Description
This article looks at the separation of authentication certificates on the FortiGate for various applications such as SSL VPN and captive portal authentication.
Solution
Only a single authentication certificate can be set on the FortiGate, and that one certificate is used by all the authentication-facing applications (SSL VPN, captive portal and so on). It can be set from the GUI or from the CLI as follows:
GUI: navigate to User & Devices > Authentication settings > Certificate and pick a certificate from the drop-down list, which shows the default Fortinet certificates, all installed certificates and any wildcard certificates.
The certificate can be mapped via CLI as follows:
FGT-Master # config user setting
FGT-Master (setting) #
FGT-Master (setting) # set auth-cert
Available certificates:
Fortinet_CA_SSL local
Fortinet_CA_Untrusted local
Fortinet_Factory local
Fortinet_SSL local
Fortinet_SSL_DSA1024 local ----> Lists the available certificates on the FortiGate
Fortinet_SSL_DSA2048 local
Fortinet_SSL_ECDSA256 local
Fortinet_SSL_ECDSA384 local
Fortinet_SSL_RSA1024 local
Fortinet_SSL_RSA2048 local
FGT-Master (setting) # set auth-cert Fortinet_Factory
The certificate Fortinet_Factory will now be used by every authentication-facing application on the FortiGate.
The drawback is that users of the internal captive portal will see an SSL certificate warning.
By default, users connecting to the internal captive portal are redirected to a captive portal URL that uses the SSID interface IP address rather than a hostname; that address is written as xx.yy.zz.ww below.
The warning appears because the certificate's Common Name (and Subject Alternative Names) do not match the IP address in the captive portal URL, so the browser reports the connection as not secure. The certificate cannot simply be swapped for one matching that address, because the same certificate also serves the SSL VPN portal (one common certificate is used for SSL VPN and captive portal).
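The mismatch described above is a name-matching failure, so it helps to see the exact rules a browser applies. The following Python is an added example, not code from the original article or from Fortinet: it implements the RFC 6125 / RFC 2818 reference-identity checks and runs them against constructed certificate descriptors. The certificate labels, Common Names, hostnames and the 10.10.10.1 address are assumptions for illustration only. It shows why a certificate whose only identity is a Common Name can never match an IP-literal URL, whatever the CN contains, why a wildcard certificate does not help the captive portal either, and what a single certificate would have to carry to satisfy both the SSL VPN hostname and the SSID interface address.

```python
"""Decide whether a browser would warn about a captive-portal / SSL VPN certificate.

Implements the RFC 6125 / RFC 2818 reference-identity rules browsers apply:
  * an IP literal in the URL must equal an iPAddress SAN (the CN is never used);
  * a DNS name must match a dNSName SAN; a wildcard is allowed only as the
    whole left-most label and matches exactly one label;
  * the Subject CN is consulted only when the certificate carries no dNSName
    SAN at all, and only if the caller opts in (modern Chrome never does).
All certificate descriptors below are constructed, not real FortiGate certificates.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """The identity-bearing parts of a server certificate (constructed)."""
    name: str                                    # label used in reports
    common_name: str                             # Subject CN
    dns_sans: list = field(default_factory=list)  # dNSName SAN entries
    ip_sans: list = field(default_factory=list)   # iPAddress SAN entries


def _dns_label_match(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 section 6.4.3)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire left-most label, must leave at least two
    # fixed labels, and matches exactly one label of the hostname.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def matches(cert: CertIdentity, url_host: str, allow_cn_fallback: bool = False) -> bool:
    """True if url_host (IP literal or DNS name) is a valid identity for cert."""
    try:
        ip = ipaddress.ip_address(url_host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: only an iPAddress SAN counts. A CN that happens to contain
        # the dotted address is ignored by every current browser.
        return any(ip == ipaddress.ip_address(s) for s in cert.ip_sans)
    if any(_dns_label_match(p, url_host) for p in cert.dns_sans):
        return True
    if cert.dns_sans or not allow_cn_fallback:
        return False
    return _dns_label_match(cert.common_name, url_host)


def browser_warning(cert: CertIdentity, url_host: str, allow_cn_fallback: bool = False) -> str:
    """One-line verdict for a report."""
    ok = matches(cert, url_host, allow_cn_fallback)
    return f"{cert.name} for {url_host}: {'OK' if ok else 'WARNING (name mismatch)'}"


# Constructed examples; none of these values come from a real FortiGate.
FACTORY_STYLE = CertIdentity("factory-style", common_name="FGT-SERIAL-PLACEHOLDER")
WILDCARD = CertIdentity("wildcard", common_name="*.example.corp", dns_sans=["*.example.corp"])
PORTAL_WITH_IP = CertIdentity("portal+ip", common_name="vpn.example.corp",
                              dns_sans=["vpn.example.corp", "portal.example.corp"],
                              ip_sans=["10.10.10.1"])


def report(captive_portal_ip: str = "10.10.10.1", sslvpn_host: str = "vpn.example.corp"):
    """Run every constructed certificate against the two URLs the article discusses."""
    lines = []
    for cert in (FACTORY_STYLE, WILDCARD, PORTAL_WITH_IP):
        lines.append(browser_warning(cert, captive_portal_ip))   # captive portal by IP
        lines.append(browser_warning(cert, sslvpn_host))         # SSL VPN by hostname
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running it prints one verdict per certificate and URL. Two practical consequences follow: an IP in the portal URL is satisfied only by an iPAddress SAN, so neither the factory certificate nor a wildcard certificate can ever be warning-free for the captive portal; and a certificate listing both the SSL VPN hostname (dNSName SAN) and the SSID interface address (iPAddress SAN) would satisfy both services through the single auth-cert setting, provided a CA will issue it (public CAs will not for private addresses, so this usually means an internal CA whose root the clients already trust). To check what the FortiGate actually presents, `openssl s_client -connect xx.yy.zz.ww:1003 -verify_ip xx.yy.zz.ww` runs the same IP identity check against the live listener.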
Workaround
1) Ideally the authentication certificates would be separable, so that the certificate used for SSL VPN and the certificate used for the WiFi captive portal could be chosen independently. The FortiGate does not currently offer this; the single auth-cert setting above applies to both.
2) Serve the captive portal over HTTP instead of HTTPS, so that no certificate is presented and no warning appears. This requires that HTTP authentication is not redirected to HTTPS, which is the default behaviour:
config user setting
set auth-secure-http disable (default = disable; enable redirects HTTP authentication to HTTPS)
end
The trade-off is that captive portal logins then cross the wireless link in cleartext, so this is only acceptable where the portal does not collect sensitive credentials or the SSID is otherwise protected.
The ports the authentication listeners use are set globally (auth-http-port, default 1000, and auth-https-port, default 1003). Changing the HTTPS port, for example to 1442 as below, only changes the port in the redirect URL; it does not remove the certificate warning:
config system global
set auth-https-port 1442 (default = 1003)
end