Created on 05-30-2023 03:24 AM
Edited on 02-19-2025 06:48 AM
By Stephen_G
Description | This article describes how to resolve an intermediate certificate issue that causes a 'Fortinet Untrusted CA' error while browsing the web. |
Scope | Any supported version of FortiOS. |
Solution |
The user receives a 'Fortinet Untrusted CA' error when visiting https://procontract.due-north.com.
There are many reasons why the FortiGate would intercept the session and present a page to the user. The easiest way to see why this is the case is to accept the invalid certificate and see the page the FortiGate is trying to show the user.
Check whether the FortiGate has 'USERTrust_RSA_Certification_Authority' in its CA database. To do so in the CLI, run the following in the global VDOM:

    get vpn certificate ca
    == [ USERTrust_RSA_Certification_Authority ]
    name: USERTrust_RSA_Certification_Authority

To check in the GUI, navigate to Security Profiles -> SSL/SSH Inspection -> Create New.
This website should be trusted by the FortiGate since the CA is in the database. If that is not the case, install the intermediate certificate 'Sectigo RSA Domain Validation Secure Server CA' on the FortiGate.
Find the certificate here: https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates.
Next, install the downloaded certificate on FortiGate.
To install in the GUI, navigate to System -> Import -> CA Certificate.
Once imported, the certificate can be found here:
See the attachment for the Sectigo certificate used in this example. |
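
The following is an added example, not part of the original article and not FortiOS commands: it uses the openssl CLI on a workstation to show why a site can fail validation even though its root CA is in the trust store, and why supplying the intermediate fixes it. The three certificates are constructed placeholders ('Example Root CA', 'Example Intermediate CA', 'site.example'), not the real USERTrust or Sectigo certificates.

```sh
#!/bin/sh
# Constructed root -> intermediate -> leaf chain. All names are placeholders,
# not the real USERTrust or Sectigo certificates.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:site.example\n' > "$WORK/leaf.ext"

# new_csr NAME CN: create NAME.key and NAME.csr
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXTFILE: issue NAME.pem from NAME.csr, signed by ISSUER's key
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
  new_csr root "Example Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  new_csr inter "Example Intermediate CA"
  sign inter root ca.ext
  new_csr leaf "site.example"
  sign leaf inter leaf.ext
}

# chain_status CERT [INTERMEDIATE]: validate CERT against a trust store that
# holds only the root, optionally supplying an intermediate for path building.
chain_status() {
  extra=""
  if [ -n "${2:-}" ]; then extra="-untrusted $WORK/$2.pem"; fi
  if openssl verify -CAfile "$WORK/root.pem" $extra "$WORK/$1.pem" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

build_pki
echo "leaf, root only in store:        $(chain_status leaf)"
echo "leaf, intermediate also present: $(chain_status leaf inter)"
# Details worth comparing against the CA's published values before importing
openssl x509 -in "$WORK/inter.pem" -noout -subject -issuer -fingerprint -sha256
```

The same `openssl verify` and `openssl x509 -noout -subject -issuer -fingerprint` checks can be run on a downloaded intermediate before it is imported as a CA certificate.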