Replacing the Fortinet_Wifi certificate

Note

These instructions apply to FortiWiFi devices using internal WiFi radios and to FortiGate/FortiWiFi devices configured as WiFi Controllers that manage FortiAP devices, where WiFi clients connect to a WPA2-Enterprise SSID and are authenticated against local user groups.

On FortiOS, the built-in Fortinet_Wifi certificate is a publicly signed certificate that is only used in WPA2-Enterprise SSIDs with local user-group authentication. The default WiFi certificate configuration is:

config system global
    set wifi-ca-certificate "Fortinet_Wifi_CA"
    set wifi-certificate "Fortinet_Wifi"
end

WiFi administrators must consider the following factors:

  • The Fortinet_Wifi certificate is issued to Fortinet Inc. with common name (CN) auth-cert.fortinet.com. If a company or organization requires their own CN in their WiFi deployment, they must replace it with their own certificate.
  • The Fortinet_Wifi certificate has an expiry date. When it is about to expire, it must be renewed or replaced with a new certificate.
To replace the Fortinet_Wifi certificate:
  1. Get new certificate files, including a root CA certificate, a certificate signed by the CA, and the corresponding private key file:

    Purchase a publicly signed certificate from a commercial certificate service provider, or generate a self-signed certificate.

  2. Import the new certificate files into FortiOS:
    1. On the FortiGate, go to System > Certificates.

      If VDOMs are enabled, go to Global > System > Certificates.

    2. Click Import > CA Certificate.
    3. Set the Type to File and upload the CA certificate file from the management computer.

    4. Click OK.

      The imported CA certificate is named CA_Cert_N, or G_CA_Cert_N when VDOMs are enabled, where N starts from 1 and increments for each imported certificate, and G stands for global range.

    5. Click Import > Local Certificate.
    6. Set the Type to Certificate, upload the certificate file and key file, enter the password, and enter the certificate name.

    7. Click OK.

      The imported certificates are listed on the Certificates page.

  3. Change the WiFi certificate settings:
    config system global
        set wifi-ca-certificate <name of the imported CA certificate>
        set wifi-certificate <name of the imported certificate signed by the CA>
    end
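
The following script is an added example, not part of the Fortinet documentation or of FortiOS. It covers the "generate a self-signed certificate" option in step 1: it builds a private root CA and a CA-signed WiFi server certificate with OpenSSL, and then runs the checks worth doing before the files are imported in step 2, namely that the certificate carries the organization's own CN, that it chains to the CA the clients will be asked to trust, and how much lifetime is left (the same check catches an expiring certificate later). The output directory, the organization name "Example Corp", the hostname wifi.example.com and the 730-day lifetime are all assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the Fortinet page or FortiOS): create a private CA
# and a CA-signed WiFi (EAP server) certificate, then verify them with OpenSSL.
# WORKDIR, the subjects, the hostname and the lifetime are constructed values.
set -eu

WORKDIR="${WORKDIR:-./wifi-certs}"   # assumed output directory

# make_wifi_certs <common-name> <days-valid>
# Writes ca.crt, ca.key (the root CA) and wifi.crt, wifi.key (the server
# certificate and private key) into $WORKDIR; these are the three files
# FortiOS asks for in the import steps.
make_wifi_certs() {
  cn="$1"; days="$2"
  mkdir -p "$WORKDIR"
  # 1. Self-signed root CA. This is the file imported as "CA Certificate" and,
  #    for a private CA, the file WiFi clients must trust to validate the server.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" -days "$days" \
    -subj "/O=Example Corp/CN=Example Corp WiFi Root CA" >/dev/null 2>&1
  # 2. Server key and CSR carrying the organization's own common name.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/wifi.key" -out "$WORKDIR/wifi.csr" \
    -subj "/O=Example Corp/CN=$cn" >/dev/null 2>&1
  # 3. Sign the CSR with the CA. EAP supplicants look for a serverAuth EKU and
  #    a SAN that matches the name they are configured to validate.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$cn" \
    > "$WORKDIR/wifi.ext"
  openssl x509 -req -sha256 -days "$days" \
    -in "$WORKDIR/wifi.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -extfile "$WORKDIR/wifi.ext" \
    -out "$WORKDIR/wifi.crt" >/dev/null 2>&1
}

# cert_cn <cert.pem>: prints the subject CN, to confirm the issued name.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null \
    | sed -n 's/^ *CN=//p'
}

# chain_ok <ca.pem> <cert.pem>: succeeds only if cert chains to the given CA.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# expires_within <cert.pem> <seconds>: succeeds if the certificate will have
# expired <seconds> from now; run it on the deployed WiFi certificate on a
# schedule so a renewal is planned before clients see warning prompts.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage: "sh this-script.sh run" builds a two-year certificate and reports
# the values an administrator wants to see before importing into FortiOS.
if [ "${1:-}" = "run" ]; then
  make_wifi_certs wifi.example.com 730
  echo "CN:     $(cert_cn "$WORKDIR/wifi.crt")"
  chain_ok "$WORKDIR/ca.crt" "$WORKDIR/wifi.crt" && echo "chain:  OK"
  if expires_within "$WORKDIR/wifi.crt" 2592000; then
    echo "expiry: WARNING, less than 30 days left"
  else
    echo "expiry: more than 30 days left"
  fi
fi
```

After importing, the name entered for the local certificate in step 2.6 and the CA_Cert_N (or G_CA_Cert_N) name assigned to the CA are the values to use in the config system global commands of step 3. Because the CA here is private rather than publicly signed, clients must have ca.crt installed, otherwise they see the same validation prompt described for the factory default certificates below.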

Notes

Note

If necessary, the factory default certificates can also be used to replace the certificates:

config system global
    set wifi-ca-certificate "Fortinet_CA"
    set wifi-certificate "Fortinet_Factory"
end

As the factory default certificates are self-signed, WiFi clients will need to accept them at the connection prompt, or import the Fortinet_CA certificate to validate them.

Caution

If the built-in Fortinet_Wifi certificate has expired and not been renewed or replaced, WiFi clients can still connect to the WPA2‑Enterprise SSID with local user-group authentication by ignoring any prompted warning messages or bypassing Validate server certificate (or similar) options.

Tooltip

With FortiOS 6.0.1 and later, the Fortinet_Wifi certificate can be updated automatically through the FortiGuard service certificate bundle update.