FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jprokic
Staff
Article Id 335087
Description This article describes how to resolve an issue where FortiGate blocks Apple product updates because the CA that issued the update servers' certificates is not in the FortiGate trust store, so the certificate is treated as untrusted.
Scope FortiGate, Apple devices.
Solution

After a FortiGate is placed in the network path, Apple devices (such as iPhones and iPads) may stop updating properly.
The servers Apple uses for software updates present certificates issued by Apple's own CAs, which FortiGate does not trust by default.

Exempting all Apple-related FQDNs from SSL deep inspection is not enough: the traffic is still subject to certificate inspection, which validates the server certificate chain and, by default, blocks connections whose certificate chains to an untrusted CA.

The Security Events SSL logs show the traffic being exempted from deep inspection and then blocked by certificate inspection:

[Screenshot: Apple_Cert_Update_I.JPG]

The solution:
  1. Download the Apple Root certificate and the Apple Software Update certificate from Apple's PKI page: https://www.apple.com/certificateauthority/

[Screenshot: Apple_Cert_Update_IV.JPG]

  2. Upload the newly downloaded certificates to FortiGate as CA certificates:

    System -> Certificates -> Create/Import -> CA Certificate -> File -> Upload.

[Screenshot: CA_Cert_Upload.jpg]

  3. Once FortiGate has the corresponding Apple CA certificates, certificate inspection can build a trusted chain for the update servers, so it trusts the update traffic and allows it.
    Both the Forward Traffic logs and the Security Events logs confirm this:

[Screenshot: Apple_Cert_Update_II.JPG]
[Screenshot: Apple_Cert_Update_III.JPG]
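Before uploading anything, it is useful to reproduce FortiGate's trust decision on a workstation: confirm that the update server's chain does not verify without Apple's CA and does verify once that CA is added, and convert Apple's DER (.cer) downloads to PEM. The script below is an added example, not part of this article and not Fortinet code. It assumes openssl is installed, and it uses a constructed private root CA and a constructed leaf certificate (hostname update.example.test is invented) as stand-ins for Apple's root CA and an Apple update server; no Apple key material is involved. The real chain of a host seen in the block log can be captured with openssl s_client -showcerts -connect host:443 and fed to the same verify_leaf function.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): reproduce the trust check
# that FortiGate certificate inspection performs, and convert a DER .cer CA
# file of the kind Apple publishes into PEM for upload.
# Assumption: openssl is in PATH. The CA and leaf built here are CONSTRUCTED
# stand-ins for Apple's root CA and an Apple update server.

# Convert a DER-encoded certificate (e.g. AppleRootCA-G3.cer) to PEM.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Validate a server certificate against a trust store, as a firewall does.
# $1 = leaf certificate (PEM); $2 = CA file (PEM), or empty to use only the
# host's default store. Returns 0 if the chain verifies, non-zero otherwise.
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Build a constructed test PKI in directory $1: a private root CA plus one
# leaf signed by it. A private openssl.cnf is written so the result does not
# depend on the system configuration file.
make_test_pki() {
    d="$1"
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier = hash' > "$d/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -config "$d/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
        -subj "/CN=update.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$d/leaf.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/leaf.pem" >/dev/null 2>&1 || return 1
    # Also emit the CA in DER, the encoding Apple's .cer downloads use.
    openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.cer" >/dev/null 2>&1
}

# Stand-alone demo: the same decision FortiGate makes before and after the
# CA is added to its trust store.
demo() {
    d="$(mktemp -d)"
    make_test_pki "$d" || { echo "openssl setup failed"; rm -rf "$d"; return 1; }
    if verify_leaf "$d/leaf.pem"; then
        echo "unexpected: leaf trusted without its CA"
    else
        echo "without CA: chain untrusted (this is what certificate inspection blocks)"
    fi
    der_to_pem "$d/ca.cer" "$d/ca-from-der.pem"
    if verify_leaf "$d/leaf.pem" "$d/ca-from-der.pem"; then
        echo "with CA imported: chain trusted (traffic allowed)"
    fi
    rm -rf "$d"
}

demo
```

Keep the import narrow: a CA uploaded under System -> Certificates is trusted for every certificate-inspected session, not just Apple's, so add only the specific Apple CAs the block log shows are needed and review the list when they are renewed.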