Resolving the "Root Certificate for Fortinet is Required but Not Installed" Error: A Comprehensive Guide for Enterprise Network Administrators
The "Root certificate for Fortinet is required but isn't installed" error message has become a common challenge for network administrators managing Fortinet security appliances, particularly FortiGate firewalls. This error typically manifests when users attempt to access HTTPS websites through a network protected by Fortinet's Deep Inspection capabilities, causing browsers to display security warnings and potentially blocking access to legitimate business resources.
According to technical discussions in the Fortinet Community Forums and Spiceworks, this issue spans multiple FortiOS versions, from 5.4 to the recent 6.4 releases, affecting organizations worldwide. The error fundamentally indicates a trust breakdown between the FortiGate's SSL inspection mechanism and the client devices attempting to access protected resources.
Root Causes of the Fortinet Certificate Error
Deep Inspection Architecture Challenges
The primary cause stems from FortiGate's Deep Inspection feature, which functions as a man-in-the-middle security mechanism. When enabled, the FortiGate decrypts SSL/TLS traffic, inspects it for threats, re-encrypts it, and presents its own certificate to the client. This process requires client devices to trust the FortiGate's certificate authority.
As noted in the Fortinet Community forums: "This mostly happens when Deep Inspection is used in the firewall policy & if the Client does not recognize the certificate coming from the FortiGate."
Certificate Expiration and Known Software Issues
A significant trigger for this error emerged with FortiOS version 6.4.6, where multiple users reported sudden certificate warnings after upgrades. The Fortinet documentation identifies this as a known issue (tracking ID 750551) related to expiring Let's Encrypt certificates, with official fixes implemented in versions 6.4.8, 7.0.4, and 7.2.0.
Service-Specific Inspection Conflicts
The error can appear inconsistently across different Google services, as highlighted in Spiceworks discussions: "google.com and gmail.com works with no issues... but if users click a link... that starts with drive.google.com then it has the certificate error." This behavior stems from Google's authentication services being explicitly designed to reject content inspection.
Comprehensive Solutions for Certificate Trust Issues
Method 1: Proper Certificate Installation on Client Devices
The most reliable solution involves installing the FortiGate's SSL inspection certificate into the client's trusted root store:
- Access the FortiGate Certificate: Navigate to System > Certificates on the FortiGate interface and locate the CA certificate (typically named "Fortinet_CA_SSL" or similar)
- Export the Certificate: Download the certificate file to the client device
- Install System-Wide: Import the certificate to the Trusted Root Certification Authorities store, ensuring it applies to all users and browsers
- Verify Installation: Confirm the certificate appears in the trusted store and shows as valid
Method 2: Bypass Inspection for Specific Services
For services incompatible with SSL inspection, create explicit exceptions:
Google's authentication infrastructure requires special handling. As documented in the Spiceworks thread, Google maintains an official allowlist of domains that must bypass SSL inspection, particularly those handling authentication and sensitive user data.
Create firewall policies or web filtering exceptions for:
- accounts.google.com
- drive.google.com (for specific authentication flows)
- *.googleapis.com
- gstatic.com
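A way to audit whether the exceptions above actually cover the URLs users report as failing, as an added example and not FortiGate configuration. The matching rules it applies (a bare entry covers exactly that host, a `*.` entry covers every subdomain but not the apex) and the sample URLs are assumptions.

```python
"""Audit which URLs a deep-inspection bypass list actually exempts. Added example,
not FortiGate configuration; the matching rules (a bare entry covers exactly that host,
a '*.' entry covers every subdomain but not the apex) are an assumption about how the
exemptions behave, not documented FortiOS semantics."""
from urllib.parse import urlsplit

# The bypass entries listed under Method 2.
BYPASS_ENTRIES = ["accounts.google.com", "drive.google.com", "*.googleapis.com", "gstatic.com"]

# Constructed sample URLs modelled on the Spiceworks report quoted above (not real traffic).
SAMPLE_URLS = [
    "https://www.google.com/",
    "https://mail.google.com/mail/",
    "https://drive.google.com/file/d/EXAMPLE/view",
    "https://accounts.google.com/signin",
    "https://www.googleapis.com/drive/v3/files",
    "https://ssl.gstatic.com/docs/icon.png",
]

def host_matches(host, entry):
    """True if one bypass entry covers `host` under the assumed matching rules."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])       # ".googleapis.com" suffix: subdomains only
    return host == entry

def is_bypassed(url, entries=BYPASS_ENTRIES):
    """Would a request to this URL skip SSL inspection?"""
    host = urlsplit(url).hostname or ""
    return any(host_matches(host, e) for e in entries)

def audit(urls, entries=BYPASS_ENTRIES):
    """Map each URL to 'bypassed' or 'inspected' so gaps in the exemption list stand out."""
    return {u: ("bypassed" if is_bypassed(u, entries) else "inspected") for u in urls}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_URLS).items():
        print(f"{verdict:9} {url}")
```

Running it against the sample list shows that ssl.gstatic.com is still inspected, because under these rules the bare gstatic.com entry only matches the apex host.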
Method 3: Upgrade FortiOS to Resolve Known Issues
Organizations running affected versions should plan upgrades according to Fortinet's guidance:
| Affected Version | Recommended Resolution |
|---|---|
| 6.4.6, 6.4.7 | Upgrade to 6.4.8 or later |
| 7.0.0-7.0.3 | Upgrade to 7.0.4 or later |
| 7.2.0 (specific cases) | Upgrade to 7.2.1+ |
Method 4: Toggle Inspection Mode as Temporary Workaround
For immediate relief before implementing permanent solutions, administrators can modify the inspection method:
- Navigate to the affected firewall policy
- Locate SSL/SSH Inspection settings
- Switch from Proxy-based to Flow-based inspection
- Test connectivity to verify resolution
As noted in the Fortinet Community, this workaround proved effective: "It appears by going to flow-based instead of proxy-based on the policy did the trick for a work around."
Enterprise Best Practices for Certificate Management
Implementing a Corporate PKI Strategy
Rather than relying on self-signed certificates, organizations should consider implementing their own Public Key Infrastructure (PKI) with certificates from trusted commercial CAs. This approach ensures broader compatibility and easier management across enterprise endpoints.
Centralized Certificate Deployment
For organizations with multiple clients, leverage Group Policy Objects (GPO) in Windows environments or mobile device management (MDM) solutions to push certificates automatically, eliminating manual installation requirements and reducing support tickets.
Regular Certificate Audits
Establish a routine audit process to:
- Monitor certificate expiration dates
- Verify proper installation on all managed devices
- Document exceptions for services requiring inspection bypass
- Review inspection policies for business-critical applications
Frequently Asked Questions
Why does the error only appear on some websites and not others?
This typically occurs because certain websites, particularly Google authentication services, implement certificate pinning or employ technologies that conflict with SSL inspection. Additionally, some sites may use certificate features that don't translate properly through the FortiGate's inspection process.
Is it safe to install the FortiGate certificate on all client devices?
Yes, when properly implemented. The FortiGate certificate essentially tells clients to trust the FortiGate to inspect their traffic. This is safe within your managed network environment, though you should ensure the FortiGate itself is properly secured and managed by trusted administrators.
Will upgrading FortiOS automatically resolve all certificate issues?
While upgrading addresses known bugs (like the Let's Encrypt expiration issue), it won't automatically install certificates on client devices. You'll still need to ensure proper certificate distribution to endpoints, though newer versions may offer improved management features.
How can I identify which certificate is causing the error?
In most browsers, clicking the "Not Secure" warning or lock icon in the address bar will display certificate details. Look for certificates issued by "Fortinet_CA_SSL" or similar Fortinet-related names. The error message itself typically indicates it's seeking a Fortinet root certificate.
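A scripted version of this check, which also serves as the "Verify Installation" step of Method 1: it connects to a host with the client's own trust store, reports whether the chain was re-signed by the FortiGate, and, if verification fails, retries trusting only the exported FortiGate CA file to tell a missing root apart from other failures. Added example, not Fortinet code; the name markers, the sample certificate and the CA file path are assumptions.

```python
"""Diagnose the "root certificate for Fortinet is required" condition for one HTTPS
host. Added example, not Fortinet code: the name markers, the sample certificate and
the CA file path are assumptions (export Fortinet_CA_SSL from System > Certificates)."""
import socket
import ssl
import time

FORTINET_MARKERS = ("fortinet", "fortigate")  # assumed substrings of the inspection CA's name

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_PEERCERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Fortinet"),),
               (("commonName", "Fortinet_CA_SSL"),)),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

def issuer_cn(cert):
    """Issuer commonName from getpeercert()'s nested RDN tuples, or None."""
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "commonName"), None)

def classify(cert, now=None):
    """Was this verified certificate re-signed by the FortiGate CA, and has it expired?"""
    now = time.time() if now is None else now
    cn = issuer_cn(cert) or ""
    return {
        "issuer": cn,
        "inspected": any(m in cn.lower() for m in FORTINET_MARKERS),
        "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < now,
    }

def fetch_cert(host, cafile=None, port=443, timeout=5.0):
    """Connect trusting the system store (or only `cafile`); None if the chain fails."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None

def diagnose(host, fortinet_ca_file=None):
    """One-line verdict: why does (or doesn't) this host raise the Fortinet root error?"""
    cert = fetch_cert(host)
    if cert is not None:
        info = classify(cert)
        return "trusted; " + ("inspected by " + info["issuer"] if info["inspected"] else "not inspected")
    if fortinet_ca_file and fetch_cert(host, cafile=fortinet_ca_file) is not None:
        return "inspected, but the FortiGate CA is missing from this client's trust store"
    return "verification failed for another reason; check pinning and the bypass list"
```

Call `diagnose("www.example.com", "Fortinet_CA_SSL.cer")` from a client behind the FortiGate; a "trusted; inspected by Fortinet_CA_SSL" result confirms the root was installed correctly.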
Can I disable SSL inspection instead of installing certificates?
While technically possible, this significantly reduces security posture by allowing encrypted threats to bypass inspection. A better approach is selective bypass for specific services combined with proper certificate deployment for general traffic.
Conclusion
The "Root certificate for Fortinet is required" error represents a manageable challenge in enterprise network security management. By understanding the interplay between FortiGate's Deep Inspection features, client trust stores, and service-specific requirements, administrators can implement lasting solutions that maintain security while ensuring seamless user access.
The key to resolution lies in a layered approach: proper certificate deployment establishes baseline trust, strategic upgrades address platform-specific bugs, and intelligent inspection exceptions accommodate services incompatible with content inspection. Organizations implementing these practices will find the error becomes a rare occurrence rather than a recurring support burden.
As Fortinet continues evolving its platforms, staying current with recommended versions and maintaining awareness of service provider requirements (like Google's inspection policies) will remain essential for smooth network operations and robust security posture.