Description
This article provides a general guide on how to change the Captive Portal certificate when a custom certificate must be used to avoid security warnings on the browser.
This procedure assumes the custom certificate has already been loaded onto the FortiGate device and that an A register in the DNS server has been created to resolve the URL used in the authentication redirect.
This procedure assumes the custom certificate has already been loaded onto the FortiGate device and that an A register in the DNS server has been created to resolve the URL used in the authentication redirect.
Scope
FortiGate.
Solution
- Set the custom certificate for the authentication portal as shown below:
For FortiOS 6.4.x and above, it is under User & Authentication > Authentication Settings.
- Configure the redirection so the authentication URL matches the certificate CN:
config firewall auth-portal
set portal-addr fortigatename.domain.com
end
Notes:
- It is recommended to use a wildcard certificate so any subdomain can be 'covered' by the same certificate. For example: CN= *.domain.com.
- A redirection must be configured on the FortiGate to make sure the authentication portal URL matches the certificate CN (step 2). If this is not configured, the FortiGate will use its IP address to do the redirection and the URL will not match the certificate CN causing a browser security warning to appear.
- A DNS entry (A register) must be added in the DNS server so computers can resolve the name configured in the redirection to the IP address of the FortiGate's interface where the Captive Portal is configured.
