This is very likely an SSL/TLS error. To be sure, that is an encrypted tunnel that has to be established prior to sending any data through it (like authentication etc. and whatever follows).
TLS can be established with different criteria, but one node receives a certificate from the other node and has to verify it.
More information here:
The FortiGate is sending a server certificate to the client and the client has to have the signing certificate to verify the server certificate. If the certificate chain is longer, all the public keys are to be presented.
The private key NEVER has to be imported anywhere but the identifying node (webserver).
If the client is sending a certificate to the FortiGate because the configuration was set up that way, the same goes: the FortiGate has to verify what the client sends with the certificate that issued the client certificate.
client/server cert > Intermediate CA > Root CA
- client/server sends the cert, the other node needs to have the intermediate and root CA cert (public key only required).
- client/server sends the cert and intermediate, the other node needs to have the root CA cert (public key only required).
- client/server sends the cert, intermediate and root, the other node needs to have the root CA cert (public key only required).
If the client sends a cert AND the server sends its cert, likewise server AND client both need to verify what the other node sends.
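The chain cases listed above can be reproduced offline with `openssl verify`. This is an added example, not part of the original post; the lab CA names, the host name `fgt.lab.example` and the helper function names are constructed for illustration.

```bash
#!/bin/sh
# Constructed lab PKI (all names made up): root CA -> intermediate CA -> server cert.
# Only the .pem certificates (public keys) are ever given to the verifying side.

new_csr() {  # $1 = file prefix, $2 = subject
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_pki() {  # $1 = working directory
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  new_csr "$1/root" "/CN=Lab Root CA"
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
  new_csr "$1/int" "/CN=Lab Intermediate CA"
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -set_serial 2 -days 2 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null
  new_csr "$1/leaf" "/CN=fgt.lab.example"
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -set_serial 3 -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# $1 = CA certs the verifier holds, $2 = cert to check, $3 = extra certs the peer sent
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

report() {  # $1 = label, remaining arguments as for verify_chain
  if verify_chain "$2" "$3" "${4:-}"; then
    echo "$1: chain verifies"
  else
    echo "$1: verification FAILS"
  fi
}

d=$(mktemp -d)
build_pki "$d"
cat "$d/int.pem" "$d/root.pem" > "$d/both.pem"   # intermediate + root in one file

report "cert only, verifier has intermediate+root"  "$d/both.pem" "$d/leaf.pem"
report "cert+intermediate, verifier has root"       "$d/root.pem" "$d/leaf.pem" "$d/int.pem"
report "cert+intermediate+root, verifier has root"  "$d/root.pem" "$d/leaf.pem" "$d/both.pem"
report "cert only, verifier has root only"          "$d/root.pem" "$d/leaf.pem"
```

The last case is the misconfiguration: neither side supplies the intermediate, so the verifier cannot build a path to its root and the check fails.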