FortiGate
jballini (Staff)
Article Id 420384
Description This article describes how to force a specific certificate chain on both SSL VPN and SSL/SSH Inspection in FortiGate.
Scope FortiGate.
Solution

It is possible to force a specific certificate chain on both SSL VPN and SSL/SSH Inspection in FortiGate. The configuration differs for each one. These are the steps:

  1. Forcing a certificate chain for SSL VPN: when configuring the SSL VPN portal, the certificate (and with it the certificate chain) used for SSL VPN connections is selected explicitly.

Steps:

Go to System -> Certificates -> Local Certificates and make sure the certificate was imported with its full chain (leaf, intermediate, and root if the clients need it).

Go to VPN -> SSL VPN Settings.
Under Server Certificate, select the desired certificate.
The certificate must already include the full chain at import time. FortiGate does not build the chain on the fly; it serves what was imported, so a missing intermediate is not filled in later and the client will see an incomplete chain.

 

  2. Forcing a certificate chain in SSL/SSH Inspection:
    For deep inspection profiles, FortiGate uses a CA certificate to re-sign the intercepted traffic. Make sure this CA certificate is correctly chained.

Steps:
Go to System -> Certificates -> CA Certificates.
If the inspection CA certificate is issued by a non-root CA, import the intermediate and root CA certificates as well.

Go to Security Profiles -> SSL/SSH Inspection.
Edit the deep inspection profile.
Under CA Certificate, select the certificate that the FortiGate has to use for re-signing.
Again, make sure the full chain is included in the CA import (not just the issuing certificate) if the clients require chain validation; the clients must also trust the root of that chain, otherwise every re-signed site will raise a certificate warning.
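Both procedures above end with the same practitioner question: is the bundle I am about to import (or that the FortiGate is already serving) actually a complete, correctly ordered chain? The script below is an added example and is not part of this article or of FortiOS. It generates a constructed root -> intermediate -> leaf PKI with openssl so it runs offline, writes a correct bundle (leaf first, then intermediate, then root) and two wrong ones, and checks each the way a VPN client would: leaf first, every certificate followed by its issuer, and a full path validation including the hostname. The hostname vpn.example.com, the CA names and the file names are assumptions for the demo; it assumes openssl 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: build a constructed
# root -> intermediate -> leaf PKI with openssl, bundle it the way a
# FortiGate import expects (leaf first, then intermediate, then root),
# and check that a bundle really chains before importing it.
# "vpn.example.com", the CA names and the file names are assumptions.
set -e

# Generate a throwaway three-tier PKI under $1 (constructed demo data).
make_demo_pki() {
  dir=$1
  cat >"$dir/ext.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.com
EOF
  # Self-signed root CA.
  openssl req -x509 -config "$dir/ext.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # Intermediate (issuing) CA signed by the root.
  openssl req -new -config "$dir/ext.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Issuing CA" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$dir/ext.cnf" -extensions v3_ca \
    -out "$dir/inter.crt" 2>/dev/null
  # Server (leaf) certificate for the SSL VPN hostname, signed by the intermediate.
  openssl req -new -config "$dir/ext.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=vpn.example.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/ext.cnf" -extensions v3_leaf \
    -out "$dir/leaf.crt" 2>/dev/null
  # Correct import bundle (what FortiGate should serve) and two wrong ones.
  cat "$dir/leaf.crt" "$dir/inter.crt" "$dir/root.crt" >"$dir/fullchain.pem"
  cp "$dir/leaf.crt" "$dir/leaf-only.pem"
  cat "$dir/inter.crt" "$dir/leaf.crt" "$dir/root.crt" >"$dir/misordered.pem"
}

# check_chain BUNDLE ROOT_CA HOSTNAME
# Returns 0 only if BUNDLE starts with an end-entity certificate, each
# certificate is issued by the one that follows it, and the leaf verifies
# up to ROOT_CA for HOSTNAME using only the intermediates in the bundle.
check_chain() {
  bundle=$1; root=$2; host=$3
  tmp=$(mktemp -d)
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
  [ "$n" -ge 2 ] || { echo "only $n certificate(s) in bundle, chain is incomplete"; rm -rf "$tmp"; return 1; }
  # Split the PEM bundle into cert1.pem ... certN.pem in file order.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert" n ".pem")}' "$bundle"
  # The first certificate must be the leaf, not a CA.
  if openssl x509 -noout -text -in "$tmp/cert1.pem" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
    echo "first certificate is a CA: bundle is not leaf-first"; rm -rf "$tmp"; return 1
  fi
  # Each certificate's issuer must be the subject of the next one.
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/cert$i.pem" | sed 's/^[^=]*=//')
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/cert$((i + 1)).pem" | sed 's/^[^=]*=//')
    if [ "$issuer" != "$subject" ]; then
      echo "certificate $i (issuer $issuer) is not followed by its issuer ($subject)"; rm -rf "$tmp"; return 1
    fi
    i=$((i + 1))
  done
  # Full path validation, including the hostname a VPN client would check.
  if ! openssl verify -CAfile "$root" -untrusted "$bundle" -verify_hostname "$host" "$tmp/cert1.pem" >/dev/null 2>&1; then
    echo "chain does not verify to $root for $host"; rm -rf "$tmp"; return 1
  fi
  rm -rf "$tmp"
  return 0
}

# Count the certificates a live listener actually sends. Point it at the
# SSL VPN port, or at any HTTPS site through a deep inspection policy, to
# see what clients really receive. Needs network access; not used below.
served_chain_count() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
make_demo_pki "$work"
for b in fullchain.pem leaf-only.pem misordered.pem; do
  if check_chain "$work/$b" "$work/root.crt" vpn.example.com; then
    echo "$b: OK, safe to import"
  else
    echo "$b: FAIL"
  fi
done
```

Only fullchain.pem passes; leaf-only.pem fails because the intermediate is missing (the situation the SSL VPN step warns about, since FortiGate will not fill it in), and misordered.pem fails because a client expects the server certificate first. For the SSL/SSH Inspection case, the chain to inspect is the one a browser receives through the inspection policy: the first certificate is the leaf FortiGate re-signs on the fly and the rest should be the imported inspection CA followed by its intermediates and root, which is what `served_chain_count` (or `openssl s_client -showcerts` by hand) lets you confirm before rolling the profile out.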