FortiGate
sahmed_FTNT
Staff & Editor
Article Id 289661
Description

This article describes how to resolve situations where DigiCert certificates receive a 'certificate expired' warning.

Scope
FortiGate.
Solution

Since March 8, 2023, DigiCert has started updating the default public issuance of TLS/SSL certificates to the new public second-generation (G2) root and intermediate CA (ICA) certificate hierarchies.


G2 DigiCert certificates:


The G2 DigiCert CA certificates are present in FortiOS with certificate bundle 1.44 and later, released to FortiGuard in June 2023.

To check which certificate bundle is currently installed, run:

diagnose autoupdate versions | grep -A 6 'Certificate Bundle'
Certificate Bundle
---------
Version: 1.00059
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Oct 10 15:46:26 2025
Last Update Attempt: Fri Oct 17 10:24:00 2025
Result: No Updates

To confirm that the G2 root is present in the bundle, look it up by name:

get vpn certificate ca details DigiCert_Global_Root_G2
== [ DigiCert_Global_Root_G2 ]
Name: DigiCert_Global_Root_G2
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
Valid from: 2013-08-01 12:00:00 GMT
Valid to: 2038-01-15 12:00:00 GMT
Fingerprint: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
Serial Num: 03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5


If the FortiGate is running older firmware and was either factory reset or has not had internet access for some time, it may still be using an older certificate bundle and therefore not trust DigiCert certificates signed by the G2 CA certificates.


Possible Symptoms:

  • Web traffic not passing through proxy-based policies.
  • The output of the CLI command 'diagnose debug rating' shows that connections are not established.
  • The following error may be seen in the WAD debug output:

4031 continue the cert failure to get replace msg


Resolution:


To force a certificate bundle update, ensure the device has internet access and run the following command:


execute update-now

# wait a few minutes for the bundle to download and install


To force FortiOS processes to use the new certificate bundle, restart the authentication daemon (fnbamd) and the WAD proxy processes:


fnsysctl killall fnbamd

diagnose test application wad 99


G1 DigiCert certificates:


The DigiCert G1 root CA and intermediate CA are scheduled to be distrusted by Mozilla on April 15, 2026, and not trusted on FortiOS shortly after.


If the remote server is still using a certificate signed by the DigiCert G1 CA after this date, and the website is intended to be publicly accessible, this should be considered an issue on the remote server side. The service provider can resolve the issue by applying a server certificate signed by a later-generation DigiCert CA.


If needed, the FortiGate can be configured to again trust certificates signed by the DigiCert G1 CA by manually uploading the root and intermediate CA certificates to the FortiGate; see FortiOS v7.6.4 Administration Guide | CA Certificate. The DigiCert CA certificates can be downloaded from the third-party site DigiCert Knowledge Base | DigiCert Trusted Root Authority Certificates. However, after the remote server has migrated to a certificate signed by a later-generation CA, it is recommended to remove the manually uploaded CA certificate.


For more details regarding the certificate, see this DigiCert knowledge base article.


Additionally, consider switching the profile to flow mode to further verify that it is working.

Related article:

Technical Tip: Renew Certificate Expired on FortiGate