Cookbook

Replacing the Fortinet_Wifi certificate

Note

These instructions apply to FortiWiFi devices using internal WiFi radios and to FortiGate/FortiWiFi devices configured as WiFi Controllers that manage FortiAP devices, where WiFi clients connect to a WPA2-Enterprise SSID and are authenticated against local user groups.

On FortiOS, the built-in Fortinet_Wifi certificate is a publicly signed certificate that is used only as the EAP server certificate for WPA2-Enterprise SSIDs with local user-group authentication (when authentication is delegated to an external RADIUS server, that server presents its own certificate instead). The default WiFi certificate configuration is:

config system global
    set wifi-ca-certificate "Fortinet_Wifi_CA"
    set wifi-certificate "Fortinet_Wifi"
end

WiFi administrators must consider the following factors:

  • The Fortinet_Wifi certificate is issued to Fortinet Inc. with the common name (CN) auth-cert.fortinet.com, so supplicants configured to check the server name will expect that CN. If an organization requires its own CN in its WiFi deployment, it must replace the certificate with its own.
  • The Fortinet_Wifi certificate has an expiry date. When it expires, renew or replace it with a new certificate; otherwise clients that validate the server certificate will fail to connect.
To replace the Fortinet_Wifi certificate:
  1. Get the new certificate files: the root CA certificate, a server certificate signed by that CA, and the corresponding private key file.

    You can purchase a publicly signed certificate from a commercial certificate service provider, or create your own self-signed CA and issue the server certificate from it. In the second case, WiFi clients must have the private CA certificate installed before they can validate the server.

  2. Import the new certificate files into FortiOS:
    1. On the FortiGate, go to System > Certificates.

      If VDOMs are enabled, go to Global > System > Certificates.

    2. Click Import > CA Certificate.
    3. Set the Type to File and upload the CA certificate file from the management computer.

    4. Click OK.

      The imported CA certificate is named CA_Cert_N (or G_CA_Cert_N if VDOMs are enabled), where N starts at 1 and increments for each imported certificate, and G indicates the global scope.

    5. Click Import > Local Certificate.
    6. Set Type to Certificate, upload the Certificate file and Key file, enter the Password that protects the key file, and enter a Certificate Name.

    7. Click OK.

      The Certificates page lists the imported certificates.

  3. Change the WiFi certificate settings:
    config system global
        set wifi-ca-certificate <name of the imported CA certificate>
        set wifi-certificate <name of the imported certificate signed by the CA>
    end
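The three files that step 1 calls for can be produced with OpenSSL. The script below is an added example written for this page, not Fortinet's own tooling: it creates a private CA, issues a server certificate carrying the organization's own CN from it, encrypts the private key with the password that the Import > Local Certificate dialog asks for, and runs the checks worth doing before the import (the chain validates against the CA that will become wifi-ca-certificate, the CN is the expected one, the key matches the certificate, and expiry is not imminent). It assumes openssl is on PATH; every name in it (wifi-ca.*, wifi-server.*, Example Corp, radius.example.com, the password) is a placeholder chosen for the example.

```shell
#!/bin/sh
# Added example (not Fortinet code): build the CA certificate, server certificate
# and private key for the wifi-ca-certificate / wifi-certificate pair, then check
# them before importing into FortiOS. Assumes openssl is installed.
# All names below are placeholders chosen for this example.
set -eu

WORKDIR="${WORKDIR:-./wifi-certs}"              # where the files are written
ORG="Example Corp"                              # placeholder organization
CA_CN="Example Corp WiFi CA"                    # placeholder CA name
SERVER_CN="${SERVER_CN:-radius.example.com}"    # the CN your supplicants will see
KEY_PASS="${KEY_PASS:-changeit}"                # typed into the FortiOS "Password" field
CA_DAYS=3650
SERVER_DAYS=397

# Create wifi-ca.crt (Import > CA Certificate), wifi-server.crt and
# wifi-server.key (Import > Local Certificate, uploaded together).
make_wifi_certs() {
    mkdir -p "$WORKDIR"

    # 1. Self-signed private CA.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$CA_DAYS" \
        -subj "/O=$ORG/CN=$CA_CN" \
        -keyout "$WORKDIR/wifi-ca.key" -out "$WORKDIR/wifi-ca.crt" 2>/dev/null

    # 2. Server key and CSR carrying the organization's own CN.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=$ORG/CN=$SERVER_CN" \
        -keyout "$WORKDIR/wifi-server-plain.key" -out "$WORKDIR/wifi-server.csr" 2>/dev/null

    # 3. Sign it as a TLS server certificate: EAP supplicants check the
    #    serverAuth EKU and match the CN / SAN against the configured name.
    printf '%s\n' \
        'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$SERVER_CN" > "$WORKDIR/wifi-server.ext"
    openssl x509 -req -sha256 -days "$SERVER_DAYS" \
        -in "$WORKDIR/wifi-server.csr" \
        -CA "$WORKDIR/wifi-ca.crt" -CAkey "$WORKDIR/wifi-ca.key" -CAcreateserial \
        -extfile "$WORKDIR/wifi-server.ext" -out "$WORKDIR/wifi-server.crt" 2>/dev/null

    # 4. Encrypt the server key so it is never stored or uploaded in the clear;
    #    FortiOS decrypts it with the password entered in the import dialog.
    openssl pkcs8 -topk8 -v2 aes-256-cbc \
        -in "$WORKDIR/wifi-server-plain.key" -out "$WORKDIR/wifi-server.key" \
        -passout "pass:$KEY_PASS"
    rm -f "$WORKDIR/wifi-server-plain.key"
}

# --- Pre-import checks (each returns 0 on success, non-zero on failure) ---

# The server certificate chains to the CA that will be set as wifi-ca-certificate.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/wifi-ca.crt" "$WORKDIR/wifi-server.crt" >/dev/null
}

# Print the CN the supplicant will see (confirms it is no longer auth-cert.fortinet.com).
server_cn() {
    openssl x509 -in "$WORKDIR/wifi-server.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# The encrypted key really belongs to the certificate; a mismatch makes the
# FortiOS import fail, or the EAP handshake fail later.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORKDIR/wifi-server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORKDIR/wifi-server.key" -passin "pass:$KEY_PASS" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# The certificate stays valid for at least N more days (the expiry point above).
valid_for_days() {
    openssl x509 -in "$WORKDIR/wifi-server.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

make_wifi_certs
verify_chain      && echo "chain OK"
echo "server CN: $(server_cn)"
key_matches_cert  && echo "key matches certificate"
valid_for_days 30 && echo "valid for at least 30 more days"
echo "Import > CA Certificate:    $WORKDIR/wifi-ca.crt"
echo "Import > Local Certificate: $WORKDIR/wifi-server.crt + wifi-server.key (password: KEY_PASS)"
```

With a purchased certificate, skip the CA-generation step and import the issuer's chain as the CA certificate instead; the chain, CN, key-match and expiry checks apply unchanged. The private-CA route only works for clients that have wifi-ca.crt installed, so distribute it through your device management before switching wifi-ca-certificate.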

If necessary, revert to the factory default certificates:

config system global
    set wifi-ca-certificate "Fortinet_CA"
    set wifi-certificate "Fortinet_Factory"
end

As the factory default certificates are self-signed, WiFi clients must either accept the certificate at the connection prompt or have the Fortinet_CA certificate installed so that they can validate it.

If the built-in Fortinet_Wifi certificate has expired and has not been renewed or replaced, WiFi clients can still connect to the WPA2-Enterprise SSID with local user-group authentication only by ignoring the warning messages or disabling the Validate server certificate (or similar) option. Treat this as a stopgap, not a fix: a supplicant that does not validate the server certificate will complete the EAP exchange with any access point broadcasting the same SSID, so the credentials it sends can be captured by a rogue AP. Replace the certificate instead.
