In case you never solved this. Web filtering needs to be enabled on the
policy for it to work. I was just dealing with this same issue where the
sites were signed by the original CA but when I enabled Web Filtering on
the policy on the fortigate now ...