Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
GohanC
New Contributor III

Created on ‎02-24-2022 05:40 PM Edited on ‎02-24-2022 05:40 PM

SSL Certificate for Fortigate and FortiAuthenticator

Hello Team,

 

We’d like to acquire an SSL certificate to use in the Guest Portal of FortiAuthenticator, but I have some doubts:

 

- The certificate needs to be issued to a public domain (public dns resolvable) or could I use a local domain (mycompany.local)?

 

Example, issuing the certificate to the CN fac.mycompany.local would work? I ask it, because the company doesn’t have a public domain (mycompany.com, for example).

 

The second and last doubt is if I can use a certificate with wildcard, for example issued to *.mycompany.local, is that possible in the FortiAuthenticator ? And in the  FortiGate , is that possible to use certificate with wildcard too?

 

Cheers,

Gui

 

 

Regards,
Guilherme
Regards,Guilherme
2526
0 Kudos
1 Solution
Debbie_FTNT
Staff
Staff

Created on ‎02-25-2022 06:02 AM

Dear Gui,

 

- You can set any server certificate on FortiAuthenticator you want

-> your clients simply need to trust it

-> ideally, you want to ensure that the certificate subject matches FortiAuthenticator hostname (if your users access the captive portal via hostname) or the Subject Alternative Name includes the FortiAuthenticator's IP

-> if you go the hostname route, your clients need to be able to resolve it (via an internal DNS for example)
-> You can use the same wildcard certificate for FortiAuthenticator and FortiGate, provided their hostnames match the wildcard certificate

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

2512
4 REPLIES 4
Debbie_FTNT
Staff
Staff

Created on ‎02-25-2022 06:02 AM

Dear Gui,

 

- You can set any server certificate on FortiAuthenticator you want

-> your clients simply need to trust it

-> ideally, you want to ensure that the certificate subject matches FortiAuthenticator hostname (if your users access the captive portal via hostname) or the Subject Alternative Name includes the FortiAuthenticator's IP

-> if you go the hostname route, your clients need to be able to resolve it (via an internal DNS for example)
-> You can use the same wildcard certificate for FortiAuthenticator and FortiGate, provided their hostnames match the wildcard certificate

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
2513
GohanC
New Contributor III
In response to Debbie_FTNT

Created on ‎02-25-2022 06:20 AM

Hello Debbie,

I hope you are doing very well.

 

Thanks for your reply.

 

So, even with a Certificate issued by a trusted (public) CA, I can insert a hostname with a .local domain, correct? I was thinking that public certificate only works with public domains.

 

Once we will use this certificate for guest users, we will acquire a certificate from a trusted CA, like DigiCert, so the guest's browser natively trusts the certificate.

Regards,
Guilherme
Regards,Guilherme
2457
0 Kudos
Debbie_FTNT
Staff
Staff
In response to GohanC

Created on ‎02-25-2022 06:26 AM

That should work, to my knowledge - your clients do need an internal DNS though, to resolve the .local domain of FortiAuthenticator/FortiGate.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
2456
GohanC
New Contributor III
In response to Debbie_FTNT

Created on ‎02-25-2022 06:27 AM

Thank you very much!

Regards,
Guilherme
Regards,Guilherme
2454
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.