ronmar
Staff
Article Id 303467
Description This article describes why the certificate warning 'A secure connection with this site cannot be verified. The certificate you are viewing does not match the name of the site you are trying to view' appears when connecting to SSL VPN with FortiClient, and how to fix it.
Scope FortiGate, FortiClient, SSL VPN.
Solution

One of the common certificate warnings a user sees when connecting to SSL VPN via FortiClient is this:

Cert Warning.jpg

There are three scenarios in which this certificate warning appears:

 

  1. The SSL VPN server certificate is the factory default. Out of the box, the Fortinet_Factory certificate is used for the SSL VPN server. That certificate has no Subject Alternative Name (SAN) and its Common Name (CN) is the device serial number, so it can never match the hostname or IP address that FortiClient connects to, and the warning always appears when it is the SSL VPN server certificate. It is also not issued by a CA that client devices trust, so the trust check fails as well.
  2. A self-signed certificate, or one signed by a private (internal) Certificate Authority (CA), is used as the SSL VPN server certificate on the FortiGate. No client trusts that issuer by default, so the warning is expected unless the Root CA (and any Intermediate CA) certificate is installed in the Trusted Root store of every device that connects to the SSL VPN. A matching name alone does not clear this warning; the chain must also verify.
  3. The certificate's Common Name (CN) and Subject Alternative Name (SAN) do not cover the remote gateway. Clients match the remote gateway against the SAN entries and fall back to the CN only when the certificate has no SAN, so both the CN and a SAN must contain exactly the FQDN or IP address configured as the remote gateway in FortiClient. For a certificate from a well-known public CA, use a Fully Qualified Domain Name (FQDN): public CAs generally no longer issue certificates for bare public IP addresses, for security reasons. For a self-signed or private-CA certificate, either an IP address or an FQDN can be used, as long as the same value appears in the CN and as a SAN of the right type (DNS for an FQDN, IP for an address) and matches the remote gateway. For the proper format of a Subject Alternative Name, refer to this article:  How to Add a Subject Alternative Name (SAN) in a Certificate Signing Request (CSR)
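The following script is an added example and is not part of the Fortinet article or of FortiOS. It reproduces the three scenarios above offline with OpenSSL: it generates a factory-style certificate (serial-number CN, no SAN), a correctly built self-signed certificate whose CN and SAN cover the gateway, and one whose SAN names a different host, then checks each the way a client does (name match against SAN, with CN fallback only when no SAN exists, and chain trust with and without the issuing CA). The gateway FQDN vpn.example.com, the IP 203.0.113.10, the placeholder serial number and the port 10443 are all assumptions constructed for the example; fetch_gateway_cert is included only to show how to pull the certificate the FortiGate really serves and is not run offline.

```shell
#!/bin/sh
# Added example, not Fortinet code. Reproduces the three SSL VPN certificate
# warning causes with OpenSSL (1.1.1 or newer for -addext / -ext).
# Constructed assumptions: documentation FQDN/IP, placeholder serial, port 10443.
GATEWAY_FQDN="vpn.example.com"
GATEWAY_IP="203.0.113.10"
FACTORY_CN="FGT-SERIAL-PLACEHOLDER"   # stands in for a real device serial number
SSLVPN_PORT="10443"                   # assumed SSL VPN listening port
WORK="${WORK:-$(mktemp -d)}"

# make_cert NAME CN [SAN]  -> $WORK/NAME.pem and $WORK/NAME.key
# Self-signed, like a certificate generated on the FortiGate itself.
make_cert() {
    if [ -n "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
            -subj "/CN=$2" -addext "subjectAltName=$3" \
            -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
            -subj "/CN=$2" \
            -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
    fi
}

# name_matches CERT TARGET -> 0 when the certificate covers the name or IP the
# client dials. OpenSSL checks SAN first and consults the CN only if the
# certificate carries no SAN, which is what FortiClient's mismatch warning is about.
name_matches() {
    case "$2" in
        *[!0-9.]*) verdict=$(openssl x509 -in "$1" -noout -checkhost "$2") ;;
        *)         verdict=$(openssl x509 -in "$1" -noout -checkip "$2") ;;
    esac
    echo "$verdict"
    case "$verdict" in
        *" does match "*) return 0 ;;
        *)                return 1 ;;
    esac
}

# chain_trusted CERT [CAFILE] -> 0 when the chain verifies. A self-signed
# certificate fails until its CA is in the trust store (scenario 2).
chain_trusted() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# show_cert CERT -> subject, issuer and SAN: the fields to compare against the
# remote gateway configured in FortiClient.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -ext subjectAltName
}

# fetch_gateway_cert HOST PORT OUT -> saves the live SSL VPN server certificate
# so show_cert/name_matches can be run against what the FortiGate really serves.
# Needs network access, so the offline demo below does not call it.
fetch_gateway_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

demo() {
    make_cert factory "$FACTORY_CN" ""                                   # scenario 1
    make_cert good "$GATEWAY_FQDN" "DNS:$GATEWAY_FQDN,IP:$GATEWAY_IP"    # scenario 3, correct
    make_cert wrong "$GATEWAY_FQDN" "DNS:other.example.com"              # scenario 3, SAN wrong
    for c in factory good wrong; do
        echo "== $c.pem"; show_cert "$WORK/$c.pem"
        name_matches "$WORK/$c.pem" "$GATEWAY_FQDN" || true
        name_matches "$WORK/$c.pem" "$GATEWAY_IP" || true
        if chain_trusted "$WORK/$c.pem"; then echo "trusted by the system store"
        else echo "not trusted: issuing CA is missing from the trust store"; fi
    done
    # Importing the CA (here the certificate itself) into the trust store clears scenario 2.
    chain_trusted "$WORK/good.pem" "$WORK/good.pem" && echo "good.pem trusted once its CA is imported"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh check_sslvpn_cert.sh demo`. Note that wrong.pem has the gateway FQDN in its CN yet still fails the name check, because once a SAN is present the CN is ignored; this is why scenario 3 requires the remote gateway to appear in the SAN, not just the CN. Against a real FortiGate, `fetch_gateway_cert "$GATEWAY_FQDN" "$SSLVPN_PORT" "$WORK/live.pem"` followed by `show_cert` and `name_matches` on live.pem shows which of the three scenarios applies.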

FortiClient.jpg