Technical Tip: Renew Fortinet_Wifi built-in certificate
Description
This article describes how to install a new certificate when the built-in Fortinet_Wifi certificate has expired, and how to keep it from expiring.
Scope
FortiGate/FortiWiFi.
Solution
Starting with FortiOS 6.0.1, the 'Fortinet_Wifi' certificate is updated periodically and automatically through FortiGuard.
An expired certificate can break WiFi authentication on FortiGate and FortiWiFi devices that use SSIDs with WPA2 Enterprise security and authenticate users against local user groups: in that setup the FortiGate itself acts as the EAP server and presents the Fortinet_Wifi certificate to the wireless client, and most supplicants reject an expired server certificate.
SSID configuration example:
From the GUI (the screenshot from the original article is not reproduced here):
From the CLI:
show wireless-controller vap wifi
config wireless-controller vap
edit "wifi"
set vdom "root"
set ssid "CertTest-WPA2"
set security wpa2-only-enterprise
set auth usergroup
set usergroup "LOCALS"
set schedule "always"
next
end
show user group LOCALS
config user group
edit "LOCALS"
set member "userlocal"
next
end
show user local userlocal
config user local
edit "userlocal"
set type password
set passwd-time 2019-05-19 06:51:10
set passwd ENC AmbnT416FswGb1me/sdLbivJ+oCg1QGmrLJToQVJEPJGbdIp8cx8Oheg7/j4UXVh4LFRS6viSbJfY93zKOUybUi1GQIJN9Sk4DDJnlu406kygucIu7HW2jRPfBquQV6L8MIRLf5ZHUt25YoaQ0cP+zfJOO7BWCAzgxI6gJR+BNVFBYG8aeWPCpHm+P3sG2K1OD5WEg==
next
end
Certificate validity (the Valid From and Valid To dates) can be checked from the GUI under System -> Certificates -> Fortinet_Wifi. The Certificates page is only shown if it is enabled under System -> Feature Visibility.
There are several options to replace an expired Fortinet_Wifi certificate or to prevent it from expiring in the first place.
Option 1: Create a new certificate.
Generate a certificate signing request (CSR) for the new certificate on the FortiGate from System -> Certificates (the screenshot from the original article is not reproduced here).
Then have the CSR signed as an intermediate non-signing CA certificate by the internal CA or a third-party CA, import the signed certificate on the FortiGate, and select it as the WiFi certificate (config system global, set wifi-certificate) so that the built-in EAP server presents the new certificate instead of the expired Fortinet_Wifi one. Make sure the CA that signed it is trusted by the wireless clients, otherwise they will reject the new certificate just as they rejected the expired one.
Further details can be found on the Fortinet documentation site under Replacing the Fortinet_Wifi certificate.
Option 2: Upgrade to the latest FortiOS firmware.
Starting with FortiOS 6.0.1, and likewise in v7.0.x, v7.2.x, v7.4.x and v7.6.x, the built-in Fortinet_Wifi certificate is updated periodically and automatically through FortiGuard as part of the Certificate Bundle object. This requires that the unit can reach FortiGuard. Upgrading the firmware also renews an expired built-in certificate, because a newer firmware image ships with a newer certificate bundle.
Option 3: Manually update the certificate bundle.
For offline units that cannot connect to FortiGuard, the certificate bundle can be updated manually from a TFTP server. Fortinet TAC can provide the certificate bundle package.
To view the current certificate bundle installed in the FortiGate, run the following command:
diagnose autoupdate versions | grep -A6 "Certificate Bundle"
Certificate Bundle
---------
Version: 1.00056 <----- Current version installed.
Contract Expiry Date: n/a
Last Updated using manual update on Tue Feb 25 15:00:00 2025
Last Update Attempt: n/a
Result: Updates Installed
To manually import a more recent bundle, use the following command:
execute vpn certificate ca import bundle <CA bundle filename with .pkg extension> <TFTP server IP>
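As an added example (not Fortinet code), the Python script below parses the Certificate Bundle section of the diagnose autoupdate versions output shown above and flags a unit whose bundle is below a required version or has not been updated within a given number of days. This is useful when the output has been collected from many offline units and someone has to decide which of them need a manual bundle import. The sample output embedded in the script is constructed from the article's own sample; the extra AV Engine section, the minimum version and the age threshold are assumptions chosen for illustration.

```python
"""Parse the 'Certificate Bundle' section of FortiOS 'diagnose autoupdate versions'
and decide whether a FortiGate needs a manual certificate bundle import.

Added example; not Fortinet code. The output format is modelled on the sample in
the article; the AV Engine block and the thresholds are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample output. A second section precedes the one we care about so
# the parser has to locate the right block rather than simply take the first.
SAMPLE_OUTPUT = """\
AV Engine
---------
Version: 7.00033
Contract Expiry Date: n/a
Last Updated using scheduled update on Mon Feb 24 09:12:30 2025
Last Update Attempt: Tue Feb 25 15:00:00 2025
Result: No Updates

Certificate Bundle
---------
Version: 1.00056
Contract Expiry Date: n/a
Last Updated using manual update on Tue Feb 25 15:00:00 2025
Last Update Attempt: n/a
Result: Updates Installed
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"          # e.g. "Tue Feb 25 15:00:00 2025"
# This line does not follow the 'Key: value' pattern, so it is matched separately.
LAST_UPDATED = re.compile(r"^Last Updated using (\S+) update on (.+)$")


def parse_section(output: str, name: str) -> dict:
    """Return the fields of the section headed by `name` as a dict."""
    lines = output.splitlines()
    if name not in lines:
        raise KeyError(f"section {name!r} not found in output")
    fields = {}
    for line in lines[lines.index(name) + 1:]:
        if not line.strip():
            break                                # a blank line ends the section
        if line.startswith("---"):
            continue                             # underline below the heading
        m = LAST_UPDATED.match(line)
        if m:
            fields["Update Method"] = m.group(1)  # 'manual' or 'scheduled'
            fields["Last Updated"] = m.group(2)
            continue
        key, sep, value = line.partition(":")    # first colon separates key/value
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def version_tuple(version: str) -> tuple:
    """'1.00056' -> (1, 56) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_certificate_bundle(output: str, min_version: str,
                             max_age_days: int = 90, now: str = None) -> dict:
    """Flag a bundle that is below `min_version` or was last updated more than
    `max_age_days` ago. `now` is an ISO date/time string (default: current time)."""
    fields = parse_section(output, "Certificate Bundle")
    installed = fields["Version"]
    last_updated = datetime.strptime(fields["Last Updated"], TIME_FMT)
    reference = datetime.fromisoformat(now) if now else datetime.now()
    age = reference - last_updated
    outdated = version_tuple(installed) < version_tuple(min_version)
    stale = age > timedelta(days=max_age_days)
    return {
        "version": installed,
        "update_method": fields.get("Update Method", "unknown"),
        "last_updated": last_updated.isoformat(),
        "age_days": age.days,
        "outdated": outdated,
        "stale": stale,
        "needs_action": outdated or stale,
    }


if __name__ == "__main__":
    # Minimum version and age threshold are assumptions for this example.
    result = check_certificate_bundle(SAMPLE_OUTPUT, min_version="1.00056")
    for key, value in result.items():
        print(f"{key}: {value}")
```

In practice the output would be captured over SSH from each unit and fed to check_certificate_bundle with the bundle version TAC has provided as min_version; a unit reported as needs_action is a candidate for the manual import command above. Note that the Last Updated field only says when the bundle was installed, not when the certificate inside it expires, so the version check is the more reliable of the two signals.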
For more information, go to Technical Tip: Renew Certificate Expired on FortiGate.
Technical Support Contact Information can be found in FortiCare Support: Customer Service.
Fortinet Technical Support home page can be found in Welcome to Fortinet Support.