rqureshi
Staff
Article Id 412881
Description

This article explains how to resolve an issue where FortiGate presents the wrong digital certificate when using the new Sectigo cross-signed certificate chain.

Scope

FortiGate v7.2 (all supported builds).

Solution

Problem:

Sectigo recently began issuing certificates with a new trust chain. When these certificates are imported into the FortiGate certificate store, the device may not serve the correct intermediate certificate in the certificate chain under certain configurations.

This issue is observed specifically when:

  • The FortiGate SSL/SSH inspection profile is set up to do Deep Inspection in 'Protecting SSL Server' mode, and
  • The policy is either configured in proxy mode, or
  • Flow-based inspection with IPS enabled is applied.

As a result, FortiGate may present an unexpected or incorrect intermediate certificate from the chain.

Workaround:

To avoid this issue, apply the following workaround:

  • Use a flow-based policy only, without IPS being enabled.
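A constructed example, added here and not taken from the article or from Fortinet, contrasting an affected policy with the workaround as a FortiOS 7.2 CLI script; the profile name, policy ID, interface, address and certificate names are placeholders.

```fortios
# SSL/SSH inspection profile protecting a published web server with the
# Sectigo certificate imported into the FortiGate certificate store.
# Certificate, interface and address names below are placeholders.
config firewall ssl-ssh-profile
    edit "protect-web-server"
        set server-cert-mode replace
        set server-cert "sectigo-web-cert"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end

# Affected configuration: a proxy-mode policy, or a flow-mode policy
# that also has an IPS sensor attached, using the profile above.
config firewall policy
    edit 10
        set name "publish-web-server-affected"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-server-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "protect-web-server"
        set ips-sensor "default"
    next
end

# Workaround: switch the same policy to flow mode and remove the IPS
# sensor; the deep-inspection profile stays attached.
config firewall policy
    edit 10
        set name "publish-web-server-workaround"
        set inspection-mode flow
        unset ips-sensor
        set utm-status enable
        set ssl-ssh-profile "protect-web-server"
    next
end
```

After applying the change, confirm the chain the FortiGate now presents with `openssl s_client -connect <VIP>:443 -showcerts` from outside and check that the intermediate it shows is the Sectigo intermediate that was imported.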