FortiGate
rhardy_FTNT
Staff
Article Id 190389

Description

 

This article describes how to install a new certificate when the built-in Fortinet_Wifi certificate has expired.
 
The FortiOS built-in certificate Fortinet_Wifi expires on May 24, 2019. On devices running FortiOS 5.6 or earlier, this expiry can break wireless authentication, because the expired certificate is the one presented to EAP supplicants during WPA2 Enterprise authentication.
 
This may impact all FortiGate and FortiWiFi devices using SSIDs with WPA2 Enterprise authentication where a local user group is configured to authenticate that WiFi.
 
SSID configuration example:
 
From the GUI (screenshot not reproduced):
 
From the CLI:
 
Fortinet_Wifi# get system status
Version: FortiWiFi-61E v5.6.9,build1673,190513 (GA)

Fortinet_Wifi# show wireless-controller vap wifi

config wireless-controller vap
    edit "wifi"
        set vdom "root"
        set ssid "CertTest-WPA2"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "LOCALS"
        set schedule "always"
    next
end

Fortinet_Wifi# show user group LOCALS
config user group
    edit "LOCALS"
        set member "userlocal"
    next
end

Fortinet_Wifi# show user local userlocal
config user local
    edit "userlocal"
        set type password
        set passwd-time 2019-05-19 06:51:10
        set passwd ENC AmbnT416FswGb1me/sdLbivJ+oCg1QGmrLJToQVJEPJGbdIp8cx8Oheg7/j4UXVh4LFRS6viSbJfY93zKOUybUi1GQIJN9Sk4DDJnlu406kygucIu7HW2jRPfBquQV6L8MIRLf5ZHUt25YoaQ0cP+zfJOO7BWCAzgxI6gJR+BNVFBYG8aeWPCpHm+P3sG2K1OD5WEg==
    next
end
 
Certificate validity can be checked from the GUI, provided the certificate view is enabled, under System > Certificates > Fortinet_Wifi (screenshot not reproduced).
 
Any FortiGate with 'Fortinet_Wifi' certificate showing an expiry date of 2019-05-24 could be impacted.


Scope


Possibly Affected Products:

Any FortiGate model running FortiOS 5.6 or earlier.

FortiWiFi devices using the internal WiFi radio, and FortiGate/FortiWiFi devices configured as wireless controllers managing one or more FortiAPs, as long as users are configured to authenticate with WPA2 Enterprise against local users.

Solution
There are several options to avoid the impact of the certificate expiry.

Option 1: Create a new certificate

Create a new certificate on the FortiGate as shown in the example below (screenshot not reproduced).
 
Then have the certificate signed by the organisation's own CA or by a third-party CA; the signed certificate is an end-entity (non-signing) certificate, typically issued by an intermediate CA.
 
Further details can be found on the Fortinet documentation site under Replacing the Fortinet_Wifi certificate.
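The two checks a practitioner wants around Option 1 and the expiry check in the Description above, as an added example that is not part of this article or of Fortinet's documentation: build the replacement WiFi server certificate with openssl on a workstation (key, CSR, signing as a non-CA end-entity certificate with the serverAuth EKU that PEAP/EAP-TLS supplicants require), then check its notAfter date and whether it is still valid for a given window, which is the same information the FortiGate GUI shows under System > Certificates. The CA created here is a throwaway local one and the hostname wifi.example.com is constructed for the example; in production the CSR is sent to the organisation's CA or a third-party CA instead.

```shell
#!/bin/sh
# Added example, not Fortinet's code: replacement WiFi server certificate
# workflow plus an expiry check, all with openssl.
# Assumptions (constructed for this example): a throwaway local CA, the
# hostname wifi.example.com, and a scratch directory in $WORK.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA standing in for the organisation's or a 3rd-party CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example WiFi CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Key and CSR for the WiFi server certificate. The CN/SAN is the name the
# EAP supplicant shows the user when asking whether to trust the server.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=wifi.example.com" \
        -keyout "$WORK/wifi.key" -out "$WORK/wifi.csr" >/dev/null 2>&1
}

# Sign the CSR as an end-entity (CA:FALSE) server certificate valid for
# $1 days, with the extensions WPA2 Enterprise supplicants expect.
sign_csr() {
    days="$1"
    cat > "$WORK/wifi.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:wifi.example.com
EOF
    openssl x509 -req -in "$WORK/wifi.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days "$days" -extfile "$WORK/wifi.ext" \
        -out "$WORK/wifi.crt" >/dev/null 2>&1
}

# Print the notAfter date of a PEM certificate ($1), i.e. its expiry.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if certificate $1 stays valid for at least $2 more seconds,
# non-zero if it expires inside that window (openssl -checkend semantics).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Exit 0 if certificate $1 chains to the CA the supplicants will trust.
cert_chain_ok() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Stand-alone demo: a 1-day certificate fails a 30-day look-ahead check,
# which is the warning an operator wants well before the expiry date.
if [ "${1:-}" = "demo" ]; then
    make_ca; make_csr; sign_csr 1
    echo "Expires: $(cert_not_after "$WORK/wifi.crt")"
    if cert_valid_for "$WORK/wifi.crt" $((30*24*3600)); then
        echo "OK: valid for at least 30 days"
    else
        echo "WARNING: certificate expires within 30 days, replace it"
    fi
fi
```

Run it as `sh replace-wifi-cert.sh demo`. The resulting wifi.crt and ca.crt are what gets imported on the FortiGate; the 30-day look-ahead is the same test worth scripting against the exported Fortinet_Wifi certificate, since the only difference between a working WPA2 Enterprise SSID and a broken one on May 24, 2019 is that notAfter date.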
 
Option 2: Upgrade to the latest FortiOS firmware
 
Starting with FortiOS 6.0.1, the 'Fortinet_Wifi' certificate is updated periodically and automatically through FortiGuard.
 
The same applies to v7.0.x, v7.2.x, v7.4.x and v7.6.x:

The built-in 'Fortinet_Wifi' certificate is updated automatically via FortiGuard, as part of the update category listed as Certificate Bundle.

Upgrading the firmware itself also renews an expired built-in certificate, since the new firmware image ships a current copy.
