Description

Solution

1. Set the custom certificate for the authentication portal as shown below:

2.  Configure the redirection so the authentication URL matches the certificate CN:

config firewall auth-portal

    set portal-addr fortigatename.domain.com

end

Notes:

• It is recommended to use a wildcard certificate so any subdomain can be 'covered' by the same certificate.  For example: CN= *.domain.com.
• A redirection must be configured on the FortiGate to make sure the authentication portal URL matches the certificate CN (step 2).  If this is not configured, the FortiGate will use its IP address to do the redirection, and the URL will not match the certificate CN, causing a browser security warning to appear.
  
• In case of unexpected behavior after the certificate change, it could be useful to clear the related sessions and also the already authenticated users.
• Clearing users and sessions should be done during a maintenance window. Here are the related commands:

diagnose sys session filter policy <id>
diagnose sys session clear
diagnose firewall auth filter policy <id>
diagnose firewall auth clear

•  A DNS entry (A register) must be added in the DNS server so computers can resolve the name configured in the redirection to the IP address of the FortiGate's interface where the Captive Portal is configured.
• Make sure that the 'auth-cert' and the 'auth-ca-cert' are not set up with different certificate issuers. If that happens, users would still be able to access the captive portal, but not before receiving a certificate warning 'NET::ERR_CERT_AUTHORITY_INVALID' similar to the following screenshot:

The following is how the configuration would look in the CLI:

config user setting

    set auth-type http https ftp telnet
    set auth-cert "3rd_party_certificate" <- Certificate from GoDaddy, Sectigo, or other issuers.
    set auth-ca-cert "Fortinet_Factory" <- Fortinet Factory certificate.

end