Create and Install SSL Certificates
Requirements
- FortiNAC hostnames to be secured by the certificates (certificates are required on all FortiNAC appliances)
- The hostname used for the Portal can be different from the actual hostname of the appliance. This is beneficial when using a combination of internal and external certificates. Setting a different Portal hostname also avoids revealing the actual appliance hostname to users interacting with the Portal. See the use cases below for examples.
- High Availability (HA) environments:
  - For ease of configuration, it is recommended to install certificates on both appliances prior to configuring HA. If some certificates must be installed after HA is configured, see pages 5 and 6 of the SSL Certificates How To in the Fortinet Document Library for instructions.
  - If a Virtual IP Address (VIP) will be used in an L2 HA configuration, the VIP hostname will also need to be secured.
Procedure
- Determine the use cases so the appropriate certificates can be acquired. FortiNAC can use SSL certificates issued by either an internal or a public (external) Certificate Authority (CA). Note: Different certificates can be installed for different components.
- Navigate to System > Certificate Management.
- Generate a certificate (if not already generated). Then install the certificate on all appliances. For instructions, refer to the SSL Certificates How To in the Fortinet Document Library.
- Upload certificates to the Admin UI first (if the UI is going to be secured).
- Log out of the Admin UI and reconnect using the following URL:
  https://<FortiNAC Server Host Name included in certificate>:8443/
  If the browser reports that the certificate is not secure, an intermediate certificate may be missing. See related KB article 190860.
- Proceed to the next step.
What certificate should be used?
Review the following use case examples to help determine the most applicable certificate for your environment.
What the certificates are used for

Component | Function | Certificate to Use
---|---|---
Administration UI | Access to the FortiNAC UI | Internal or External
Persistent Agent | Persistent Agent communication | Internal or External
Portal | Captive Portal access and Dissolvable Agent communication | External
Local RADIUS Server (EAP) | For use when FortiNAC is acting as the 802.1X EAP termination point | Internal or External (avoid wildcard certificates)
RADIUS Endpoint Trust | Client-side certificate validation (EAP-TLS) | Internal or External (avoid wildcard certificates)
Use Case Examples
Example 1: Internal CA & 3rd Party RADIUS Server
This can be used in the following cases:
- Computers to be used for Administration UI access have the company's internal CA root certificate installed
- Company-owned computers requiring the Persistent Agent to be installed also have the internal CA root certificate
- BYOD devices will be on-boarded via Captive Portal
- FortiNAC will manage wireless clients but will proxy RADIUS to a 3rd party RADIUS Server
In these use cases, 2 certificates will be required (1 internal and 1 external).

Hostname to Secure (Subject) | Certificate | Component(s)
---|---|---
FNACname1.intdomainname.com | Internal | Administration UI, Persistent Agent
FNACname2.extdomainname.com | External | Portal
Example 2: Internal CA & Local RADIUS Server
This can be used in the following cases:
- Computers to be used for Administration UI access have the company's internal CA root certificate installed
- Company-owned computers requiring the Persistent Agent to be installed also have the internal CA root certificate
- Local RADIUS Server (EAP): Use internal certificate
- RADIUS Endpoint Trust: Use internal certificate
- BYOD devices will be on-boarded via Captive Portal
In this use case, 2 certificates will be required (1 internal and 1 external).

Hostname to Secure (Subject) | Certificate | Component(s)
---|---|---
FNACname1.intdomainname.com | Internal | Administration UI, Persistent Agent, Local RADIUS Server (EAP), RADIUS Endpoint Trust
FNACname2.extdomainname.com | External | Portal
Example 3: No Internal CA & Local RADIUS Server
- Admin UI: Use external certificate
- Persistent Agent: Use internal certificate
- Portal: Use external certificate
In this use case, 1 certificate will be required (external).

Hostname to Secure (Subject) | Certificate | Component(s)
---|---|---
FNACname2.extdomainname.com | External | Administration UI, Persistent Agent, Portal, Local RADIUS Server (EAP), RADIUS Endpoint Trust
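The following added example (not Fortinet's code) checks a planned certificate-to-component assignment against the rules in the table above and the use case examples: each component's allowed CA type, the "avoid wildcard certificates" advice for the RADIUS/EAP components, and whether every hostname to secure (including an HA VIP hostname) is actually covered by the chosen certificate's names. The certificate identifiers, the `nac-vip` hostname and the plan data are constructed; the FNACname hostnames are the placeholders used in the examples.

```python
from dataclasses import dataclass

# Component -> (allowed CA types, wildcard subject acceptable), from the
# "What the certificates are used for" table on this page.
RULES = {
    "Administration UI": ({"internal", "external"}, True),
    "Persistent Agent": ({"internal", "external"}, True),
    "Portal": ({"external"}, True),
    "Local RADIUS Server (EAP)": ({"internal", "external"}, False),
    "RADIUS Endpoint Trust": ({"internal", "external"}, False),
}

@dataclass
class Cert:
    ca_type: str  # "internal" or "external"
    names: list   # subject CN plus SAN dNSName entries

def name_matches(pattern, host):
    """RFC 6125-style match: a leading '*' covers exactly one DNS label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    return len(p) == len(h) and p[1:] == h[1:]

def check_plan(plan, certs):
    """plan: {component: (cert_id, [hostnames to secure])} -> list of findings."""
    findings = []
    for component, (cert_id, hosts) in plan.items():
        allowed, wildcard_ok = RULES[component]
        cert = certs[cert_id]
        if cert.ca_type not in allowed:
            findings.append(f"{component}: {cert.ca_type} CA not allowed")
        for host in hosts:
            hits = [n for n in cert.names if name_matches(n, host)]
            if not hits:
                findings.append(f"{component}: {cert_id} does not cover {host}")
            elif not wildcard_ok and any(n.startswith("*.") for n in hits):
                findings.append(f"{component}: wildcard cert {cert_id} should be avoided")
    return findings

# Constructed sample data (hypothetical cert ids; placeholder hostnames from the examples).
CERTS = {"int-cert": Cert("internal", ["FNACname1.intdomainname.com"]),
         "ext-cert": Cert("external", ["FNACname2.extdomainname.com"]),
         "ext-wild": Cert("external", ["*.extdomainname.com"])}
EXAMPLE_1 = {"Administration UI": ("int-cert", ["FNACname1.intdomainname.com"]),
             "Persistent Agent": ("int-cert", ["FNACname1.intdomainname.com"]),
             "Portal": ("ext-cert", ["FNACname2.extdomainname.com"])}  # plan from Example 1
BAD_PLAN = {"Portal": ("int-cert", ["FNACname1.intdomainname.com"]),  # internal CA on Portal
            "Local RADIUS Server (EAP)": ("ext-wild", ["FNACname2.extdomainname.com"]),  # wildcard for EAP
            "Administration UI": ("int-cert", ["FNACname1.intdomainname.com", "nac-vip.intdomainname.com"])}
```

Running `check_plan(EXAMPLE_1, CERTS)` returns no findings, while `check_plan(BAD_PLAN, CERTS)` reports the internal certificate on the Portal, the wildcard certificate on the EAP termination point, and the HA VIP hostname that no certificate covers.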
Once completed, proceed to the next step.