Description | This article describes the checks FortiGate performs before it trusts a certificate. |
Scope | |
Solution |
FortiGate runs the following checks, in this order, before it trusts a certificate:
- Checks the certificate revocation lists (CRLs) stored locally on the FortiGate to see whether the issuing CA has revoked the certificate. If the certificate's serial number is listed on the CRL, the certificate has been revoked and is no longer trusted. FortiGate also supports the Online Certificate Status Protocol (OCSP), with FortiAuthenticator acting as the OCSP responder.
- Reads the value in the Issuer field to determine whether it holds the corresponding CA certificate. Without the CA certificate, FortiGate does not trust the certificate. FortiOS uses the Mozilla CA certificate store; the list can be viewed under Security Profiles -> SSL Inspection -> View Trusted CA List -> Factory Bundles.
- Verifies that the current date falls between the Valid From and Valid To values. If it does not, the certificate is treated as invalid.
- Validates the signature on the certificate with the public key of the issuing CA. If the signature does not verify, the certificate is not trusted. Because a valid signature is a critical requirement for trusting a certificate, it may be useful to review how FortiGate verifies digital signatures.
|