Dinesh_FTNT
Staff
Article Id 196409

Description

This article describes the steps to view the Default Trusted CA certificates, including those that are part of the 'Certificate Bundle' package that is updated via FortiGuard communications.

 

Scope

 

FortiGate.

Solution

To view in the GUI, go to Security Profiles -> SSL/SSH inspection and select any SSL/SSH inspection profile from the list.

Then select 'View Trusted CA List'.



In the pane that appears on the right, the trusted CA certificates are visible. This will include CA certificates that are inside the 'Certificate Bundle' (CRDB) package that is automatically updated via FortiGuard.

To view them in the CLI, use the following command to list the trusted CA certificates:

     

fnsysctl ls -a /etc/cert/ca

 

Alternatively, type the following command followed by '?' to list the CA certificate names:

 

execute vpn certificate ca export tftp ?
<string> local certificate name
ACCVRAIZ1
AC_RAIZ_FNMT-RCM
AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS
ANF_Secure_Server_Root_CA
Actalis_Authentication_Root_CA
AffirmTrust_Commercial
<.....>

 

To display the details of the current certificate bundle, run the following command in the CLI.

 

diagnose autoupdate versions | grep -A 7 "Certificate Bundle"

Example Output:

 

fgt_lab # diagnose autoupdate versions | grep -A 7 "Certificate Bundle"
Certificate Bundle
---------
Version: 1.00059
Contract Expiry Date: n/a
Last Updated using manual update on Tue Aug 12 15:00:00 2025
Last Update Attempt: Tue Sep 16 01:41:01 2025
Result: No Updates
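
To check bundle freshness from saved CLI output, the output above can be parsed with a short script. This is an added example, not code from the original article or from Fortinet; the function names and the 90-day and 7-day thresholds are assumptions chosen for illustration.

```python
import re
from datetime import datetime
# The example output shown above, embedded so the script runs offline.
SAMPLE = """\
fgt_lab # diagnose autoupdate versions | grep -A 7 "Certificate Bundle"
Certificate Bundle
---------
Version: 1.00059
Contract Expiry Date: n/a
Last Updated using manual update on Tue Aug 12 15:00:00 2025
Last Update Attempt: Tue Sep 16 01:41:01 2025
Result: No Updates
"""

def _ts(value):
    """Parse a timestamp such as 'Tue Aug 12 15:00:00 2025'; None if not a date."""
    try:
        return datetime.strptime(value.strip(), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None

def parse_cert_bundle(text):
    """Return the fields of the 'Certificate Bundle' block, or None if absent."""
    lines = [line.strip() for line in text.splitlines()]
    if "Certificate Bundle" not in lines:      # exact match skips the echoed command
        return None
    start = lines.index("Certificate Bundle")
    info = {}
    for line in lines[start + 1:start + 8]:    # same window as grep -A 7
        m = re.match(r"Last Updated using (.+) on (.+)$", line)
        if m:
            info["update_method"], info["last_updated"] = m.group(1), _ts(m.group(2))
        elif line.startswith("Last Update Attempt:"):
            info["last_attempt"] = _ts(line.split(":", 1)[1])
        elif ":" in line:
            key, value = line.split(":", 1)
            info[key.strip().lower().replace(" ", "_")] = value.strip()
    return info

def stale_findings(info, now, bundle_days=90, attempt_days=7):
    """Flag old timestamps. Thresholds are assumptions, not Fortinet guidance."""
    findings = []
    for field, limit in (("last_updated", bundle_days), ("last_attempt", attempt_days)):
        ts = info.get(field)
        if ts is None:
            findings.append(f"{field}: no timestamp reported")
        elif (now - ts).days > limit:
            findings.append(f"{field}: {(now - ts).days} days ago (limit {limit})")
    return findings
```

Call `stale_findings(parse_cert_bundle(output), datetime.now())` on output captured from each FortiGate; an empty list means both timestamps are within the chosen limits.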

 
