2. In this case, the certificate error was caused by an invalid or missing certificate chain verifying the authenticity of the server certificate presented in the SSL/TLS
4. Click Export Packet Bytes, save the file as certificate.cer, and open certificate.cer, which looks as shown below.
5. Now go to the FortiGate GUI and upload the public certificates of the Root CA and the Intermediate CA in the CA Certificate section, in PEM/CER format.
6. Make sure that the Root CA and Intermediate CA appear under the External CA certificates.
7. Restart the authd process.
8. On the browser, ensure that the Root CA is present/installed/trusted. Intermediate CA doesn't need to be installed on the browser because the intermediate CA will be sent in the SSL/TLS handshake by the FortiGate.
9. Re-open the browser and access any web page. This redirects to the captive portal login page on the FortiGate.
10. The certificate chain is present this time and no error is seen on the browser.
11. Verify using Wireshark to capture the SSL/TLS Handshake.
12. Points to Note
a. The public certificates of the Root CA and Intermediate CA need to be uploaded to the FortiGate as Remote CA certificates.
b. The following two CLI commands are in place.
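The following shell example is added here and is not part of the Fortinet article or FortiGate itself. It reproduces the situation described in steps 2 through 10 offline with openssl: a throwaway Root CA, an Intermediate CA, and a portal certificate (the names "Example Root CA", "Example Intermediate CA" and "portal.example.test" are constructed for the demo). Verifying the portal certificate against the root alone fails, which is the browser-side error when the chain is missing; supplying the intermediate as an untrusted certificate, which is what the FortiGate does in the handshake once the CA certificates are uploaded, makes the same leaf verify. Only openssl and a POSIX shell are assumed.

```shell
#!/bin/sh
# Added example, not code from the Fortinet article: build Root CA -> Intermediate
# CA -> portal certificate with openssl and compare chain verification with and
# without the intermediate. All names and files below are constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so nothing depends on a system-wide openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# 1. Self-signed Root CA: the only thing the browser needs to trust (step 8).
openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/root.key" -sha256 -days 30 \
  -subj "/CN=Example Root CA" -config "$WORK/req.cnf" -extensions ca_ext \
  -out "$WORK/root.pem" 2>/dev/null

# 2. Intermediate CA signed by the root: uploaded to the FortiGate (step 5).
openssl genrsa -out "$WORK/inter.key" 2048 2>/dev/null
openssl req -new -key "$WORK/inter.key" -subj "/CN=Example Intermediate CA" \
  -config "$WORK/req.cnf" -out "$WORK/inter.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/inter.ext"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/inter.ext" \
  -out "$WORK/inter.pem" 2>/dev/null

# 3. Captive portal (server) certificate signed by the intermediate.
openssl genrsa -out "$WORK/portal.key" 2048 2>/dev/null
openssl req -new -key "$WORK/portal.key" -subj "/CN=portal.example.test" \
  -config "$WORK/req.cnf" -out "$WORK/portal.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:portal.example.test\n' \
  > "$WORK/portal.ext"
openssl x509 -req -in "$WORK/portal.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/portal.ext" \
  -out "$WORK/portal.pem" 2>/dev/null

# Browser trusts only the root and the server sent only its own certificate:
# path building stops at the missing intermediate, so this is expected to fail.
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/portal.pem" >/dev/null 2>&1
}

# Same trust store, but the intermediate arrives with the handshake as an
# untrusted certificate (all the FortiGate sends): expected to succeed.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/portal.pem" >/dev/null 2>&1
}

# Sanity check before uploading: the intermediate must actually be a CA certificate.
intermediate_is_ca() {
  openssl x509 -in "$WORK/inter.pem" -noout -text | grep -q 'CA:TRUE'
}

if verify_leaf_alone; then
  echo "leaf alone: OK (unexpected)"
else
  echo "leaf alone: FAILED (missing intermediate, the browser certificate error)"
fi
if verify_with_intermediate; then
  echo "leaf + intermediate: OK (chain complete, no browser error)"
else
  echo "leaf + intermediate: FAILED"
fi
```

The `-untrusted` file plays the role of the certificates delivered in the handshake: they are used for path building but are not trusted on their own, which is why the root must be in the browser's store while the intermediate only needs to be on the FortiGate. The same two `openssl verify` calls can be run against a certificate.cer exported from Wireshark (step 4) to confirm which case a real portal is in.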
See also: Preventing certificate warnings CookBook