FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article provides guidance for resolving an issue where FortiGate presents the wrong digital certificate when using the new Sectigo cross-signed certificate chain.
Scope
FortiGate, FortiOS 7.2 (all supported builds).
Solution
Problem:
Sectigo recently began issuing certificates with a new trust chain. When these certificates are imported into the FortiGate certificate store, the device may not serve the correct certificate chain under certain configurations.
This issue is observed specifically when:
Policies are configured in proxy mode, and:
Flow-based inspection with IPS enabled is applied.
As a result, FortiGate may present an unexpected or incorrect intermediate certificate from the chain.
Workaround:
To avoid this issue, apply the following workaround:
Use a flow-based policy only, without IPS being enabled.
