert Fortinet_GUI_Server
end
Related article: Technical Tip: Certificate Error in Admin Access