FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 196406



This article provides a general guide on how to change the Captive Portal certificate when a custom certificate must be used to avoid security warnings on the browser.

This procedure assumes the custom certificate has already been loaded onto the FortiGate device and that an A register in the DNS server has been created to resolve the URL used in the authentication redirect.



  1. Set the custom certificate for the authentication portal as shown below:


For FortiOS 6.4.x and above, it is under User & Authentication > Authentication Settings.

auth setting.PNG


  1.  Configure the redirection so the authentication URL matches the certificate CN:


config firewall auth-portal

    set portal-addr



  • It is recommended to use a wildcard certificate so any subdomain can be 'covered' by the same certificate.  For example: CN= *
  • A redirection must be configured on the FortiGate to make sure the authentication portal URL matches the certificate CN (step 2).  If this is not configured, the FortiGate will use its IP address to do the redirection and the URL will not match the certificate CN causing a browser security warning to appear.
  •  A DNS entry (A register) must be added in the DNS server so computers can resolve the name configured in the redirection to the IP address of the FortiGate's interface where the Captive Portal is configured.