FortiGate
saleha
Staff
Article Id 374354
Description

This article describes the effect of the 'Default Certificate' option in the 'ZTNA Server' configuration on traffic. This article assumes familiarity with ZTNA configuration. The following link provides a reference from FortiOS v7.4.7 for ZTNA deployment:

Zero Trust Network Access introduction

Scope: FortiOS, FortiGate, ZTNA.
Solution

In a ZTNA server configuration, whether it is a TCP forwarding or an HTTPS access proxy deployment, the 'Default Certificate' option is a required field to complete the setup.


This option is the certificate the FortiGate presents to the connecting FortiClient. Because the FortiGate acts as the ZTNA access proxy and terminates the TLS session from the client, this is the certificate that allows it to inspect the traffic:


(Screenshot defaultcert.png: the 'Default Certificate' field in the ZTNA Server configuration.)


That means the user's traffic is answered with whichever certificate is selected here, not with the destination server's own certificate, which can lead to a problem.


Problem:

If this option is set to a certificate that was not issued for the real ZTNA destination server, the user is presented with a certificate warning: the hostname of the destination address does not match the name in the certificate the client received. The connection is still served by the FortiGate, but the client cannot confirm it reached the intended server.

Solution:

  • The certificate mismatch is resolved by generating a new certificate for the ZTNA destination server, with that server's hostname in the certificate, together with its own private key, and packaging the pair in a format such as PKCS#12. The certificate must be issued by a CA the connecting clients already trust; a correct hostname on a certificate from an unknown issuer only replaces the mismatch warning with an untrusted-issuer warning.
  • The firewall administrator then imports that certificate and its private key into the FortiGate certificate store.
  • That certificate is then selected in the 'ZTNA Server -> Default Certificate' field.
  • The following link provides a reference on how to import a PKCS#12 certificate in FortiOS: Technical Tip: How to import PKCS#12 certificate.
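The steps above, carried out end to end as an added example (this is not Fortinet's code and not part of the original article): generate a key and certificate whose subject alternative name covers the ZTNA destination hostname, package them as PKCS#12 for the FortiGate import, and check the hostname before importing so the mismatch described under 'Problem' is caught on the workstation rather than by the users. The hostname, file names, passphrase and the FortiOS CLI commands in the comments are assumptions for illustration; it requires openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not Fortinet's code: build a certificate whose subject alternative
# name covers the ZTNA destination hostname, package it with its private key as
# PKCS#12 for import into the FortiGate, and check the hostname before importing.
# Requires openssl 1.1.1 or later on PATH. The hostname, file names and passphrase
# below are illustrative assumptions.

ZTNA_HOST="${ZTNA_HOST:-app.example.internal}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a private key and a certificate for the ZTNA destination server.
# Self-signed so the example runs offline; in production submit a CSR to a CA
# that the connecting clients already trust.
make_cert() {
  host="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORKDIR/ztna.key" -out "$WORKDIR/ztna.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# Does the certificate's SAN list contain the hostname users will type?
# Exit status 0 if it does, 1 if not. A 1 here is exactly the condition that
# produces the hostname-mismatch warning on the client.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -o 'DNS:[^,[:space:]]*' \
    | grep -qxF "DNS:$2"
}

# Bundle certificate and key as PKCS#12, the format the FortiGate import accepts.
bundle_pkcs12() {
  openssl pkcs12 -export -name "ztna-server-cert" \
    -inkey "$WORKDIR/ztna.key" -in "$WORKDIR/ztna.crt" \
    -passout "pass:$1" -out "$WORKDIR/ztna.p12" 2>/dev/null
}

# Read the certificate back out of the .p12 and run the same hostname check,
# so the file that is about to be imported is the one that was verified.
bundle_covers_host() {
  openssl pkcs12 -in "$WORKDIR/ztna.p12" -passin "pass:$1" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | grep -o 'DNS:[^,[:space:]]*' \
    | grep -qxF "DNS:$2"
}

main() {
  pass="changeit"
  make_cert "$ZTNA_HOST" || { echo "certificate generation failed"; return 1; }
  bundle_pkcs12 "$pass" || { echo "PKCS#12 export failed"; return 1; }
  if bundle_covers_host "$pass" "$ZTNA_HOST"; then
    echo "OK: $WORKDIR/ztna.p12 covers $ZTNA_HOST"
    echo "Import it under System > Certificates, then select it as the ZTNA server Default Certificate."
    # Assumed CLI equivalent for a FortiOS 7.x access-proxy VIP (verify on your release):
    #   config firewall vip
    #     edit "<ztna-server-name>"
    #       set ssl-certificate "ztna-server-cert"
    #     next
    #   end
  else
    echo "MISMATCH: $WORKDIR/ztna.p12 does not cover $ZTNA_HOST; clients will see a certificate warning"
    return 1
  fi
}

main
```

Run it as `ZTNA_HOST=<destination hostname> sh ztna-cert.sh`. The only check that matters for the warning in this article is `cert_covers_host`: a certificate whose SAN does not list the name the users connect to will fail it, whoever issued it, and that is the certificate currently in the 'Default Certificate' field when users report the mismatch. Replacing the self-signed certificate with one from a trusted CA is the production step this example does not perform.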