FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article provides a general guide on how to change the Captive Portal certificate when a custom certificate must be used to avoid security warnings on the browser.
This procedure assumes the custom certificate has already been loaded onto the FortiGate device and that an A register in the DNS server has been created to resolve the URL used in the authentication redirect.
Set the custom certificate for the authentication portal as shown below:
For FortiOS 6.4.x and above, it is under User & Authentication > Authentication Settings.
Configure the redirection so the authentication URL matches the certificate CN:
config firewall auth-portal
set portal-addr fortigatename.domain.com
It is recommended to use a wildcard certificate so any subdomain can be 'covered' by the same certificate. For example: CN= *.domain.com.
A redirection must be configured on the FortiGate to make sure the authentication portal URL matches the certificate CN (step 2). If this is not configured, the FortiGate will use its IP address to do the redirection and the URL will not match the certificate CN causing a browser security warning to appear.
A DNS entry (A register) must be added in the DNS server so computers can resolve the name configured in the redirection to the IP address of the FortiGate's interface where the Captive Portal is configured.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.