
FortiWiFi and FortiAP Cookbook

Replacing WiFi certificate

6.4.0
Doc ID: daf31b55-67cc-11ea-9384-00505692583a:329069

Replacing WiFi certificate

You can replace the built-in WiFi certificate with one you upload.

Note

These instructions apply to FortiWiFi devices using internal WiFi radios, and to FortiGate/FortiWiFi devices configured as WiFi Controllers that manage FortiAP devices, where WiFi clients connect to a WPA2-Enterprise SSID and authenticate against local user groups.

On FortiOS, the built-in Fortinet_Wifi certificate is a publicly signed certificate that is only used in WPA2-Enterprise SSIDs with local user-group authentication. The default WiFi certificate configuration is:

config system global
    set wifi-ca-certificate "Fortinet_Wifi_CA"
    set wifi-certificate "Fortinet_Wifi"
end

Consider the following factors:

  • The Fortinet_Wifi certificate is issued to Fortinet Inc. with common name (CN) auth-cert.fortinet.com. If a company or organization requires their own CN in their WiFi deployment, they must replace it with their own certificate.
  • The Fortinet_Wifi certificate has an expiry date. When it expires, it must be renewed or replaced with a new certificate.

To replace a WiFi certificate:
  1. Get new certificate files, including a root CA certificate, a certificate signed by the CA, and the corresponding private key file.

    You can purchase a publicly signed certificate from a commercial certificate service provider or generate a self-signed certificate.

  2. Import the new certificate files into FortiOS:
    1. In FortiGate, go to System > Certificates.

      If VDOMs are enabled, go to Global > System > Certificates.

    2. Click Import > CA Certificate.
    3. Set the Type to File and upload the CA certificate file from the management computer.

    4. Click OK.

      The imported CA certificate is named CA_Cert_N, or G_CA_Cert_N when VDOMs are enabled, where N starts at 1 and increments for each imported certificate, and G indicates the global scope.

    5. Click Import > Local Certificate.
    6. Set the Type to Certificate, upload the certificate file and key file, enter the password, and enter the certificate name.

    7. Click OK.

      The imported certificates are listed on the Certificates page.

  3. Change the WiFi certificate settings:
    1. Go to System > Settings and scroll down to the WiFi Settings section.
    2. In the WiFi certificate dropdown menu, select the imported local certificate.
    3. In the WiFi CA certificate dropdown menu, select the imported CA certificate.

    4. Click Apply.
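Step 1 in practice, for the self-signed route the step allows: the following script is an added example and is not part of Fortinet's documentation or FortiOS. It assumes a POSIX shell with the openssl command-line tool installed, and uses placeholder values (the output directory, the server name wifi-auth.example.com and the organization "Example Corp") that you would replace with your own. It produces the three files the step asks for (a root CA certificate, a server certificate signed by that CA, and the matching private key), runs the same chain validation a client with "Validate server certificate" enabled performs, checks how close the certificate is to expiry, and wraps the private key with the password you will enter at step 6.

```shell
#!/bin/sh
# Added example (not Fortinet's code): generate the certificate files for
# replacing the FortiOS WiFi certificate with one carrying your own CN.
# Assumed/constructed values: output directory, server CN
# "wifi-auth.example.com" and organization "Example Corp" are placeholders.
set -eu

# make_wifi_certs DIR SERVER_CN ORG
# Writes DIR/ca.crt (import as CA Certificate), DIR/server.crt and
# DIR/server.key (import together as Local Certificate).
make_wifi_certs() {
    dir=$1; cn=$2; org=$3
    mkdir -p "$dir"

    # Root CA. CA:TRUE and keyCertSign are set explicitly so supplicants
    # (and 'openssl verify') accept it as an issuer. Keep ca.key offline.
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $org WiFi Root CA
O = $org
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ca.key" 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$dir/ca.key" \
        -config "$dir/ca.cnf" -out "$dir/ca.crt"

    # EAP server certificate signed by that CA. The serverAuth EKU and a
    # SAN matching the CN are what common supplicants check.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$cn
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server.key" 2>/dev/null
    openssl req -new -sha256 -key "$dir/server.key" \
        -subj "/CN=$cn/O=$org" -out "$dir/server.csr"
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# verify_chain CA_CRT SERVER_CRT: the check a client performs when
# "Validate server certificate" is enabled. Non-zero exit on failure.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# check_expiry CRT DAYS: exit 0 if the certificate is still valid DAYS days
# from now, non-zero if it expires sooner or has already expired.
check_expiry() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_cn CRT: print the subject CN, to confirm your own name has replaced
# auth-cert.fortinet.com before selecting the certificate in FortiOS.
cert_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# protect_key KEY OUT PASSWORD: PKCS#8/AES-256 wrap the private key so the
# file uploaded in step 6 is unusable without the password entered there.
protect_key() {
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -out "$2" -passout "pass:$3"
}

# Demo run (set WIFI_CERT_DEMO=1 to execute when running this file directly).
if [ -n "${WIFI_CERT_DEMO:-}" ]; then
    make_wifi_certs ./wifi-certs wifi-auth.example.com "Example Corp"
    verify_chain ./wifi-certs/ca.crt ./wifi-certs/server.crt && echo "chain OK"
    check_expiry ./wifi-certs/server.crt 30 && echo "valid for 30+ days"
    echo "CN: $(cert_cn ./wifi-certs/server.crt)"
fi
```

Import ca.crt at step 2.2 and server.crt together with the wrapped key at step 2.6, then select them at step 3. Because this CA is private, clients must have ca.crt installed (or accept the prompt) exactly as described for the factory Fortinet_CA below; a certificate bought from a public provider avoids that client-side step but gives you no control over issuance. The check_expiry function is also a convenient way to schedule a warning before the uploaded certificate, like the built-in Fortinet_Wifi one, reaches its expiry date.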

To replace a WiFi certificate using the CLI:
config system global
    set wifi-ca-certificate <name of the imported CA certificate>
    set wifi-certificate <name of the imported certificate signed by the CA>
end

To restore the factory default WiFi certificates using the CLI:
config system global
    set wifi-ca-certificate "Fortinet_CA"
    set wifi-certificate "Fortinet_Factory"
end

As the factory default certificates are self-signed, WiFi clients must either accept them at the connection prompt or import the Fortinet_CA certificate to validate them.

Additional Information

The Fortinet_Wifi certificate can be updated automatically through the FortiGuard service certificate bundle update.

If the built-in Fortinet_Wifi certificate has expired and not been renewed or replaced, WiFi clients can still connect to the WPA2‑Enterprise SSID with local user-group authentication by ignoring any warning messages or bypassing Validate server certificate (or similar) options.
