husain
New Contributor

Root certificate not installed

Hi All

I am facing a problem with one computer in my network: the Internet is not working on many sites, and it shows me this message:

A root certificate for "Fortinet" is required but isn’t installed

I tried with Google Chrome, Internet Explorer, and Edge, but I face the same problem in all browsers.

Any suggestion?

Thank you

husain
New Contributor

solved 

MichaelS

Do you mind sharing the fix?

mzainuddinahm

Hello MichaelS,

This mostly happens when Deep Inspection is used in the firewall policy and the client does not recognize the certificate coming from the FortiGate. Can you elaborate more about the issue with firmware version, policy details, UTMs used etc.?

Best Regards,

Mohammed Ahmed

MZA
bigkeoni64
Contributor

Hello - I am experiencing this same issue at 6.4.6 - can you tell us how you solved it? I have multiple people reporting this issue.

 

Thanks...

gfleming

You need to download the root certificate from the FortiGate and install it on the endpoint's certificate store and mark it as trusted.

Ideally you install your own certificate from your own trusted PKI and do it that way.

Lots of good info here:

https://docs.fortinet.com/document/fortigate/7.0.6/administration-guide/122078/deep-inspection

And here: https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/598577/ssl-tls-deep-inspection

And here: https://docs.fortinet.com/document/fortigate/6.2.11/cookbook/680736/microsoft-ca-deep-packet-inspect...

Cheers,
Graham
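
One way to carry out the step described in the reply above on a Windows endpoint, as an added example that is not part of the original post or Fortinet's own tooling: it checks the exported CA file before trusting it. The file path and the expected thumbprint are assumptions supplied by whoever runs it.

```powershell
# Added example: verify, then trust, the CA certificate the FortiGate uses for deep inspection.
# Run in an elevated PowerShell session on the affected Windows endpoint.
param(
    # Assumption: the CA certificate was exported from the FortiGate to this file.
    [Parameter(Mandatory)] [string] $CertPath,
    # Assumption: SHA-1 thumbprint of that CA, obtained from the firewall admin out of band.
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)

$ErrorActionPreference = 'Stop'
$file = (Resolve-Path -LiteralPath $CertPath).ProviderPath
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

# 1. Confirm this is the certificate you were told to trust, not just any file.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# 2. A deep-inspection certificate must be a CA (basicConstraints CA=TRUE).
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Not a CA certificate: $($cert.Subject)"
}

# 3. An expired or not-yet-valid CA will not fix the browser warning.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 4. Install into the machine-wide Trusted Root store only if it is not already there.
$storePath = "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
if (Test-Path -LiteralPath $storePath) {
    Write-Output "Already trusted: $($cert.Subject)"
} else {
    Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Output "Installed: $($cert.Subject), valid until $($cert.NotAfter)"
}
```
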
bigkeoni64
Contributor

Interesting, I wonder how this could have changed since my client had not done anything. All I did was an upgrade from 6.2.7 > 6.4.6 per the upgrade path.

Is it possible that the Cert. could have expired?

bigkeoni64
Contributor

I do thank you for passing on this info. Certificates are not my strong suit.

mzainuddinahm

Hello bigkeoni64,

I believe you are experiencing the issue as described here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Expiring-Let-s-Encrypt-Certificates/ta-p/1...

Known issue in 6.4.7: https://docs.fortinet.com/document/fortigate/6.4.7/fortios-release-notes/236526/known-issues - 750551

A further check of the website you are visiting shows expired:

DST Root CA X3 - https://www.ssllabs.com/ssltest/analyze.html?d=corehotelsandresorts.com

Kindly visit the KB and apply the provided workarounds. The issue was fixed from 6.4.8, 7.0.4 & 7.2.0.

 

Regards,

Mohammed Ahmed

MZA
bigkeoni64
Contributor

We will be going to 6.4.8 > 6.4.9 tonight.

It appears that going to flow-based instead of proxy-based on the policy did the trick as a workaround.

Is there a reason why you wouldn't want to use flow-based ALL the time?
