FortiGate
aishaqui
Contributor
Article Id 243068
Description

This article describes the steps for manually importing a public CA certificate bundle into FortiGate.

This is needed when some CA certificates, or the whole bundle, have been removed from the FortiGate, or when the customer wants to manually upgrade or downgrade the CA certificate bundle.

Scope

All FortiGate models and supported firmware.

Solution

To verify whether the public CA bundle needs to be manually updated, follow these steps:

Navigate to the SSL/SSH Inspection profile, edit the profile used in the policy, and select 'View Trusted CA List'.

[Screenshots Cert_Bundle_3.png and Cert_Bundle_4.png: the Trusted CA List of the SSL/SSH Inspection profile]

In the example above, the certificate bundle contains only 20 entries, whereas it should include over 145. Verify the certificate bundle version using the command below:

diagnose autoupdate versions | grep "Certificate Bundle" -A 6

FGT-1-HUB # diagnose autoupdate versions | grep "Certificate Bundle" -A 6
Certificate Bundle
---------
Version: 1.00059
Contract Expiry Date: n/a
Last Updated using manual update on Tue Aug 12 14:00:00 2025
Last Update Attempt: n/a
Result: Updates Installed
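As an added example (not from the article), a small Python check that parses the 'diagnose autoupdate versions' output in the format shown above and, together with the Trusted CA List entry count, reports whether a manual bundle import is warranted. The sample output is constructed, and the expected bundle version is assumed to be obtained from Fortinet support.

```python
import re
from typing import Dict, List, Optional
# Constructed sample in the 'diagnose autoupdate versions' format from the article; the AV Engine block is filler.
SAMPLE_OUTPUT = """\
AV Engine
---------
Version: 7.00038
Result: No Updates

Certificate Bundle
---------
Version: 1.00059
Contract Expiry Date: n/a
Last Updated using manual update on Tue Aug 12 14:00:00 2025
Last Update Attempt: n/a
Result: Updates Installed
"""
MIN_CA_ENTRIES = 145  # per the article, a complete bundle holds over 145 entries

def parse_section(output: str, section: str = "Certificate Bundle") -> Optional[Dict[str, str]]:
    """Return the named section's fields from 'diagnose autoupdate versions' text."""
    for block in re.split(r"\n\s*\n", output.strip()):  # sections are blank-line separated
        lines = [ln.strip() for ln in block.splitlines()]
        if not lines or lines[0] != section:
            continue
        fields: Dict[str, str] = {}
        for line in lines[1:]:
            if line.startswith("-"):             # dashed rule under the header
                continue
            if line.startswith("Last Updated"):  # free text; its timestamp contains ':'
                fields["Last Updated"] = line[len("Last Updated"):].strip()
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        return fields
    return None

def version_key(version: str):
    return tuple(int(part) for part in version.split("."))  # '1.00059' -> (1, 59)

def needs_manual_import(trusted_ca_count: int, fields: Optional[Dict[str, str]], expected_version: str) -> List[str]:
    """Reasons to re-import; empty means healthy. expected_version is assumed to come from Fortinet support."""
    if fields is None:
        return ["no Certificate Bundle section in autoupdate output"]
    reasons = []
    if trusted_ca_count < MIN_CA_ENTRIES:
        reasons.append(f"trusted CA list has {trusted_ca_count} entries, expected over {MIN_CA_ENTRIES}")
    if version_key(fields.get("Version", "0")) < version_key(expected_version):
        reasons.append(f"bundle version {fields.get('Version')} is older than {expected_version}")
    return reasons
```

Feed it the saved CLI output of several units and the entry count read from the Trusted CA List to spot devices that need the manual import described below.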

Prerequisites:

  1. A TFTP server reachable from the FortiGate.
  2. The CA certificate bundle package (.pkg file). Contact Fortinet support to obtain it.

The following command is used to import the CA certificate bundle from FortiGate CLI:

execute vpn certificate ca import bundle <CA bundle filename with .pkg extension> <TFTP server IP>

[Screenshot aishaqui_0-1673964514677.png: the import command run from the FortiGate CLI]

Note:

Before running the command, ensure that any local firewall on the TFTP server allows the FortiGate to connect and retrieve the certificate package file.