GohanC
Explorer III
February 25, 2022
Solved

SSL Certificate for Fortigate and FortiAuthenticator

  • February 25, 2022
  • 1 reply
  • 3444 views

Hello Team,

We’d like to acquire an SSL certificate to use in the Guest Portal of FortiAuthenticator, but I have some doubts:

- Does the certificate need to be issued to a public domain (publicly DNS-resolvable), or could I use a local domain (mycompany.local)?

For example, would issuing the certificate to the CN fac.mycompany.local work? I ask because the company doesn't have a public domain (mycompany.com, for example).

The second and last doubt is whether I can use a wildcard certificate, for example one issued to *.mycompany.local. Is that possible in the FortiAuthenticator? And in the FortiGate, is it possible to use a wildcard certificate too?

Cheers,

Gui

Best answer by Debbie_FTNT
1 reply

Debbie_FTNT
Staff & Editor
February 25, 2022

Dear Gui,

- You can set any server certificate on FortiAuthenticator you want

-> your clients simply need to trust it

-> ideally, you want to ensure that the certificate subject matches the FortiAuthenticator hostname (if your users access the captive portal via hostname) or that the Subject Alternative Name includes the FortiAuthenticator's IP

-> if you go the hostname route, your clients need to be able to resolve it (via an internal DNS for example)
-> You can use the same wildcard certificate for FortiAuthenticator and FortiGate, provided their hostnames match the wildcard certificate
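To make the matching rules in this answer concrete (subject or SAN must match the hostname, an IP SAN for IP access, one wildcard covering both devices), here is an added Python example with constructed certificate data; it is not code from the thread or from Fortinet, and the dict layout for the certificate fields is an assumption of the example:

```python
# Added example (not from the thread or from Fortinet): hostname / IP matching
# against a server certificate's names, the way browsers do it (RFC 6125/2818).
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if a DNS name from the certificate (possibly a wildcard) matches
    hostname.  The wildcard is accepted only as the whole leftmost label and
    matches exactly one label, so *.mycompany.local covers fac.mycompany.local
    but neither mycompany.local nor portal.guest.mycompany.local."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or any("*" in lbl for lbl in p[1:]):
        return False                      # wildcard allowed in leftmost label only
    if "*" in p[0] and (p[0] != "*" or len(p) < 3):
        return False                      # reject partial "f*c" and "*.local"
    return all(a == "*" or a == b for a, b in zip(p, h))


def cert_covers(cert: dict, target: str) -> bool:
    """Does the certificate identify the host the client typed in?
    cert is a constructed stand-in for parsed certificate fields:
      {"cn": str, "dns_sans": [str], "ip_sans": [str]}
    Browsers fall back to the CN only when the cert has no DNS SANs, which is
    why the SAN list, not just the subject, has to carry the names and IP."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(s) for s in cert.get("ip_sans", []))
    names = cert.get("dns_sans") or [cert.get("cn", "")]
    return any(dns_name_matches(n, target) for n in names)


# Constructed data: one wildcard cert shared by FortiAuthenticator and FortiGate
# (as the answer above allows), with the FortiAuthenticator IP in the SAN list.
WILDCARD_CERT = {"cn": "*.mycompany.local",
                 "dns_sans": ["*.mycompany.local"],
                 "ip_sans": ["10.0.0.5"]}

if __name__ == "__main__":
    for host in ["fac.mycompany.local", "fgt.mycompany.local", "10.0.0.5",
                 "mycompany.local", "portal.guest.mycompany.local", "10.0.0.6"]:
        print(f"{host:30} {'OK' if cert_covers(WILDCARD_CERT, host) else 'MISMATCH'}")
```

Clients that reach the portal by IP only pass if that IP is in the SAN list, and a name one label deeper than the wildcard fails, which is what the "hostnames must match the wildcard" condition above means in practice.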

GohanC (Author)
Explorer III
February 25, 2022

Hello Debbie,

I hope you are doing very well.

Thanks for your reply.

So, even with a certificate issued by a trusted (public) CA, I can insert a hostname with a .local domain, correct? I was thinking that a public certificate only works with public domains.

Since we will use this certificate for guest users, we will acquire a certificate from a trusted CA, like DigiCert, so that the guests' browsers natively trust the certificate.

Debbie_FTNT
Staff & Editor
February 25, 2022

That should work, to my knowledge; your clients do need an internal DNS, though, to resolve the .local domain of FortiAuthenticator/FortiGate.