When you use deep inspection, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient.
For deep inspection you would need to use a CERT that has Basic Constraints in the certificate saying CA=true.
You can use the default cert provided by FGT which has the CA=true Constraints or get the cert from any Public CA if they provide so.
By using the cert provided by FGT you will get the cert warning though.
Here are few ways to prevent the cert warning while using FGT's cert
FortiAnswers is the space dedicated to FortiSASE and FortiOS questions and suggestions.
1 Person is following this question.