3RR0R
New Contributor

SSL Certificates Error for Protecting SSL Server

Hello

I'm trying to set up an SSL Inspection Profile for a Server behind our Fortigate but as soon as I activate the SSL Profile I get an error for the Website that it's not been trusted. SSL Inspection Options is set to Protecting SSL Server.

If I activate the SSL Profile on the Policy and check on https://www.digicert.com/help/ I get the following error:

"The Certificate is not issued by DigiCert, GeoTrust, Thawte, or RapidSSL" and the Serial Number which is shown for the Certificate I can't find under Certificates

I uploaded the Wildcard Certificate with Private Key to the Local Certificate and I can see it there. I also see the Intermediate Cert in the Remote CA Certificate section. Do I have to upload the Root Cert as Remote Certificate to work or what could be the Problem?

I would appreciate your help!

pminarik

A firewall policy with only an SSL inspection profile and no other UTM profiles will not actually touch the TLS at all. It is easier to understand SSL inspection as an "auxiliary profile" helping other UTM profiles with inspecting encrypted traffic, when those profiles need to inspect something. No other UTM => nothing to inspect => SSL inspection will do nothing.

 

Two possible explanations then:

a, The certificate is applied from a server-load-balancing VIP (TLS type, or the type matching the desired protocol, e.g. HTTPS)

b, The certificate is provided by the real server, with FortiGate not affecting anything.

[ corrections always welcome ]
3RR0R
New Contributor

But still SSL Deep Inspection has to work first. If I have the Certificates only on the Webserver I can't inspect the traffic. That's why I uploaded them to the Fortigate so I can use SSL Deep Inspection for the Traffic towards the Server and then add other Security Profiles

pminarik

Of course, but what I am saying is that the SSL inspection profile is not expected to do anything at all if you don't have any other UTM profile selected in the firewall policy (which seems to be the case based on your screenshot of the policy).

 

If you want to see realistic results of deep-inspection in the firewall policy, add some UTM profile first, e.g. a monitor-all webfilter. Or a dummy IPS profile.

[ corrections always welcome ]
3RR0R
New Contributor

Thank you but my issue is not that I don't see anything on the Firewall. My issue is that the Browser is giving Certificate errors since the Website is not trusted because the Firewall sends the wrong Certificate.
I did a Trace and I see in Wireshark that if SSL Inspection is disabled I get the right Certificate from the Server. If I activate SSL Inspection the Firewall sends the wrong Certificate -->Local CA Certificate "Fortinet_CA_SSL" instead of the one selected Certificate in the Profile.

Do I have to upload a part of the Certificate as CA Certificate?

AEK

I think what @pminarik is trying to say is that your issue may be fixed just by enabling any security profile, for example you can just try set IPS: default

AEK
pminarik

Hmm, alright. I reviewed the screenshots again, and noticed one more thing.

The browser is showing that the "mysterious" certificate is signed by "Fortinet Untrusted CA", typically meaning that the FortiGate doesn't like the real server's certificate.

Is there anything special about it? E.g. being self-signed, or signed by a CA that the FortiGate doesn't trust yet, or being issued for an FQDN/IP that doesn't match the name being requested by the client?

[ corrections always welcome ]
3RR0R
New Contributor

I also tried with adding another Security Profile but still same issues.
It's a Certificate from Digicert not self-signed. I Uploaded the .pem (which includes the whole Certificate Chain) to Local Certificate. SAN also has the right DNS entries.

Now my Question. In the Wireshark I saw that as soon as I activate the Policy with the SSL Profile and the Uploaded Cert, Fortigate sends the "Fortinet_CA_SSL" Certificate which is located under Local CA Certificates instead of the one in the SSL Profile. Do I have to upload my Cert as a Local CA Certificate instead of Local Certificate?

I really appreciate your help

pminarik

Can you try capturing the Fortigate<->server segment of the traffic in a pcap? Ideally during a TLS 1.2 exchange. I would try to focus on verifying what certificates the FortiGate receives from the server when it's making the connection. Hopefully there will be something visible that will explain why the FortiGate is flagging this as "untrusted".

[ corrections always welcome ]
AEK

Hi @3RR0R 

Tried the following in my lab (FOS 6.2.16) and it worked successfully (the right ssl cert is shown).

  • srcintf: client_lan
  • dstintf: server_lan
  • src: client_IP
  • dst: server_IP
  • service: HTTPS
  • Inspection Mode: proxy-based
  • ssl inspection: Test (protect ssl server, using a private cert)
  • IPS: default

Note that I didn't use VIP/VS for this test.

AEK
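
The lab setup listed in the post above, written out as FortiOS 6.2 CLI. This is an added example, not configuration posted by anyone in the thread: the certificate name `wildcard_example` is a hypothetical placeholder for the uploaded Local Certificate, `client_IP` and `server_IP` are assumed to exist as address objects, and the `#` lines are annotations for the reader.

```fortios
# SSL inspection profile "Test" in "Protecting SSL Server" mode.
config firewall ssl-ssh-profile
    edit "Test"
        config https
            set ports 443
            set status deep-inspection
        end
        # "replace" presents the uploaded server certificate to clients;
        # "re-sign" would instead sign a new certificate with the profile's CA.
        set server-cert-mode replace
        # Hypothetical name: use the Local Certificate that holds the
        # wildcard certificate and its private key.
        set server-cert "wildcard_example"
    next
end

# Proxy-based policy from client_lan to server_lan, no VIP, with the
# IPS sensor "default" attached alongside the SSL inspection profile.
config firewall policy
    edit 0
        set name "inspect-to-server"
        set srcintf "client_lan"
        set dstintf "server_lan"
        set srcaddr "client_IP"
        set dstaddr "server_IP"
        set service "HTTPS"
        set schedule "always"
        set action accept
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "Test"
        set ips-sensor "default"
    next
end
```

Comparing `show firewall ssl-ssh-profile Test` on the affected unit against this shows whether the profile is in replace mode and which certificate it references.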
3RR0R
New Contributor

Thank you guys for your help. I opened a Ticket. I've read a lot about people having Issues with Digicert Certificates and SSL Inspection.
