ryan_www
New Contributor III

FG 7.2.x Change Certificate for SSO SP port 7831

How can you change the SSL certificate presented by the SSO SP on port 7831? 

Changing it in the following places does not seem to work:

- User & Auth > SSO

[screenshot: ryan_www_0-1664979001856.png]

- User & Auth > Auth Settings

[screenshot: ryan_www_1-1664979121412.png]

I'm using this through an explicit proxy and it just continues to present the factory SSL cert with the FG serial number.

6 REPLIES
Anthony_E
Community Manager

Hello Ryan,

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello Ryan,

I have found this document:

https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/447498/saml-authentication-i...

Could you please tell me if it helps?

Regards,

Anthony-Fortinet Community Team.
ryan_www
New Contributor III

Hi Anthony,

Unfortunately, I just worked through that link and it does not help. I've tried both self-signed and publicly signed certificates and none of them will show on connections to port 7831. They do work for the regular captive portal (not going through the explicit proxy). I even just tried the factory CA certificate as shown in that example, but it did not work either.

It is also interesting to note that in the last screenshot of that link it looks like they are ignoring the certificate error too. Notice the yellow warning triangle in the address bar. Hopefully there is a way to change the SSL certificate presented on port 7831.

[screenshot: ryan_www_0-1665513838151.png]

Thanks for your assistance!

Ryan

Anthony_E
Community Manager

Hello Ryan,

Thanks a lot for your feedback!

I will continue to look for a solution.

Regards,

Anthony-Fortinet Community Team.
ryan_www
New Contributor III

You're welcome!

Is there any way to make port 1003 reachable via the explicit proxy using a local-in policy rule? I think that could be a potential short-term workaround to the issue.

mahmad
Staff

The following settings will help you to assign the right certificate using the FortiGate CLI.

By default, you would see:

FGT # show full web-proxy global
config web-proxy global
    set ssl-cert "Fortinet_Factory"
    set ssl-ca-cert "Fortinet_CA_SSL"

You should replace it with the imported SSL certificate using the FortiGate CLI:

config web-proxy global
    set ssl-cert "new-ssl-example.com"
end

Reference:

Technical Tip: Fortiproxy and certificate used for... - Fortinet Community
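A way to confirm that the `set ssl-cert` change under `config web-proxy global` actually took effect on port 7831 is to pull the presented certificate from outside the box and compare its subject CN with the CN of the certificate you imported. The script below is an added example (not from this thread, and not Fortinet's code or tooling): it shells out to the `openssl` binary, which is assumed to be on PATH, and parses the `subject=` / `issuer=` lines that `openssl x509` prints. The host, port and expected CN are caller-supplied assumptions; the sample DN strings used for the offline check are constructed placeholders, not real Fortinet values.

```python
"""Check which certificate a FortiGate presents on the SSO SP port (7831).

Added example, not from the forum thread or from Fortinet. It relies on the
`openssl` binary being on PATH. Host, port and expected CN are supplied by the
caller; nothing here is a real device identifier.
"""
import re
import subprocess
import sys
from typing import Dict, Optional, Tuple


def parse_openssl_x509_fields(text: str) -> Dict[str, str]:
    """Parse the 'subject=' and 'issuer=' lines printed by
    `openssl x509 -noout -subject -issuer`.

    Handles both the older layout ('subject= /C=US/CN=host') and the
    newer one ('subject=C = US, CN = host')."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(subject|issuer)=\s*(.*)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def common_name(dn: str) -> Optional[str]:
    """Extract the CN attribute from a distinguished-name string."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else None


def evaluate_presented_cert(fields: Dict[str, str], expected_cn: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the presented subject CN
    equals the CN of the certificate you imported. A factory certificate
    (CN = device serial number, as described in the thread) will fail."""
    subject = fields.get("subject", "")
    cn = common_name(subject)
    if cn is None:
        return False, "no CN found in subject: %r" % subject
    if cn != expected_cn:
        issuer = fields.get("issuer", "?")
        return False, "presented CN %r != expected %r (issuer: %s)" % (cn, expected_cn, issuer)
    return True, "presented CN matches %r" % expected_cn


def fetch_presented_cert_fields(host: str, port: int = 7831,
                                servername: Optional[str] = None,
                                timeout: int = 10) -> Dict[str, str]:
    """Connect with `openssl s_client`, then feed its output (which contains
    the PEM leaf certificate) to `openssl x509` to print subject and issuer."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port)]
    if servername:  # send SNI in case the listener selects a cert by name
        cmd += ["-servername", servername]
    s_client = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                          input=s_client.stdout, capture_output=True,
                          timeout=timeout, check=True)
    return parse_openssl_x509_fields(x509.stdout.decode())


# Constructed sample output (placeholders, not real Fortinet DNs) so the
# parsing logic can be exercised without a device on the network.
SAMPLE_FACTORY_OUTPUT = (
    "subject=CN = FGT-SERIAL-PLACEHOLDER\n"
    "issuer=CN = PLACEHOLDER-FACTORY-CA\n"
)
SAMPLE_REPLACED_OUTPUT = "subject= /C=US/CN=proxy.example.com\nissuer= /CN=PLACEHOLDER-PUBLIC-CA\n"


if __name__ == "__main__":
    # usage: python check_7831_cert.py <host> <expected-cn> [port]
    if len(sys.argv) < 3:
        print("usage: %s <host> <expected-cn> [port]" % sys.argv[0])
        sys.exit(2)
    port_arg = int(sys.argv[3]) if len(sys.argv) > 3 else 7831
    fields = fetch_presented_cert_fields(sys.argv[1], port_arg, servername=sys.argv[2])
    ok, reason = evaluate_presented_cert(fields, sys.argv[2])
    print(("OK: " if ok else "MISMATCH: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it against the proxy address after applying the CLI change; if it still reports the serial-number CN, the explicit-proxy listener did not pick up the new certificate and the `web-proxy global` setting (rather than the captive-portal or SSO GUI settings) is the place to look.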
