Administrators should not rely on users installing self-signed certificates. The best practice is to purchase a valid SSL certificate (e.g., from GoDaddy, Comodo, or Let's Encrypt) and upload it to the FortiGate.
If the FortiGate sends only the Server Certificate without the Intermediate CA, FortiClient cannot link the server certificate back to the trusted Root CA. It’s like being asked to verify a photocopy of an ID without seeing the original seal.
3. Disable "Warn on Invalid Server Certificate" (Temporary Fix)
Keep http://neverssl.com bookmarked. It forces any captive portal to show up without HTTPS interference.