yashaswinits_FTNT
Article Id 197362

Description

This article looks at separating the authentication certificates on the FortiGate for the various applications that use them, such as SSL VPN and captive portal authentication.


Solution

On the FortiGate, only a single certificate can be mapped to all the authentication applications (SSL VPN, captive portal, and so on). The certificate is selected via the GUI or the CLI as follows:

Navigate to User & Devices > Authentication settings > Certificate and select a certificate from the drop-down, which lists all default certificates, all installed certificates, and wildcard certificates.
The certificate can be mapped via the CLI as follows:

FGT-Master # config user setting
FGT-Master (setting) #
FGT-Master (setting) # set auth-cert
Available certificates:
Fortinet_CA_SSL          local
Fortinet_CA_Untrusted    local
Fortinet_Factory         local
Fortinet_SSL             local
Fortinet_SSL_DSA1024     local      ----> Lists the available certificates on the FortiGate
Fortinet_SSL_DSA2048     local
Fortinet_SSL_ECDSA256    local
Fortinet_SSL_ECDSA384    local
Fortinet_SSL_RSA1024     local
Fortinet_SSL_RSA2048     local
FGT-Master (setting) # set auth-cert Fortinet_Factory

The selected certificate, Fortinet_Factory, will now be used by all the authentication applications on the FortiGate.

The drawback is that internal captive portal users will see an SSL warning.

By default, users connecting to the internal captive portal are redirected to a captive portal page whose URL contains the SSID interface IP address, as below:
where  xx.yy.zz.ww is the SSID interface IP address.

The SSL error is seen because the certificate's Common Name does not match the IP address in the captive portal URL, so the browser flags the URL as insecure. However, the certificate cannot simply be changed, because the same certificate is also used for the SSL VPN website (one common certificate serves both SSL VPN and the captive portal).
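To make the cause of the warning concrete, the following added example (not part of the original article, and not Fortinet code) applies the name-matching rules a browser uses to two constructed certificates: one whose name is only a hostname, as a device certificate typically is, and one whose Subject Alternative Name list includes the portal's IP address. The certificate dicts, the hostnames, and the redirect address 10.0.0.1 are constructed values; the dict layout is the one returned by Python's ssl.SSLSocket.getpeercert(), so a certificate captured from a real connection can be passed in the same way. It goes slightly beyond the article by also handling wildcard DNS names and the legacy Common Name fallback.

```python
"""Check whether an X.509 certificate is valid for the address an HTTPS
endpoint (here, a captive portal) is reached on.  Added example, not part
of the original article."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample certificates (illustrative values, not real FortiGate
# certificates).  The first carries a hostname only; the second carries a
# SAN list that includes an IP address and a wildcard name.
HOSTNAME_ONLY_CERT = {
    "subject": ((("commonName", "FGT-Master"),),),
    "subjectAltName": (("DNS", "FGT-Master"),),
}
SAN_WITH_IP_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (
        ("DNS", "vpn.example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "10.0.0.1"),
    ),
}


def _dns_match(pattern, host):
    """Case-insensitive DNS-ID match; a leading '*' stands for exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _common_name(cert):
    """Extract the subject CN from a getpeercert()-style dict, if present."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cert_matches_host(cert, host):
    """Return (matches, reason) for a certificate presented at `host`.

    An IP literal must appear as an 'IP Address' SAN entry; a hostname must
    match a 'DNS' SAN entry.  The CN is consulted only when the certificate
    has no DNS SAN entries at all (legacy fallback, ignored by current
    browsers)."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None

    if ip is not None:
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "IP Address SAN entry %s matches" % value
        return False, "no IP Address SAN entry for %s; a name-only certificate cannot cover an IP literal" % host

    dns_ids = [value for kind, value in san if kind == "DNS"]
    for pattern in dns_ids:
        if _dns_match(pattern, host):
            return True, "DNS SAN entry %s matches" % pattern
    if not dns_ids:
        cn = _common_name(cert)
        if cn and _dns_match(cn, host):
            return True, "CN %s matches (legacy fallback, no DNS SAN present)" % cn
    return False, "no DNS SAN entry (or CN fallback) matches %s" % host


def check_portal_url(cert, url):
    """Evaluate the certificate against the host part of a redirect URL."""
    host = urlsplit(url).hostname or ""
    ok, reason = cert_matches_host(cert, host)
    return {"host": host, "matches": ok, "reason": reason}


if __name__ == "__main__":
    # Constructed redirect URL: an SSID interface address on the default
    # HTTPS authentication port 1003.
    for name, cert in (("hostname-only", HOSTNAME_ONLY_CERT),
                       ("san-with-ip", SAN_WITH_IP_CERT)):
        print(name, check_portal_url(cert, "https://10.0.0.1:1003/"))
```

Running it shows the hostname-only certificate failing for the IP-addressed portal URL while matching its own name, and the certificate with an IP Address SAN entry passing. This is the same check a browser performs before showing the warning described above: the address in the redirect URL is an IP literal, and a certificate issued to a hostname has no entry that can cover it.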

Workaround

1) There should be a way to separate the authentication certificates on the FortiGate, so that the certificate used for SSL VPN and the certificate used for the WiFi captive portal can be chosen independently.
 
2) Use HTTP instead of HTTPS to avoid the SSL warning for captive portal users. The relevant settings are auth-secure-http, which controls whether HTTP user authentication is redirected to HTTPS, and auth-https-port, the port used for HTTPS user authentication. Note that over plain HTTP the captive portal login form and the credentials entered into it travel in clear text on the wireless segment.

config user setting
    set auth-secure-http enable  (default = disable)
end

config system global
    set auth-https-port 1442 (default = 1003)
end