New Contributor

SSL Certificate Inspection, CA certificate and

Dear all,


I do not clearly understand the role of the CA (self-signed) certificate in regard to the SSL Certificate Inspection feature. If I understand correctly, in SSL Certificate Inspection mode the FortiGate "sees" the server certificate and assesses the relationship between the requested URL and the subject of the certificate.


1) So why is the CA certificate (self-signed) required?


2) Actually, it appears that when I establish an initial TLS session with, let's say,, the CA (self-signed) certificate is given to the client. Why does this happen?


3) I notice that in the TLS sessions that follow with, the official (Amazon's) certificate is given to the server.


I have clearly missed something, but unfortunately I have been unable to find the answer in my reading (official documentation, this site).


The real problem comes with servers that do certificate pinning, such as Facebook, Twitter or Gmail, because the client refuses to proceed with establishing the TLS session.


Thank you for your help.




Esteemed Contributor III

Not sure what you have configured, but this KB should help you understand what's happening.


Keep in mind, if you inspect the "cert" from the client, it's the self-signed certificate and not the original server certificate. All proxies that are used, regardless of FTNT, do the same thing (i.e. BlueCoat, PaloAlto, etc.).


So it's crucial that the clients trust this "proxy certificate" if you don't want any failures/warnings/errors. Remember the FGT is a MiTM proxying two SSL connections:


C -2 -S

S -2 -C


I personally believe the FGT is very loose in its inspections for certificate validation, IMHO.





PCNSE NSE StrongSwan
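The two posts above describe two different views of the same certificate: the FortiGate checks whether the requested host matches the subject/SAN of the server certificate, and the client, per the reply, sees a certificate issued by the FGT's self-signed CA rather than the original one, which a pinning client rejects. The following is an added example, not code from the thread or from Fortinet, that models both checks in pure Python. It works on certificate dicts in the layout `ssl.SSLSocket.getpeercert()` returns; the certificates themselves are constructed, the CA name `Fortinet_CA_SSL` and the public issuer names are assumptions, and the `spki_sha256` field is an assumed extra (getpeercert() does not return it) used only to emulate pinning.

```python
"""Hostname-vs-certificate matching and proxy-CA / pinning checks.

Added example, not from the thread. Certificates are constructed dicts in
the ssl.SSLSocket.getpeercert() layout. PROXY_CA_CN, PUBLIC_CAS and the
"spki_sha256" field are assumptions made for the example.
"""

PROXY_CA_CN = "Fortinet_CA_SSL"                        # assumed CN of the FGT self-signed CA
PUBLIC_CAS = {"DigiCert Global CA G2", "GTS CA 1C3"}   # assumed trusted public issuers


def _dns_names(cert):
    """SAN dNSName entries win; the subject CN is used only when no SAN exists (RFC 6125)."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _label_match(host, pattern):
    """Exact match, or a wildcard that is the whole leftmost label and covers
    exactly one label: *.amazon.com matches www.amazon.com but neither
    amazon.com nor a.b.amazon.com, and a bare *.com is never accepted."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(hostname, cert):
    """The check the FGT is described as making: requested host vs. certificate names."""
    return any(_label_match(hostname, n) for n in _dns_names(cert))


def issuer_cn(cert):
    for rdn in cert.get("issuer", ()):
        for k, v in rdn:
            if k == "commonName":
                return v
    return None


def inspect(hostname, cert, client_trusts_proxy_ca=True, pinned_spki=None):
    """What the middlebox and the client would each conclude about a leaf cert."""
    issuer = issuer_cn(cert)
    by_proxy = issuer == PROXY_CA_CN
    hostname_ok = hostname_matches(hostname, cert)
    issuer_trusted = issuer in PUBLIC_CAS or (by_proxy and client_trusts_proxy_ca)
    # A pinning client compares the leaf's SPKI hash, so a re-signed cert with
    # a fresh FGT key fails even when the host matches and the CA is trusted.
    pin_ok = pinned_spki is None or cert.get("spki_sha256") == pinned_spki
    return {
        "hostname_ok": hostname_ok,
        "issued_by_proxy": by_proxy,
        "issuer_trusted": issuer_trusted,
        "pin_ok": pin_ok,
        "client_accepts": hostname_ok and issuer_trusted and pin_ok,
    }


# --- constructed sample certificates (not real certificates) ---
AMAZON_ORIGINAL = {
    "subject": ((("commonName", "www.amazon.com"),),),
    "subjectAltName": (("DNS", "www.amazon.com"), ("DNS", "*.amazon.com")),
    "issuer": ((("commonName", "DigiCert Global CA G2"),),),
    "spki_sha256": "sha256/AMAZON_REAL_KEY",
}
# What the client sees through the FGT: same names, re-signed by the proxy CA.
AMAZON_VIA_FGT = dict(
    AMAZON_ORIGINAL,
    issuer=((("commonName", PROXY_CA_CN),),),
    spki_sha256="sha256/FGT_GENERATED_KEY",
)
GMAIL_VIA_FGT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "subjectAltName": (("DNS", "mail.google.com"),),
    "issuer": ((("commonName", PROXY_CA_CN),),),
    "spki_sha256": "sha256/FGT_GENERATED_KEY",
}

if __name__ == "__main__":
    print("amazon, proxy CA trusted  :", inspect("www.amazon.com", AMAZON_VIA_FGT))
    print("amazon, proxy CA untrusted:", inspect("www.amazon.com", AMAZON_VIA_FGT, False))
    print("gmail, pinned client      :", inspect("mail.google.com", GMAIL_VIA_FGT,
                                                 pinned_spki="sha256/GOOGLE_REAL_KEY"))
```

The `client_trusts_proxy_ca=False` case is the warning the reply says you get when the proxy CA is not installed, and the pinned Gmail case shows why installing the CA does not help against pinning: the hostname and issuer checks pass, but the SPKI of the FGT-generated key is not the pinned one.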
New Contributor


Indeed. But the document you kindly gave me is about Deep Inspection; my context is SSL Certificate Inspection.


