Description | This article describes how to resolve a missing intermediate certificate that causes a 'Fortinet Untrusted CA' error while browsing the web. |
Scope | Any supported version of FortiOS. |
Solution |
Consider the following scenario:
1) The environment is employing certificate inspection or deep (full SSL) inspection for web traffic.
The user receives a 'Fortinet Untrusted CA' error when visiting https://procontract.due-north.com:
This indicates that FortiGate cannot validate the website's certificate chain: the certificate that issued the server certificate is not in FortiGate's trusted CA store, so the chain cannot be built up to a trusted root.
Testing the site with SSL Labs shows that the server certificate was issued by 'Sectigo RSA Domain Validation Secure Server CA', an intermediate CA that is itself issued by the root 'USERTrust RSA Certification Authority':
Check whether FortiGate already has the root 'USERTrust_RSA_Certification_Authority' in its CA store. In the CLI, run the following in the global VDOM (CA certificates are global objects):
get vpn certificate ca
== [ USERTrust_RSA_Certification_Authority ]
    name: USERTrust_RSA_Certification_Authority
To check in the GUI, navigate to Security Profiles -> SSL/SSH Inspection -> Create New.
Since the root is already in the database, the website would be trusted if FortiGate could build the chain up to it. The chain breaks at the intermediate: when the web server does not send 'Sectigo RSA Domain Validation Secure Server CA' in the TLS handshake and FortiGate does not hold it either, the issuer of the server certificate cannot be found and the error appears. If that is the case, install the intermediate certificate 'Sectigo RSA Domain Validation Secure Server CA' on FortiGate.
Find the certificate here: https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates.
Next, install the downloaded certificate on FortiGate.
To install in the GUI, navigate to System -> Certificates -> Import -> CA Certificate:
Once imported, the certificate is listed under System -> Certificates and in the output of get vpn certificate ca. Reload the website to confirm the error no longer appears:
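The diagnosis above (root present, intermediate missing) can be reproduced offline with a constructed three-tier PKI and the openssl CLI. This is an added example, not part of the Fortinet article or of FortiOS: it generates a throwaway root, intermediate and server certificate (all names below are made up), then verifies the server certificate first against the root alone, which fails the same way FortiGate does when the intermediate is absent, and then with the intermediate supplied, which succeeds. It assumes openssl 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: reproduce the "untrusted CA"
# condition offline with a constructed three-tier PKI and the openssl CLI.
# Assumptions: openssl (1.1.1 or later) is on PATH. All names below
# (Example Root CA, Example Issuing CA, www.example.test) are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/demo.cnf"

# Minimal req/x509 config so no system openssl.cnf extensions leak in.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Build root -> intermediate -> leaf (stand-ins for the USERTrust root ->
# Sectigo RSA DV Secure Server CA -> the web server's certificate).
build_demo_pki() {
    openssl req -x509 -config "$CNF" -extensions v3_root -newkey rsa:2048 \
        -nodes -sha256 -days 30 -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Issuing CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$CNF" -extensions v3_inter -out "$WORK/inter.pem" >/dev/null 2>&1
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$CNF" -extensions v3_leaf -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# What the article reads off SSL Labs: the issuer name of a certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# FortiGate's situation before the fix: only the root is trusted and the
# server sent no intermediate. Exit status 0 = trusted, non-zero = untrusted.
verify_with_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# After the fix: the intermediate is available to the chain builder
# (on FortiGate, because it was imported as a CA certificate).
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

build_demo_pki
echo "leaf issuer:         $(issuer_of "$WORK/leaf.pem")"
echo "intermediate issuer: $(issuer_of "$WORK/inter.pem")"
if verify_with_root_only; then
    echo "root only:           trusted"
else
    echo "root only:           UNTRUSTED (issuer not found: intermediate missing)"
fi
if verify_with_intermediate; then
    echo "with intermediate:   trusted"
else
    echo "with intermediate:   UNTRUSTED"
fi
```

To inspect what the real server sends, run openssl s_client -connect procontract.due-north.com:443 -showcerts </dev/null and count the certificates returned: if only the server certificate appears, the chain is incomplete and FortiGate needs the intermediate installed as described above, since it does not have the intermediate locally and cannot complete the chain on its own.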
See the attachment for the Sectigo certificate used in this example. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.