FortiGate
ppatel
Staff
Description
A certificate error always appears on HTTPS websites blocked by FortiGate during SSL inspection when the FortiGate CA certificate has not been imported into the client's trust store.

The reason is that when a secured website is accessed (e.g. https://www.youtube.com), the YouTube certificate assures the browser that it is talking to the genuine site and that the content has not been altered in transit, because the certificate is signed by a Certificate Authority that the browser trusts. However, when the firewall intercepts the SSL traffic to modify the content shown for https://www.youtube.com, it cannot sign the modified content with the original CA, because the firewall does not hold the private key of that CA.

Therefore, the changed content (e.g. the FortiGate replacement page) must be signed by the FortiGate's own CA certificate, and if the browser does not trust that CA, the user sees a certificate error instead of the replacement page.
Solution
To remove the certificate error, there are two possibilities:
1) Import the FortiGate CA certificate into the browser's 'Trusted Root Certification Authorities' store.
2) If a CA certificate (including its private key) that is already trusted by the browsers in the network/domain is available, it can be imported to the FortiGate and used to sign the replacement messages.
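The following script is an added example and not part of the Fortinet article. It reproduces with the openssl CLI the two situations described above: a site certificate signed by a stand-in for the FortiGate CA fails verification against an empty trust store (the certificate error the user sees), and the same certificate verifies once that CA is trusted (possibility 1). It assumes openssl is installed; "Example FortiGate CA" and www.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Fortinet article). Shows why a replacement page
# signed by the firewall's own CA triggers a certificate error until that CA is
# trusted. The CA name and site name are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1) A self-signed root standing in for the FortiGate CA. Extensions are given
#    explicitly so the result does not depend on the local openssl.cnf.
cat > "$WORK/ca_ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example FortiGate CA" \
    -keyout "$WORK/fgt_ca.key" -out "$WORK/fgt_ca.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/fgt_ca.csr" -signkey "$WORK/fgt_ca.key" -days 1 \
    -extfile "$WORK/ca_ext.cnf" -out "$WORK/fgt_ca.crt" >/dev/null 2>&1

# 2) The certificate the firewall presents for the intercepted site: issued for
#    the site's name but signed by the firewall CA, not by the site's real CA.
cat > "$WORK/site_ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/site.csr" -days 1 \
    -CA "$WORK/fgt_ca.crt" -CAkey "$WORK/fgt_ca.key" -CAcreateserial \
    -extfile "$WORK/site_ext.cnf" -out "$WORK/site.crt" >/dev/null 2>&1

# Browser WITHOUT the FortiGate CA in its trust store: no chain to a trusted
# root can be built. This is the certificate error shown instead of the
# replacement page. -no-CAfile/-no-CApath keep the system store out of it.
verify_without_ca() {
    if openssl verify -no-CAfile -no-CApath "$WORK/site.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Browser AFTER importing the FortiGate CA (possibility 1): the same
# certificate now chains to a trusted root and the replacement page renders.
verify_with_ca() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/fgt_ca.crt" \
            "$WORK/site.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# The issuer a browser would display in the certificate error: the firewall CA,
# not the site's real CA. This is how an admin confirms inspection is the cause.
issuer_of_site_cert() {
    openssl x509 -in "$WORK/site.crt" -noout -issuer
}

echo "without FortiGate CA: $(verify_without_ca)"
echo "with FortiGate CA:    $(verify_with_ca)"
issuer_of_site_cert
```

On a real client, the same check is the issuer shown in the browser's certificate details for the blocked page: if it names the FortiGate CA (or the domain CA chosen under possibility 2) rather than the site's public CA, the error is caused by inspection and is resolved by trusting that CA, not by any change on the website.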

Follow the related articles to learn how to import the CA certificate.

After the import, configure FortiGate to use this certificate for signing the replacement page:

# config user setting
set auth-ca-cert <your_CA>
end

Related Articles

Technical Tip: How to import the CA certificate for full SSL inspection

Contributors