Description
This article provides a general guide on how to change the Captive Portal certificate when a custom certificate must be used to avoid security warnings on the browser.
This procedure assumes the custom certificate has already been loaded onto the FortiGate device and that an A record has been created in the DNS server to resolve the URL used in the authentication redirect.
Scope
FortiGate.
Solution
- Set the custom certificate for the authentication portal as shown below:
For FortiOS 6.4.x and above, it is under User & Authentication > Authentication Settings.
- Configure the redirection so the authentication URL matches the certificate CN:
config firewall auth-portal
set portal-addr fortigatename.domain.com
end
Notes:
- It is recommended to use a wildcard certificate so any subdomain can be 'covered' by the same certificate. For example: CN=*.domain.com.
- A redirection must be configured on the FortiGate to make sure the authentication portal URL matches the certificate CN (step 2). If this is not configured, the FortiGate will use its IP address to do the redirection and the URL will not match the certificate CN causing a browser security warning to appear.
- A DNS entry (A record) must be added in the DNS server so computers can resolve the name configured in the redirection to the IP address of the FortiGate interface where the Captive Portal is configured.
- Make sure that the 'auth-cert' and the 'auth-ca-cert' are not set up with different certificate issuers. If that happens, users would still be able to access the captive portal, but not before receiving a certificate warning 'NET::ERR_CERT_AUTHORITY_INVALID' similar to the following screenshot:
The following is how such a mismatched configuration (third-party auth-cert, Fortinet factory auth-ca-cert) would look in the CLI:
config user setting
set auth-type http https ftp telnet
set auth-cert "3rd_party_certificate" <- Certificate from GoDaddy, Sectigo, or other issuers.
set auth-ca-cert "Fortinet_Factory" <- Fortinet Factory certificate.
end
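As an added pre-flight check (not part of the article or FortiOS itself), the script below parses the two CLI blocks shown above and verifies offline that portal-addr is covered by the certificate CN, including the one-label wildcard rule, and that auth-ca-cert is actually the issuer of auth-cert. The certificate inventory (CERTS) and the CLI text are constructed sample data; the certificate names come from the article, their subjects and issuers are assumptions.

```python
import shlex

# Constructed sample of what the two configuration blocks might print on a device.
SAMPLE_CLI = """
config firewall auth-portal
    set portal-addr "fortigatename.domain.com"
end
config user setting
    set auth-type http https ftp telnet
    set auth-cert "3rd_party_certificate"
    set auth-ca-cert "Fortinet_Factory"
end
"""

# Hypothetical certificate inventory: names from the article, attributes constructed.
CERTS = {
    "3rd_party_certificate": {"subject": "*.domain.com", "issuer": "Example Public CA"},
    "Fortinet_Factory": {"subject": "Fortinet_Factory", "issuer": "Fortinet CA"},
    "Example_Public_CA": {"subject": "Example Public CA", "issuer": "Example Root"},
}

def parse_cli(text):
    """Return {block_name: {key: [values]}} for each 'config ... end' block."""
    blocks, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line)          # strips the quotes FortiOS prints around values
        if not tokens:
            continue
        if tokens[0] == "config":
            current = blocks.setdefault(" ".join(tokens[1:]), {})
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "end":
            current = None
    return blocks

def name_matches(host, pattern):
    """Browser-style match: '*' covers exactly one leftmost DNS label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])

def check_portal(cli_text, certs):
    """Return a list of findings; an empty list means the portal setup is consistent."""
    cfg, findings = parse_cli(cli_text), []
    portal = cfg.get("firewall auth-portal", {}).get("portal-addr", [""])[0]
    setting = cfg.get("user setting", {})
    cert = certs.get(setting.get("auth-cert", [""])[0])
    ca = certs.get(setting.get("auth-ca-cert", [""])[0])
    if not portal:
        findings.append("no portal-addr: redirect will use the interface IP")
    elif cert and not name_matches(portal, cert["subject"]):
        findings.append(f"portal-addr {portal} not covered by {cert['subject']}")
    if cert and ca and cert["issuer"] != ca["subject"]:
        findings.append(f"auth-ca-cert is not the issuer of auth-cert ({ca['subject']} != {cert['issuer']})")
    return findings
```

Running check_portal(SAMPLE_CLI, CERTS) reports only the issuer mismatch from the article's note; pointing auth-ca-cert at the CA that issued the third-party certificate clears it.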