Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jprokic
Staff
Staff

Created on ‎08-21-2024 03:49 AM

Article Id 335087

Troubleshooting Tip: FortiGate blocks Apple Product Updates due to an untrusted certificate

Description This article describes how to resolve an issue where FortiGate blocks Apple Product Updates due to an untrusted certificate.
Scope FortiGate, Apple devices.
Solution

When installing FortiGate into the network, Apple devices (such as iPhones and iPads) may cease updating properly. 
For update purposes, the Apple devices use certificates not trusted by FortiGate, by default.

Even though all Apple-related FQDNs are exempted from SSL deep inspection, they are still being dropped by the certificate inspection which, by default, blocks traffic with untrusted certificates.

 

The Security Events SSL logs show the following:

After traffic is exempted from the Deep SSL inspection, it is blocked by the certificate inspection:

 

Apple_Cert_Update_I.JPG

The solution:

 

 

  1. Download the Apple Root certificate and Software Update certificate from the Apple website: https://www.apple.com/certificateauthority/

 

Apple_Cert_Update_IV.JPG

 

  1. Upload those newly downloaded certificates to FortiGate as a CA certificate:

    System -> Certificates -> Create/Import -> CA Certificate -> File -> Upload.

 

CA_Cert_Upload.jpg

 

 

  1. After FortiGate has corresponding CA certificates from Apple, it trusts the 'update' traffic and allows it.
    Both Forward Traffic logs and Security Events logs confirm it:

 

Apple_Cert_Update_II.JPG
Apple_Cert_Update_III.JPG

2369
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.