Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cookbook

    5.6.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.0
    6.0.0
    5.6.0
    5.4.0

    Replacing the Fortinet_Wifi certificate

    Replacing the Fortinet_Wifi certificate

    Note

    These instruction apply to FortiWiFi devices using internal WiFi radios and FortiGate/FortiWiFi devices configured as WiFi Controllers that manage FortiAP devices, and have WiFi clients that are connected to WPA2-Enterprise SSID and authenticated with local user groups.

    On FortiOS, the built-in Fortinet_Wifi certificate is a publicly signed certificate that is only used in WPA2-Enterprise SSIDs with local user-group authentication. The default WiFi certificate configuration is:

    config system global

    set wifi-ca-certificate "Fortinet_Wifi_CA"

    set wifi-certificate "Fortinet_Wifi"

    end

    WiFi administrators must consider the following factors:

    • The Fortinet_Wifi certificate is issued to Fortinet Inc. with the common name (CN) auth-cert.fortinet.com. If an organization requires its own CN in their WiFi deployment, they must replace it with their own certificate.
    • The Fortinet_Wifi certificate has an expiry date. When it is expires, renew or replace it with a new certificate.
    To replace the Fortinet_Wifi certificate:
    1. Get new certificate files, including a root CA certificate, a certificate signed by the CA, and the corresponding private key file.

      You can purchase a publicly signed certificate from a commercial certificate service provider or generate a self-signed certificate.

    2. Import the new certificate files into FortiOS:
      1. On the FortiGate, go to System > Certificates.

        If VDOMs are enable, got to Global > System > Certificates.

      2. Click Import > CA Certificate.
      3. Set the Type to File and upload the CA certificate file from the management computer.

      4. Click OK.

        The imported CA certificate name is CA_Cert_N (or G_CA_Cert_N if VDOMs are enabled), where N starts at 1 and increments for each imported certificate, and G stands for global range.

      5. Click Import > Local Certificate.
      6. Set Type to Certificate, upload the Certificate file and Key file, enter the Password and enter the Certificate Name.

      7. Click OK.

        The Certificates page lists the imported certificates.

    3. Change the WiFi certificate settings:
      config system global
    set wifi-ca-certificate <name of the imported CA certificate>
    set wifi-certificate <name of the imported certificate signed by the CA>
end

    If necessary, use the factory default certificates to replace the certificates:

    config system global
    set wifi-ca-certificate "Fortinet_CA"
    set wifi-certificate "Fortinet_Factory"
end

    As the factory default certificates are self-signed, WiFi clients need to accept it at the connection prompt or import the Fortinet_CA certificate to validate it.

    If the built-in Fortinet_Wifi certificate has expired and not been renewed or replaced, WiFi clients can still connect to the WPA2‑Enterprise SSID with local user-group authentication by ignoring warning messages or bypassing Validate server certificate (or similar) options.
    Previous
    Next

    Replacing the Fortinet_Wifi certificate

    Replacing the Fortinet_Wifi certificate

    Note

    These instruction apply to FortiWiFi devices using internal WiFi radios and FortiGate/FortiWiFi devices configured as WiFi Controllers that manage FortiAP devices, and have WiFi clients that are connected to WPA2-Enterprise SSID and authenticated with local user groups.

    On FortiOS, the built-in Fortinet_Wifi certificate is a publicly signed certificate that is only used in WPA2-Enterprise SSIDs with local user-group authentication. The default WiFi certificate configuration is:

    config system global

    set wifi-ca-certificate "Fortinet_Wifi_CA"

    set wifi-certificate "Fortinet_Wifi"

    end

    WiFi administrators must consider the following factors:

    • The Fortinet_Wifi certificate is issued to Fortinet Inc. with the common name (CN) auth-cert.fortinet.com. If an organization requires its own CN in their WiFi deployment, they must replace it with their own certificate.
    • The Fortinet_Wifi certificate has an expiry date. When it is expires, renew or replace it with a new certificate.
    To replace the Fortinet_Wifi certificate:
    1. Get new certificate files, including a root CA certificate, a certificate signed by the CA, and the corresponding private key file.

      You can purchase a publicly signed certificate from a commercial certificate service provider or generate a self-signed certificate.

    2. Import the new certificate files into FortiOS:
      1. On the FortiGate, go to System > Certificates.

        If VDOMs are enable, got to Global > System > Certificates.

      2. Click Import > CA Certificate.
      3. Set the Type to File and upload the CA certificate file from the management computer.

      4. Click OK.

        The imported CA certificate name is CA_Cert_N (or G_CA_Cert_N if VDOMs are enabled), where N starts at 1 and increments for each imported certificate, and G stands for global range.

      5. Click Import > Local Certificate.
      6. Set Type to Certificate, upload the Certificate file and Key file, enter the Password and enter the Certificate Name.

      7. Click OK.

        The Certificates page lists the imported certificates.

    3. Change the WiFi certificate settings:
      config system global
    set wifi-ca-certificate <name of the imported CA certificate>
    set wifi-certificate <name of the imported certificate signed by the CA>
end

    If necessary, use the factory default certificates to replace the certificates:

    config system global
    set wifi-ca-certificate "Fortinet_CA"
    set wifi-certificate "Fortinet_Factory"
end

    As the factory default certificates are self-signed, WiFi clients need to accept it at the connection prompt or import the Fortinet_CA certificate to validate it.

    If the built-in Fortinet_Wifi certificate has expired and not been renewed or replaced, WiFi clients can still connect to the WPA2‑Enterprise SSID with local user-group authentication by ignoring warning messages or bypassing Validate server certificate (or similar) options.
    Previous
    Next