SSL Deep Inspection is certainly pointy. It can cause a lot of issues, so be careful and understand exactly what your requirements are, and understand the legal aspects if you are using it on general web browsing, including banking and other sites.
Best practice would be to only inspect traffic to untrusted/unknown sites.
And as you've already noted, you have to solve for the trusted certificate issue. The best way to do this is to use your internal PKI (endpoints will trust your root already) and create an intermediate signing CA certificate that gets imported into the FortiGate.
Or, it could be that you realize you don't actually need deep inspection and certificate inspection will work well enough for you.
Cert inspection will just look at the domain name of the destination site. It cannot see the URL or any data that is passed. Most of the time this is good enough for web filtering (but not URL filtering) and app control (but not all app control signatures). It's also good enough for IPS but again won't catch all IPS.
I think you should take a step back, really understand what it is you're trying to accomplish, and then deploy what you need.
Also, deep inspection is only going to work for your corporate-managed endpoints. Anything else will always get a certificate error.