SSL Certificate for Fortigate and FortiAuthenticator
Hello Team,
We’d like to acquire an SSL certificate to use in the Guest Portal of FortiAuthenticator, but I have some doubts:
- Does the certificate need to be issued to a public domain (public DNS resolvable), or could I use a local domain (mycompany.local)?
For example, would issuing the certificate to the CN fac.mycompany.local work? I ask because the company doesn’t have a public domain (mycompany.com, for example).
The second and last doubt is whether I can use a wildcard certificate, for example one issued to *.mycompany.local. Is that possible in the FortiAuthenticator? And in the FortiGate, is it possible to use a wildcard certificate too?
Cheers,
Gui
Guilherme
- Labels: FortiAuthenticator v5.5, FortiGate
Dear Gui,
- You can set any server certificate on FortiAuthenticator you want
-> your clients simply need to trust it
-> ideally, you want to ensure that the certificate subject matches FortiAuthenticator hostname (if your users access the captive portal via hostname) or the Subject Alternative Name includes the FortiAuthenticator's IP
-> if you go the hostname route, your clients need to be able to resolve it (via an internal DNS for example)
-> You can use the same wildcard certificate for FortiAuthenticator and FortiGate, provided their hostnames match the wildcard certificate
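The name-matching conditions in the answer above (the SAN must cover the hostname or IP that clients use, and a wildcard certificate must match each device's hostname), as an added example that is not part of the original thread. It assumes a certificate in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificate, the `fgt` hostname and the `192.0.2.10` address are constructed for illustration.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Compare one DNS SAN entry against a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label, never several
    if p_labels[0] == "*":
        # Wildcard honoured only as the whole left-most label, with at least
        # two labels after it (conservative choice made for this example).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels

def cert_covers(cert: dict, target: str) -> bool:
    """True if the certificate's SAN list covers the name or IP clients connect to."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP targets match only "IP Address" entries; wildcards never apply.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    # Only SAN entries are checked: current browsers ignore the subject CN.
    return any(kind == "DNS" and _dns_match(value, target) for kind, value in sans)

# Constructed sample: one wildcard certificate shared by both devices.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.mycompany.local"),),),
    "subjectAltName": (("DNS", "*.mycompany.local"), ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for name in ("fac.mycompany.local",           # FortiAuthenticator (from the thread)
                 "fgt.mycompany.local",           # FortiGate (hypothetical hostname)
                 "portal.guest.mycompany.local",  # two labels under the wildcard
                 "mycompany.local",               # bare domain
                 "192.0.2.10", "192.0.2.11"):
        print(f"{name:32} covered={cert_covers(WILDCARD_CERT, name)}")
```

Running it shows that `*.mycompany.local` covers both device hostnames but not a name two labels deep or the bare domain, and that access by IP only passes when that exact address is listed in the SAN.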
Hello Debbie,
I hope you are doing very well.
Thanks for your reply.
So, even with a certificate issued by a trusted (public) CA, I can insert a hostname with a .local domain, correct? I was thinking that a public certificate only works with public domains.
Since we will use this certificate for guest users, we will acquire a certificate from a trusted CA, like DigiCert, so the guest's browser natively trusts the certificate.
Guilherme
That should work, to my knowledge - your clients do need an internal DNS though, to resolve the .local domain of FortiAuthenticator/FortiGate.
Thank you very much!
Guilherme
