The user receives a 'Fortinet Untrusted CA' error when visiting https://procontract.due-north.com:

There are many reasons why the FortiGate would intercept the session and present a page to the user.

The easiest way to see why this is the case is to accept the invalid certificate and see the page the FortiGate is trying to show the user.

In most cases, this will be a UTM block. The easiest way to confirm this would be to check the Forward Traffic logs filtered to the IP of the user having the issue. Under the 'Security' section, it will show the specific UTM which blocked that user.

In some cases, this will be blocked due to an SSL anomaly when the FortiGate tried to verify the certificate of that site.
It is possible to validate this result and check this certificate manually using a third-party tool.
To test the validity of the SSL certificate input the site name into the tool. The results will show the issuer as  'Sectigo RSA Domain Validation Secure Server CA':

Check if FortiGate has this 'USERTrustRSA_Certification_Authority' in its database. To do so in the CLI, run the following on a global VDOM:

get vpn certificate ca

== [ USERTrust_RSA_Certification_Authority ]

name: USERTrust_RSA_Certification_Authority

To check in the GUI, navigate to Security Profiles -> SSL/SSH Inspection -> Create New.

This website should be trusted by FortiGate since the CA is in the database. If that is not the case, install the intermediate certificate 'Sectigo RSA Domain Validation Secure Server CA' to FortiGate. 

Find the certificate here: https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates.

Next, install the downloaded certificate on FortiGate.

To install in the GUI, navigate to System -> Import ->  CA Certificate:

Once imported, the certificate can be found here:

See the attachment for the Sectigo certificate used in this example.