Technical Tip: How to generate a self signed certificate from FortiGate

FortiGate can generate a certificate using our self-signed: CA: Fortinet_CA_SSL

Using a server certificate from a trusted CA is strongly recommended.

Follow the below steps to generate a self-signed certificate.

1) Go to System -> Certificates and select 'Create / Import'.

Select 'Certificate'.

2) Select the option to generate the certificate.

3) Once it opens, fill up the details as per the requirement.

Ensure that common name and subject alternative name are the ones that will be used to access the FortiGate or captive portal.

If the unit is to be accessed with an IP address fill in the same here.

To use the domain in these fields, A DNS record has to be created on the local DNS server so that it resolves to this IP.

To redirect users to captive portal FQDN instead of IP address use the below command.

# config firewall auth-portal
    set portal-addr "fortinet-portal.company.abc"
end

Ensure that  the CA certificate is downloaded in the above screenshot to avoid certificate errors.

This can be pushed to clients using Windows AD GPO.

Certificate for captive can be set in User & Authentication -> Authentication Settings.

To apply it on FortiGate admin login, Go to System -> Settings -> Administration Settings -> HTTPS Server Certificate.