FortiGate
vifi
Staff
Article Id 411396
Description This article describes the missing Authority Key Identifier (AKID) extension in the server certificates that FortiGate resigns during SSL deep inspection, and the FortiOS versions that fix it.
Scope FortiGate.
Solution

When FortiGate performs SSL deep inspection, in either flow mode or proxy mode, the resigned server certificate that FortiGate sends to the end user is missing the Authority Key Identifier (AKID) extension.
As a result, clients that rely on the AKID to build the certification path present the end user with a certificate warning.

When the resigned certificate is opened in the client's certificate viewer, no Authority Key Identifier field is present:

 

[Image: Authority key id.png]

 

RFC 5280, section 4.2.1.1, requires the extension:

The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction. There is one exception; where a CA distributes its public key in the form of a "self-signed" certificate, the authority key identifier MAY be omitted.

The exception covers the FortiGate's own self-signed inspection CA certificate, not the leaf certificates it resigns in that CA's name.
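The check a practitioner would run on a certificate exported from the client, as an added example that is not part of the original article or of FortiOS: a standard-library Python script that locates the subjectKeyIdentifier (OID 2.5.29.14) and authorityKeyIdentifier (OID 2.5.29.35) extensions in a DER certificate and confirms that a leaf's AKID keyIdentifier matches the inspection CA's SKID. The two sample certificates it builds (names, key identifiers, validity and a placeholder signature) are constructed for the example and are not signed; the CA name "Inspection CA" and the key identifiers are assumptions. On a real export, pass the DER bytes to `authority_key_id()` or `akid_chains_to()` (a PEM file is the base64 between the BEGIN/END lines).

```python
"""Stdlib-only AKID/SKID check for X.509 certificates (added example, not Fortinet code).
Parses just enough DER to find subjectKeyIdentifier and authorityKeyIdentifier, so a
resigned leaf exported from the client can be checked against the FortiGate CA cert."""
from __future__ import annotations
import hashlib

OID_SKID, OID_AKID = "2.5.29.14", "2.5.29.35"
# ---- minimal DER decoding ----------------------------------------------------
def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content: bytes) -> list[tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def extensions(cert_der: bytes) -> dict[str, bytes]:
    """Map extension OID -> extnValue content (the DER inside its OCTET STRING)."""
    _, cert, _ = _read_tlv(cert_der, 0)                  # Certificate
    _, tbs, _ = _read_tlv(cert, 0)                       # tbsCertificate
    for tag, body in _children(tbs):
        if tag == 0xA3:                                  # extensions [3] EXPLICIT
            _, seq, _ = _read_tlv(body, 0)
            result = {}
            for _, ext in _children(seq):
                parts = _children(ext)                   # OID, [critical BOOLEAN], OCTET STRING
                result[_decode_oid(parts[0][1])] = parts[-1][1]
            return result
    return {}                                            # no extensions (v1 certificate)

def subject_key_id(cert_der: bytes) -> bytes | None:
    val = extensions(cert_der).get(OID_SKID)
    return None if val is None else _read_tlv(val, 0)[1]

def authority_key_id(cert_der: bytes) -> bytes | None:
    """keyIdentifier [0] from the AKID extension, or None when the extension is absent."""
    val = extensions(cert_der).get(OID_AKID)
    if val is None:
        return None
    _, seq, _ = _read_tlv(val, 0)
    return next((body for tag, body in _children(seq) if tag == 0x80), None)

def akid_chains_to(leaf_der: bytes, issuer_der: bytes) -> bool:
    """True when the leaf's AKID names the issuer's SKID, which path building relies on."""
    akid = authority_key_id(leaf_der)
    return akid is not None and akid == subject_key_id(issuer_der)
# ---- constructed sample certificates (dummy key, unsigned placeholder signature)
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))

def _name(cn: str) -> bytes:                             # Name with a single CN RDN
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _encode_oid("2.5.4.3") + _tlv(0x0C, cn.encode()))))

def build_cert(subject: str, issuer: str, key_id: bytes, akid: bytes | None) -> bytes:
    """v3 certificate skeleton: SKID always present, AKID only when one is given."""
    exts = _tlv(0x30, _encode_oid(OID_SKID) + _tlv(0x04, _tlv(0x04, key_id)))
    if akid is not None:
        exts += _tlv(0x30, _encode_oid(OID_AKID) + _tlv(0x04, _tlv(0x30, _tlv(0x80, akid))))
    alg = _tlv(0x30, _encode_oid("1.2.840.113549.1.1.11") + b"\x05\x00")     # sha256WithRSA
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + _name(issuer)
          + _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"260101000000Z")) + _name(subject)
          + _tlv(0x30, _tlv(0x30, _encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _tlv(0x03, b"\x00"))
          + _tlv(0xA3, _tlv(0x30, exts)))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + bytes(8)))

# Constructed sample data: an assumed inspection CA and two leaves resigned in its name.
CA_KEY_ID = hashlib.sha1(b"constructed inspection CA key").digest()
CA_CERT = build_cert("Inspection CA", "Inspection CA", CA_KEY_ID, None)   # self-signed: AKID may be omitted
LEAF_WITH_AKID = build_cert("www.example.com", "Inspection CA", hashlib.sha1(b"leaf").digest(), CA_KEY_ID)
LEAF_MISSING_AKID = build_cert("www.example.com", "Inspection CA", hashlib.sha1(b"leaf").digest(), None)

if __name__ == "__main__":
    for label, cert in (("with AKID", LEAF_WITH_AKID), ("missing AKID", LEAF_MISSING_AKID)):
        print(f"{label}: akid={authority_key_id(cert)} chains_to_ca={akid_chains_to(cert, CA_CERT)}")
```

The same field is visible with `openssl x509 -in leaf.pem -noout -text` under "X509v3 Authority Key Identifier"; an affected FortiGate's resigned leaf shows only the Subject Key Identifier block, and the script returns None for it. Note that the inspection CA certificate itself is allowed to lack the AKID because it is self-signed, so only the leaf is the relevant check.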

 

This issue has been fixed in the following FortiOS versions; the proxy-mode and flow-mode fixes shipped in different releases, so check the one that matches the inspection mode in use:

  1. Firewall policies in proxy mode, and the explicit web proxy: issue 983997, fixed in FortiOS 7.2.11 and 7.4.8.
  2. Firewall policies in flow mode: issue 1181573, fixed in FortiOS 7.6.4.