ebilcari
Staff
February 13, 2026

Technical Tip: Correctly upload a certificate and its trust chain in the Captive Portal

Description

 

This article describes how to properly upload certificates in FortiNAC and apply them to the Captive Portal, and it also shows several verification steps. If the certificate is not fully trusted by the end host, portal redirection or portal page loading may fail with an untrusted certificate error that disrupts normal portal activity. The same rules also apply to the Persistent Agent service.

 

Scope

 

FortiNAC.

 

Solution

 

Later versions of FortiNAC support the Captive Portal only in SSL mode, which is why a valid certificate trusted by the end host is required. Certificates usually include more than one CA in their trust chain, and an intermediate CA is often used to sign the certificate. When uploading the files, make sure to select the correct ones; the file names may differ and are not relevant.

 

Portal certificate chain.PNG

 

After the certificates are uploaded, verify the trusted chain is properly shown:

 

uploaded chain.png

 

Client trust‑chain certificate verification can also be emulated from the FortiNAC CLI by using the built‑in OpenSSL client tool, as shown below:

 

fnac74p # execute enter

fnac74p:~$ openssl s_client -showcerts -connect fnac74.eb.eu:443
CONNECTED(00000003)
depth=2 C = DE, ST = Hesse, L = Offenbach, O = Fortinet, OU = FNAC, CN = fw.eb.eu, emailAddress = ebilcari@fortinet.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = DE, ST = Hesse, L = Frankfurt, O = Fortinet, OU = TAC, CN = 3rd.eb.eu, emailAddress = ebilcari@fortinet.com
verify return:1
depth=0 C = DE, ST = Hesse, L = Frankfurt, O = Fortinet, OU = TAC, CN = fnac74.eb.eu
verify return:1

 

Verification of the trust chain on the end host.

 

In this example, an Android smartphone is used. The end host must already have the CA included in its trusted store, as it will be used to complete the trust chain.

 

trust chain mobile.jpg

 

The same verifications from the browser and the CA trust store on a Windows host:

 

trust chain windows host.png

 

Note:

Usually, the portal will use a publicly signed certificate issued by a certificate authority (CA) that is already pre‑installed in the end host's Trusted CA store. In this case, only the intermediate CAs need to be properly uploaded into FortiNAC. Typically, the intermediate CAs are provided by the certificate‑signing authority.
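
The effect described in this note can be reproduced offline with OpenSSL before any files are uploaded. The script below is an added example, not part of the original article or of FortiNAC: it builds a constructed throwaway root, intermediate and portal certificate (all subjects, file names and helper names are assumptions) and checks whether a host that trusts only the root accepts the portal certificate with and without the intermediate.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (root -> intermediate -> portal).
# Subjects, file names and the helper names are assumptions for this demo.
make_demo_pki() {   # $1 = empty working directory
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: the only certificate the simulated end host trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/pki.cnf" \
    -extensions ca -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -set_serial 2 -days 2 -extfile "$1/pki.cnf" -extensions ca \
    -out "$1/int.pem" 2>/dev/null &&
  # Portal (leaf) certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -subj "/CN=portal.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -set_serial 3 -days 2 -extfile "$1/pki.cnf" -extensions leaf \
    -out "$1/leaf.pem" 2>/dev/null
}

# check_chain ROOT LEAF [INTERMEDIATES]: succeeds only if LEAF chains to ROOT
# using nothing beyond the intermediates the server would present.
check_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

demo=$(mktemp -d) && make_demo_pki "$demo"
check_chain "$demo/root.pem" "$demo/leaf.pem" || echo "portal cert alone: rejected"
check_chain "$demo/root.pem" "$demo/leaf.pem" "$demo/int.pem" && echo "with intermediate: trusted"
```

To check real files, call check_chain with the root CA file, the portal certificate and a file holding the intermediate CA certificates in PEM format.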

 
