Hello Team,
We’d like to acquire an SSL certificate to use in the Guest Portal of FortiAuthenticator, but I have some doubts:
- The certificate needs to be issued to a public domain (public dns resolvable) or could I use a local domain (mycompany.local)?
Example, issuing the certificate to the CN fac.mycompany.local would work? I ask it, because the company doesn’t have a public domain (mycompany.com, for example).
The second and last doubt is if I can use a certificate with wildcard, for example issued to *.mycompany.local, is that possible in the FortiAuthenticator? And in the FortiGate, is that possible to use certificate with wildcard too?
Cheers,
Gui
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Dear Gui,
- You can set any server certificate on FortiAuthenticator you want
-> your clients simply need to trust it
-> ideally, you want to ensure that the certificate subject matches FortiAuthenticator hostname (if your users access the captive portal via hostname) or the Subject Alternative Name includes the FortiAuthenticator's IP
-> if you go the hostname route, your clients need to be able to resolve it (via an internal DNS for example)
-> You can use the same wildcard certificate for FortiAuthenticator and FortiGate, provided their hostnames match the wildcard certificate
Dear Gui,
- You can set any server certificate on FortiAuthenticator you want
-> your clients simply need to trust it
-> ideally, you want to ensure that the certificate subject matches FortiAuthenticator hostname (if your users access the captive portal via hostname) or the Subject Alternative Name includes the FortiAuthenticator's IP
-> if you go the hostname route, your clients need to be able to resolve it (via an internal DNS for example)
-> You can use the same wildcard certificate for FortiAuthenticator and FortiGate, provided their hostnames match the wildcard certificate
Hello Debbie,
I hope you are doing very well.
Thanks for your reply.
So, even with a Certificate issued by a trusted (public) CA, I can insert a hostname with a .local domain, correct? I was thinking that public certificate only works with public domains.
Once we will use this certificate for guest users, we will acquire a certificate from a trusted CA, like DigiCert, so the guest's browser natively trusts the certificate.
That should work, to my knowledge - your clients do need an internal DNS though, to resolve the .local domain of FortiAuthenticator/FortiGate.
Thank you very much!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.