jtorres1
Staff
September 6, 2017

Technical Tip: How to change the Captive Portal certificate
Description

 

This article provides a general guide on how to change the Captive Portal certificate when a custom certificate must be used to avoid security warnings in the browser.

This procedure assumes that the custom certificate has already been loaded onto the FortiGate and that an A record has been created in the DNS server to resolve the name used in the authentication redirect.
 
Scope
 
FortiGate.


Solution

 

  1. Set the custom certificate for the authentication portal (the 'auth-cert' setting, shown in the CLI example further down). For FortiOS v6.4.x and above, the GUI setting is under User & Authentication -> Authentication Settings.

[Screenshot: Authentication Settings, certificate selection]

 

  2. Configure the redirection so the authentication URL matches the name in the certificate (CN and SAN):

 

config firewall auth-portal

    set portal-addr fortigatename.domain.com

end


Notes:

  • A wildcard certificate (for example CN=*.domain.com, with *.domain.com also listed as a DNS SAN) is convenient because any host under the same domain is covered by the same certificate. Keep in mind that one private key then protects every host in that domain, so it must be guarded accordingly.
  • Either configure the redirection so the authentication portal URL matches the certificate (step 2), or the FortiGate will use its IP address as the captive portal URL; in that case the certificate must include this IP as an iPAddress SAN. Otherwise, Wi-Fi clients will receive a certificate warning from the browser. Note that current browsers (Chrome since version 58, for example) check the Subject Alternative Name extension and ignore the CN, so the portal name must appear as a SAN and not only as the CN.
  • In case of unexpected behavior after the certificate change, it can help to clear the related sessions and the already authenticated users.
  • Clearing users and sessions should be done during a maintenance window. The related commands are:


diagnose sys session filter policy <id>
diagnose sys session clear
diagnose firewall auth filter policy <id>
diagnose firewall auth clear

 

  • An A record must be added in the DNS server so that clients can resolve the name configured in the redirection (portal-addr) to the IP address of the FortiGate interface on which the Captive Portal is enabled.
  • Make sure that 'auth-cert' and 'auth-ca-cert' are not set up with different certificate issuers; in particular, 'auth-ca-cert' must be a CA the clients trust, because it signs the certificates the FortiGate presents when it intercepts HTTPS requests to perform the redirect. If it is not, users can still reach the captive portal, but not before receiving a browser certificate warning 'NET::ERR_CERT_AUTHORITY_INVALID' similar to the following screenshot:


[Screenshot: browser warning NET::ERR_CERT_AUTHORITY_INVALID on the captive portal redirect]

 

The following is how the configuration looks in the CLI (here with a third-party certificate as 'auth-cert' and the Fortinet factory CA as 'auth-ca-cert', the mismatched combination that produces the warning above):

config user setting
    set auth-type http https ftp telnet
    set auth-cert "3rd_party_certificate"    <- certificate from GoDaddy, Sectigo, or another public issuer
    set auth-ca-cert "Fortinet_Factory"      <- Fortinet factory CA, not trusted by clients unless installed on them
end
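To check the wildcard, SAN and IP points from the notes above before changing the configuration, here is an added Python example; it is not FortiOS code and not part of the original article. It takes the names carried by the certificate loaded as 'auth-cert' and the configured portal-addr (or the interface IP when portal-addr is unset) and reports whether a browser will accept the redirect URL without a warning. The certificate names, host names and the IP 192.0.2.1 are constructed sample values, and the class and function names are assumptions of this example.

```python
"""Pre-flight check for the captive-portal certificate.

Added example, not FortiOS code: given the names found in the certificate
loaded as 'auth-cert' and the FortiGate's 'portal-addr' / interface IP, it
reports whether a browser will accept the portal URL without a warning.
The certificate contents below are constructed sample data, not parsed
from a real certificate.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """Names carried by the certificate (constructed sample, not a parsed file)."""
    cn: Optional[str]
    dns_sans: List[str] = field(default_factory=list)   # dNSName SAN entries
    ip_sans: List[str] = field(default_factory=list)    # iPAddress SAN entries


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style matching as browsers apply it: '*' is accepted only as the
    whole leftmost label and matches exactly one label, so '*.domain.com'
    covers 'fw.domain.com' but not 'domain.com' or 'a.b.domain.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # forms like 'f*.domain.com', '*.*.com' or '*.com' are rejected
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def captive_portal_host(portal_addr: Optional[str], interface_ip: str) -> str:
    """Host part of the redirect URL: 'portal-addr' when set, otherwise the
    captive-portal interface IP (the FortiGate behaviour described in the notes)."""
    return portal_addr if portal_addr else interface_ip


def check_portal_cert(cert: CertNames, portal_addr: Optional[str],
                      interface_ip: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the URL clients will be redirected to."""
    host = captive_portal_host(portal_addr, interface_ip)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP in the URL is matched only against iPAddress SANs; neither a
        # wildcard DNS SAN nor the CN covers it.
        if any(ipaddress.ip_address(s) == ip for s in cert.ip_sans):
            return True, f"{host} is listed as an IP SAN"
        return False, (f"redirect goes to the IP {host}, which is not an IP SAN: "
                       "set portal-addr to a name in the certificate or add the IP SAN")
    if cert.dns_sans or cert.ip_sans:
        if any(dns_name_matches(san, host) for san in cert.dns_sans):
            return True, f"{host} is covered by a DNS SAN"
        return False, f"{host} does not match any DNS SAN (the CN is ignored when a SAN is present)"
    # Certificate without a SAN extension: Chrome (since version 58) and other
    # current browsers no longer fall back to the CN, so this warns regardless.
    if cert.cn and dns_name_matches(cert.cn, host):
        return False, f"{host} matches only the CN; reissue the certificate with a SAN"
    return False, f"{host} matches neither the CN nor any SAN"


if __name__ == "__main__":
    # Constructed sample: wildcard certificate CN=*.domain.com as recommended in the notes.
    wildcard = CertNames(cn="*.domain.com", dns_sans=["*.domain.com", "domain.com"])
    print(check_portal_cert(wildcard, "fortigatename.domain.com", "192.0.2.1"))  # accepted
    print(check_portal_cert(wildcard, None, "192.0.2.1"))                        # warns: IP URL
    print(check_portal_cert(wildcard, "guest.wifi.domain.com", "192.0.2.1"))     # warns: two labels
```

Run it once with the names of your own certificate before the maintenance window: the second and third sample calls show the two cases from the notes that still produce a warning even with a valid wildcard certificate, an unset portal-addr (IP URL) and a host two labels below the wildcard.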

 

The configuration can additionally include an authentication CA certificate ('auth-ca-cert'). The certificate used for this setting must be a real CA certificate: its key usage must include Certificate Signing (keyCertSign) and its basic constraints must carry CA=TRUE.

This CA is used to dynamically sign certificates for the destination the client is trying to reach. When a client that has not yet authenticated connects to an HTTPS destination, the FortiGate generates a certificate for that destination in real time, signs it with this CA and presents it to the client, so that the redirect to the authentication portal (or inspection) proceeds without an error, provided the client trusts the CA.