iskandar_lie
Staff
Article Id 258395
Description This article describes how to resolve an intermediate certificate issue that causes a 'Fortinet Untrusted CA' error while browsing the web.
Scope Any supported version of FortiOS.
Solution

The user receives a 'Fortinet Untrusted CA' error when visiting https://procontract.due-north.com:

(Screenshot: procontract-not-working.png)

There are many reasons why the FortiGate would intercept the session and present a page to the user.

The easiest way to find out is to accept the invalid certificate and look at the page the FortiGate is trying to show the user.

In most cases, this will be a UTM block. The easiest way to confirm this is to check the Forward Traffic logs filtered to the IP of the user having the issue. Under the 'Security' section, the log entry shows the specific UTM feature that blocked that user.

In some cases, the session is blocked because of an SSL anomaly: the FortiGate could not verify the certificate of that site.
This result can be validated by checking the certificate manually with a third-party tool: enter the site name into the tool and review the reported certificate chain. For this site, the results show the issuer as 'Sectigo RSA Domain Validation Secure Server CA':

(Screenshot: certificate info ssllab.PNG)

Check whether FortiGate has the root CA of that chain, 'USERTrust_RSA_Certification_Authority', in its database. To do so in the CLI, run the following in the global VDOM and look for this entry in the output:

get vpn certificate ca

== [ USERTrust_RSA_Certification_Authority ]
name: USERTrust_RSA_Certification_Authority

To check in the GUI, navigate to Security Profiles -> SSL/SSH Inspection -> Create New.

(Screenshot: certificate CA.PNG)

(Screenshot: usertrust.PNG)

Since that root CA is in the database, FortiGate should trust this website. If the error still appears, the chain from the site's certificate up to the trusted USERTrust root cannot be built without the intermediate certificate, so install the intermediate certificate 'Sectigo RSA Domain Validation Secure Server CA' on the FortiGate.

(Screenshot: sectigo intermediate.PNG)
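As an added example (not part of the Fortinet article), the following openssl script builds a throwaway root -> intermediate -> leaf chain and shows why a trust store that holds only the root rejects the leaf until the intermediate is available, either sent by the server or imported into the trust store as this article does. All certificate names and the host name www.example.test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): a throwaway root -> intermediate -> leaf
# chain, verified against a trust store that holds only the root. Names are placeholders.
set -u
WORK=$(mktemp -d) && cd "$WORK" || exit 1

# Extension files: the CAs must be marked as CAs, the leaf must not be.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Self-signed root (stands in for "USERTrust RSA Certification Authority")
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate signed by the root (stands in for "Sectigo RSA Domain Validation Secure Server CA")
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 -sha256 \
  -extfile ca.ext -out inter.pem 2>/dev/null

# Leaf (web server) certificate signed by the intermediate
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 1 -sha256 \
  -extfile leaf.ext -out leaf.pem 2>/dev/null

# Trust store = root only and the server sent only its leaf: the chain cannot be built.
# This is the FortiGate situation described in the article. Prints "untrusted".
verify_root_only() {
  if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Intermediate supplied next to the leaf as a non-trusted chain element, i.e. what a
# correctly configured web server sends in the TLS handshake. Prints "trusted".
verify_server_sends_intermediate() {
  if openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Intermediate imported into the trust store itself, which is the fix the article applies
# on the FortiGate. Prints "trusted".
verify_intermediate_imported() {
  cat root.pem inter.pem > store.pem
  if openssl verify -CAfile store.pem leaf.pem >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

echo "root only:                 $(verify_root_only)"
echo "server sends intermediate: $(verify_server_sends_intermediate)"
echo "intermediate imported:     $(verify_intermediate_imported)"
```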

Find the certificate here: https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates.

(Screenshot: sectigo download.PNG)

Next, install the downloaded certificate on FortiGate.

To install in the GUI, navigate to System -> Import -> CA Certificate:

(Screenshot: Import CA.PNG)

Once imported, the certificate can be found here:

(Screenshot: Imported CA.PNG)

See the attachment for the Sectigo certificate used in this example.